Railpen, the pension manager of the UK rail industry, and Royal London Asset Management (RLAM) have jointly published a report to address the growing threat of cybersecurity risks in investment portfolios.
The report, Cybersecurity Risk & Resilience: Guidance for Investors, emphasises cybersecurity’s financial materiality and offers practical advice for asset owners and managers to engage with portfolio companies. It focuses on three questions: why investors should prioritise cybersecurity, what they should expect from companies, and how they can take action.
The report encourages investors to adopt a structured approach: assessing baseline cybersecurity practices, engaging with high-risk companies using sector-specific insights, and integrating cybersecurity considerations into policy discussions.
“Cyber resiliency might not be a top priority for investors when building portfolios – but it absolutely should be,” said Caroline Escott, senior investment manager, sustainable ownership, Railpen. Citing data from the World Economic Forum that 29% of organisations have suffered material impacts from cyber incidents in the past year, she added: “Through understanding, monitoring, and influencing companies’ behaviour, we can protect and enhance the long-term value of members’ savings.”
Technology and operations leaders to gather at FundsTech Forum 2025
The report also highlights a disconnect between awareness and preparedness among business leaders. Sophie Harris, senior investment analyst, Railpen, pointed out that 40% of chief information security officers surveyed by Proofpoint admit that their organisations are unprepared for a targeted cyberattack. “While regulatory actions, such as the US Securities and Exchange Commission’s cybersecurity rules, are encouraging, investors must play a critical role in driving corporate accountability and preparedness.”
In 2019, Railpen collaborated with RLAM and joined forces with other investors to tackle systemic cybersecurity risks through company engagement and policy advocacy. This initiative followed an earlier report by Railpen and Nest, which laid the groundwork for addressing cybersecurity risks.
Escott added: “This guidance equips investors to ask the right questions and take meaningful steps to protect their investments for the long term. Cybersecurity is no longer a niche concern—it’s central to protecting the value of our members’ savings.”
