    Stakeholder engagement

    Generating long-term sustainable returns requires managing the interests of stakeholders.

     

    THEME IN FOCUS: CYBERSECURITY
    We believe boards should be accountable for key enterprise risks, such as cyber and data security issues, and should have clear oversight of technology, data security and privacy policies.

    As the incidence of cyberattacks and the costs of security failures increase, we want to be alert and stay ahead when assessing portfolio exposure to them.

    CASE STUDIES

    Company 1

    What did we find out?
    We engaged with an Italian bank and established that it uses NIST, a U.S. external framework, to assess its cybersecurity maturity. It also reports cyber risk to senior management using key performance indicators. However, it was not transparent regarding the key personnel responsible for cybersecurity strategy, or whether there was an audit process.

    Following a second engagement, the company has confirmed it has an internal and external audit process on cybersecurity risk. It also has appointed a chief security officer, who is accountable to the board for execution of its cyber strategy. The board of directors has two candidates with cybersecurity expertise.

    In response to our specific questions, the company said it provides ongoing training to its cyber experts so they may develop in their roles to meet the ever-changing nature of cybersecurity risk. The company confirmed that in 2020 it had allocated 5% of its total security budget to cybersecurity, which is in line with other European banks. The company is also working on its talent pipeline by recruiting directly from universities.

    Next steps
    We will continue engaging to understand internal accountability.

    Company 2

    What did we find out?
    We engaged with Company 2, a Spanish bank, and established it has a cybersecurity incident response team. It collaborates with external entities, including government security agencies and different security providers. All employees receive training on cybersecurity. However, it was unclear who was responsible for the strategy in this area and what the company’s cybersecurity budget was. In addition, the board had not received specific training on the management of cyberrisks.

    Next steps
    We will continue engaging to understand internal accountability, board training on cyberrisk and whether the bank has an audit process for its cyberrisk strategy.

    Company 3

    What did we find out?
    We engaged with a UK insurer, which, together with its subsidiaries, provides personal and commercial general insurance products in various countries. We found out that the company is a member of the Information Security Forum and has group policies and guidelines based on its Standard of Good Practice. These policies aim to ensure a consistent expectation of the cyber controls in place across the regions in which the company operates. The chief information security officer is responsible for the cybersecurity strategy and communicating to management.

    Company 3 also provides annual privacy refresher training and regular updates to all employees. There is appropriate training on cyber and data security for all employees and the board. Occasionally, it carries out spot checks to ensure compliance with policy and procedures. Lastly, key controls are in place for an annual external audit, and the independent risk function conducts real-time and periodic assurance. The internal audit department’s information security is in line with the company’s audit plan.

    Next steps
    We will continue to engage with Company 3 to understand its cybersecurity budget.

    Company 4

    What did we find out?

    We engaged with a hotel services provider that was one of the first companies to disclose its cybersecurity budget. This accounts for around 5% of its total IT spend. However, the company confirmed that, due to the impact of COVID-19, this budget would not be spent in full during 2020. We were pleased to hear the company was preserving its capital expenditure. 

    The company also confirmed it will provide more disclosure on its training programs for data sharing. We were told the executive board receives training on cyber, data security and phishing, in addition to monthly reports about IT risks in the group. The executive board also has personal direct access to IT teams when members are not sure about the quality of an email. This company participates in a cybersecurity conference every year and has access to the online training platform and one-off on-site training. It also has a cyber surveillance program, which is managed by an external provider.

    In our view, the company lags many of those operating within the financial and insurance sectors because it has yet to consider external assessment frameworks. However, it does adhere to a four-tier internal process. The chief information security officer is responsible for setting the company’s cybersecurity strategy.

    Next steps
    We will continue to engage with Company 4 and follow its journey of adopting new policies and setting a cyber strategy by the newly appointed chief information security officer.

    The information contained herein is intended only for use by Hong Kong residents. By using this information, you are representing and warranting that you are either residing in Hong Kong or the applicable laws and regulations of your jurisdiction allow you to access the information, and you confirm that you accept the Terms of Use as set out in https://am.jpmorgan.com/hk/. Investment involves risk. Past performance is not indicative of future performance. In particular, funds which are invested in emerging markets and smaller companies may involve a higher degree of risk and are usually more sensitive to price movements. Investors should carefully read and consider the fund offering document(s), which contain details on investment objectives, risk factors, charges and expenses of the fund, before making any investment decisions. Investors should read carefully the fund notes before making any investment decisions. Information in this website does not constitute investment advice, or an offer to sell, or a solicitation of an offer to buy any security, investment product or service, nor a distribution of information for any such purpose. Opinions and statements of financial market trends set out are for information purposes only, based on certain assumptions and current market conditions and are subject to change without prior notice. Investors should conduct their own verification. The views and strategies described may not be suitable for all investors. This website and the advertisements contained herein are issued by JPMorgan Funds (Asia) Limited. This website has not been reviewed by the Securities and Futures Commission of Hong Kong ("SFC"), with the exception of material relating to the JPMorgan Provident Plan that the SFC has pre-approved (however such pre-approval does not imply official recommendation by the SFC).

    Copyright 2023 JPMorgan Funds (Asia) Limited. All rights reserved.