October 27, 2017
FISCO IR Ltd. announced today that it has added the category of “Information Security” to the FISCO Corporate Reports to help promote dialogue with investors on this subject as a material issue for corporate management. The reports will be provided as written materials to assist with the engagement between institutional investors that have signed the United Nations Principles of Responsible Investment (PRI) and investee corporations.
With the spread of the Internet of Things (IoT) and environments in which various physical items are connected via a network, there have been concerns in recent years over the increasing risk of damage from cyberattacks. Large-scale instances of such attacks have occurred at companies and government offices overseas. As Japan prepares to host the 2020 Tokyo Olympic and Paralympic Games, the Japanese government is taking the lead in advancing the call for taking countermeasures for corporate cybersecurity risk, mainly from a perspective of preventing cyberterrorism.
FISCO IR considers it very important for companies to disclose information to investors about their cybersecurity measures with regard to their awareness of risks concerning the protection of important sensitive information held by the company, and the measures they have in place.
In fact, PRI signatory GPIF established information security measures in July 2017 for parties that may be privy to non-disclosed information related to the GPIF's administration and management operations, such as contracted asset management institutions. It also established rules on information security measures at contracted asset management institutions and others. GPIF's contracted asset management institutions are required to take their own security measures. At the same time, cybersecurity is to be incorporated as one of the ESG issues for investee companies to address and engage with so that security risk for some investee companies does not merely become internalized as a negative external characteristic. They are also required through these efforts to effectively reduce the risk of holding the stocks over the medium to long term.
In the United States, the Securities and Exchange Commission (SEC) is already considered to have effectively mandated the disclosure of cybersecurity risk. In Japan, the relevant ministries and government agencies are beginning to press for disclosure of cybersecurity risk measures as an operational risk in annual securities reports. According to the Cabinet Office, a survey of the 225 companies included in the Nikkei Stock Average found that 60% of listed companies have already started disclosing this information. However, the method of presentation is often of a general nature and does not include specific envisaged incidents or damage. In 2015, the Ministry for Trade, Economy, and Industry and the Information -Technology Promotion Agency, Japan published the “Cybersecurity Management Guidelines”, which advise considering the disclosure of cybersecurity initiatives through an information security report, CSR report, sustainability report, or annual securities report, and so forth, as one example of a cyber security measure.
Cybersecurity risk tends to be considered as “defensive IT'; however, some companies are starting to move positively on the issue by considering it as “proactive IT.” Information disclosure is not just a means for explaining a company's current status; it also has the effect of regulating the company's image. Investors can make more efficient investment decisions on potential investment targets if risks are disclosed more fully. For the company, disclosure enables people to have a deeper understanding of the company itself, and it may earn trust for being able to disclose risk information. Information disclosure about cybersecurity has also been proven to have a greater information effect on stock price trends in companies that disclose information beforehand in comparison with those that do not.
In consideration of these circumstances, FISCO IR has decided to add “Information security” as an item in its Corporate Reports. By reporting on the initiatives of listed companies, FISCO IR aims to encourage companies to make efforts on cybersecurity measures by promoting higher overall levels of corporate cybersecurity risk measures and information disclosure, more proactive leadership on cybersecurity risk measures by company management, and greater dialogue about cybersecurity risk between companies and investors. The Company also sees this as a way to contribute to the successful completion of initiatives on cybersecurity measures not only for industry, but also as a basis for the security and safety for society as a whole.
Overview of FISCO IR Ltd.
Company name : Fisco IR Ltd. http://www.fisco-ir.co.jp/en/
Address : 5-4-30 Minamiaoyama, Minato-ku, Tokyo
Establishment : August 9, 1968
Capital : 89 million yen (As of December 31, 2016)
Representative : President and CEO Motoki Sato
Business activities : Provision of IR support services