* Survey of assets managers highlights weak disclosure
* Only three of Europe's top 10 companies flag risk in report
* Boards urged to bring in tech-savvy executives
By Simon Jessop and Ross Kerber
LONDON/BOSTON, Aug 28 (Reuters) - Investors are being poorly served by a haphazard approach from fund managers to the growing threat of cyber crime damaging the companies in which they invest, with a lack of clarity from the businesses themselves compounding the problem.
Banks have led the way in developing cyber defences and some top fund managers have ramped up pressure on companies to do more, but the broader picture is less encouraging.
"I don't see any visible stand asset managers are taking, like they do on other social responsibility items," said Malcolm Harkins, information security chief at U.S. cyber security start-up Cylance Inc.
The soft underbelly of companies outside the banking sector was exposed again this month when hackers leaked details of nearly 37 million clients of Ashley Madison. The infidelity website had to postpone its stock market listing and now faces a $750 million lawsuit.
More than half the value of companies worldwide is in intangible assets, such as intellectual property, much of which is stored on computers and could therefore be vulnerable to hackers.
That figure could be as high as $37.5 trillion of the $71 trillion in enterprise value of 58,000 companies, according to Brand Finance, a consultancy specialising in valuation of intangible assets. The World Economic Forum said that robust protection against cyber risk could add as much as $22 trillion to the global economy by 2020.
The global financial cost of attacks is rising fast -- up more than 10 percent last year, a report by specialist researcher Ponemon Institute said.
Though some might argue that investors can sell out of businesses they consider to be performing badly on cyber safety, the reality is less straightforward. Passive funds that track a specific index or sector have no leeway, while pension funds tend to demand a longer-term view from asset managers.
But even those keen to evaluate cyber risk face an uphill struggle, hampered by a lack of resources, poor data and weak disclosure from companies.
Sacha Sadan, corporate governance head at the fund arm of insurer Legal & General, told Reuters that cyber risk is one of his team's top priorities for corporate engagement but described the approach of some rivals as "hit and miss".
"We would rather a company, when they come to talk to us, had a slide that said 'this is what we're doing'. At the moment, it's us asking them and they say, 'well, most other shareholders don't ask'."
MIXED PRIORITIES
A Reuters survey of fund firms with a combined $16 trillion in assets showed pressure on company boards is far from uniform.
Only four of 12 governance chiefs at British, French, German and U.S. fund houses interviewed by telephone and email said they considered cyber risk a "top priority" across all of their investments. The remainder said they either discussed the issue case by case or that there was too little information for proper risk-assessment.
BlackRock, the world's biggest asset manager, is among those that have engaged with companies, though it declined to provide further detail on examples in its quarterly governance report.
In its latest report BlackRock said it had spoken to a large insurer and "shared perspectives" gained from speaking to cyber experts and other companies.
As for the types of business meriting closer examination, Jessica Ground, global head of stewardship at Schroders, said that less-obvious targets such as travel agents need to do more. Another chief named online gaming as a sector laggard.
Most fund managers do have dedicated teams supervising governance. But these often number fewer than 10 people to analyse and speak to thousands of companies on a broad range of topics, with matters such as executive pay regularly given higher priority than cyber security.
On the other side of the fence, the companies themselves are far from united in their approach.
"There is significant divergence across companies as to how prepared they are," said Antony Marsden at Henderson Global Investors.
Though attitude to cyber risk is inherently difficult to quantify, analysis of the most recent annual reports of the 10 biggest companies in Europe and the United States showed variable communication on the issue.
Only three of the Europeans -- Novo Nordisk, HSBC and Royal Dutch Shell -- had a separate section on cyber risk or information security. Across all 10 reports there were a mere 14 mentions of keywords "cyber", "information security", "hack" or "hacking".
That compares with five of the U.S. companies -- Apple, Wells Fargo, Facebook, General Electric and JPMorgan -- and 63 keyword references, partly influenced by more banks featuring in the list.
WHEN, NOT IF
"You can look at an annual report and see some companies talk a lot about what would happen if the euro were to fail... But just as important is what happens if you get hacked," L&G's Sadan said. "You will get hacked. So what's your contingency planning?"
Several smaller U.S. investment firms with a mandate for socially responsible investment are already pressing companies publicly over data security matters, including the filing of proxy resolutions at shareholder meetings.
Arjuna Capital, for example, had American Express shareholders vote on whether it should report annually on how its board oversees privacy and data security. Amex opposed the idea, saying its board receives regular updates, and the proposal won only 22 percent of the vote at the annual meeting.
Highlighting the lack of a consistent approach from asset managers, a number of large fund firms opposed the resolution.
It is little wonder, then, that some have yet to address a skills gap that leaves them ill-equipped for proper risk-assessment.
"The frameworks for dealing with cyber risk, about what it means for our business and what can we do about it, are only now being put in place," said Sandra Carlisle at Newton Asset Management.
Rules in the United States requiring companies to report data privacy breaches are likely to be replicated in Europe in the near future, which will aid funds' understanding of the risks.
In the meantime, investors are very much in the dark.
"What you get is assurance that people are looking at these things," said Iain Richards at Anglo-U.S. fund firm Columbia Threadneedle. "There's a scarcity of meaningful disclosure." (Additional reporting by Carolyn Cohn; Editing by David Goodman)