(Bloomberg) -- Lombard Odier Investment Managers said the “shocking” results of an analysis into cybersecurity risks lurking in portfolio companies have led it to apply ESG processes far more broadly to protect its funds from losses.

The Swiss asset manager is now on a campaign “to push these companies to get their basic cyber hygiene in order,” said Jeroen van Oerle, portfolio manager of Lombard Odier’s Global FinTech fund. The firm wants to treat “cybersecurity risks the same way as we look at climate-related risks, or water usage risks, or corporate governance risks,” he said.

Since the summer, Lombard Odier has been screening more than 500 companies each month in an effort to detect software vulnerabilities. The analysis found that about 20% are running outdated software. “To me, that was shocking,” van Oerle said.

Investment managers have this year started sounding the alarm on hidden cybersecurity risks, with industries favored by ESG funds such as health care and technology often particularly exposed. By 2025, costs associated with cybercrime may well exceed $10 trillion, up from $6 trillion in 2021, Lombard Odier estimates. Researchers at Berenberg recently identified cybersecurity as a key ESG theme for 2022, while analysts at Goldman Sachs Group Inc. have singled out cyberattacks as an area of particular concern to ESG investors.

Van Oerle said he’s ready to sell shares of a company if he’s left with the impression that management isn’t doing enough to protect the business from cybersecurity risks. 

“The companies which are really slow in cybersecurity will probably somewhere down the line pay up for that,” he said. This could be “either in the form of a large data breach or in the form of losing clients because the trust is gone.”

Passive Strategies

Using ESG screens to catch cyber risks should be a strategy that’s also adopted by “the big passive funds out there who now are also voting on ESG topics,” van Oerle said. “Maybe they should also get involved more on cybersecurity and make that an agenda point as well on which they engage and on which they try to optimize the solutions for their investors.”

The pandemic has served as a catalyst for cybercrime, with much of the work that used to take place in offices now being conducted remotely via corporate networks. Almost two-thirds of security and information technology leaders surveyed across 15 industries found a measurable increase in cyberattacks, attributing it to more remote work, according to research by software company Splunk Inc. and the Enterprise Strategy Group.

Analysts at Berenberg recently published an ESG report noting that “many companies appear under-prepared” for cyberattacks. They also found that investment in measures to guard against such risks are picking up, with the extra spending coinciding with a “booming” cyber insurance industry, the Berenberg analysts said.

“It’s my personal conviction that any company can be hacked,” van Oerle said. “What we want to find out is if the company, first of all, is hacked, how fast can it respond? And is the company actually leaving all of the doors and the windows open so that it’s super easy to hack, or do they at least try to protect themselves as much as possible from it?”

(Adds comment on passive investing)

©2022 Bloomberg L.P.