What are companies doing with regard to cybersecurity?

The shareholder engagement activities of Raiffeisen Capital Management’s (Raiffeisen KAG) fund management on the topic of cybersecurity and justice include dialogue with some of the largest, and for us most interesting, listed companies in this field. In total, over 45 companies from various sectors were contacted, with a focus on the especially vulnerable sectors of utilities, telecommunications, industry, and financials. These companies in particular are often victims of cyberattacks but are also at the forefront when it comes to defending against them.

The following questions were asked in this process.

What significance does cybersecurity currently have at your company and how has this changed over the last two years due to the increase in telecommuting, the pandemic, and the tense geopolitical situation?

OMV, Iberdrola:

The pandemic, the associated increase in telecommuting, and the tense geopolitical situation surrounding Ukraine have changed the digital security structure on a lasting basis over the past two years. As a result, companies were also forced to arm themselves against the growing threat from cybercrime. Entirely new approaches had to be taken on a global basis in order to successfully defend against these new threat scenarios. At the same time, companies have more to lose than ever before as a result of the digitalisation that pervades the entire corporate structure.

In its dialogue with Raiffeisen KAG, the Austrian petroleum producer OMV stressed that cybersecurity is the highest priority for its group-wide IT division. This is reflected in numerous preventative and reactive measures. For OMV, cyberdefence is not a rigid process but must always be developed further in order to have the optimal defence ready for unexpected situations.

The Spanish utility company Iberdrola relied on cloud solutions and virtualised infrastructure to a greater degree during the pandemic. Cybersecurity is a top priority for the company, which is active in the field of critical infrastructure. Accordingly, it introduced a cybersecurity risk policy all the way back in 2015 to ensure the constant availability of its services. In order to counteract the risks resulting from the tense geopolitical situation, Iberdrola has currently put the highest alert level into effect and works closely together with IT security firms, the authorities, and partner companies. In addition, security training is conducted for employees that covers not only cybersecurity but also other risks.

Have you planned budget increases for cybersecurity?

Bawag, Elisa:

As capital providers, we are always interested in how these funds are tied up. In light of rising cybercrime, companies have to not only explore new possibilities but also make massive investments.

The BAWAG banking group is expanding its control mechanisms and protective measures in all three relevant dimensions: customers and employees, processes, and technology. This ensures that the company is at the cutting edge in all areas of cyberdefence and can thus protect itself, its employees, and its customers.

For telecommunications companies, cyberdefence is particularly important for customers as well. At the Finnish company Elisa, for example, an increase in customer requests pertaining to this topic led to an increase in the budgets for cyberdefence.

Do you receive government support for dealing with these challenges?

Allianz, Iberdrola:

When it comes to cybercrime, the shutdown of critical infrastructure is one of the biggest risks for a country. But how do governments support companies that are active in socially relevant fields? Many of the companies we contacted do not receive any government support, neither financially nor in the form of information. The insurance company Allianz is an operator of critical infrastructure as defined by the IT Security Act (IT-Sicherheitsgesetz) and is obligated to report to the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik; BSI). The BSI analyses the information that is reported and uses it to prepare a status report on an ongoing basis, which in turn is provided to Allianz. This enables Allianz to improve its internal knowledge and get an overview of the general threat situation.
Utility companies are among the most frequent targets of politically motivated cyberattacks. The previously mentioned Spanish utility company Iberdrola works closely together with the government agencies for cybersecurity in all of the countries in which it operates in order to exchange information about threats and proven cybersecurity methods. The utility also receives funds for the improvement of cybersecurity capacities in the countries where such arrangements are in place for utilities.

Which types of attacks on your digital security are most dangerous for you (phishing, social engineering, etc.) and how do you train your employees to protect them against attacks?

Hapag-Lloyd, Verbund:

Scammers are getting more and more creative and innovative in order to achieve their goals. As a result, a highly professional e-mail from a purported customer can easily turn out to be a Trojan and do permanent damage to the company’s security environment, because opening the links contained therein enables the cybercriminals to install malware on the computer. Likewise, there are no boundaries when it comes to social engineering. For example, the friendly job applicant who cannot get through the turnstile could be a fraudster who specifically wants to steal passwords from the company.
The danger with these attacks is that every employee can become a security gap, which is why company-wide training is needed. In order to provide a broad range of training offerings, companies often have to find situation-specific solutions.

The logistics and shipping company Hapag-Lloyd introduced a user awareness programme for how to handle phishing e-mails in 2021. Due to the poor connections on the high seas, it is not always technically possible to use this online programme. In order to nevertheless ensure the continuous training of the employees, the officers teach the material using digital training documents and videos. Regular reports of abnormalities by the crews indicate to the company that these awareness-raising measures are working.

When it comes to defending against phishing, well-trained personnel are essential and support can primarily be provided through advanced security systems. The utility company Verbund uses technical defence systems that utilise anomaly detection and the blocking of suspicious e-mail contents that must first be reviewed by the security unit.

What contribution does your company make to Sustainable Development Goal 16 (Peace, justice and strong institutions)?

Post, A1:

Peace, justice, and strong institutions are fundamental building blocks of our modern society, and companies are also confronted with SDG 16 in many different ways.

Parcel services are often used by criminals to do their business. The Austrian postal service Österreichische Post AG is aware of this and thus places emphasis on security and crime prevention. This also includes the increased efforts aimed at combatting bribery and corruption.

The postal service ensures public access to information. This is not just an important contribution to the social stability of individual countries but is also in line with national regulations and international agreements.

The telecommunications company A1 Telekom has introduced products for people with hearing impairments and severe visual impairments onto the market. These products use state-of-the-art technology and are intended to contribute to increasing equal opportunity and facilitating fair access to modern communication.

Herbert Perus
Fund management/Corporate Responsibility, Raiffeisen Kapitalanlage GmbH

This content is only intended for institutional investors.
