BIS Insights Summary

Our Data and Privacy Approach

Aug 25, 2022
  • BlackRock

Technology plays an important role in both the global economy and society. Most companies today use technology platforms throughout their businesses. With the advancement of digital technology increasing interactions between companies and stakeholders, many companies are collecting extensive amounts of personal, and often sensitive, data which creates responsibilities for those companies. With that has come increased risks associated with data privacy and security.

BlackRock’s purpose is to help more and more people experience financial well-being. Our clients depend on us to help them achieve their investment goals. These clients include public and private pension plans, governments, insurance companies, endowments, universities, charities and ultimately individual investors, among others. Consistent with BlackRock’s fiduciary duty as an asset manager, the purpose of BlackRock Investment Stewardship (BIS) is to support companies in which we invest on behalf of our clients in their efforts to deliver long-term durable financial performance. BIS serves as an important link between our clients and the companies they invest in, and the trust our clients place in us gives us a great responsibility to advocate on their behalf. That is why we are interested in hearing from companies about their strategies for navigating the challenges and capturing the opportunities they face. As we are long-term investors on behalf of our clients, the business and governance decisions that companies make will have a direct impact on our clients’ investment outcomes and financial well-being.

Data privacy and security as a material risk

From our point of view as an investor seeking durable returns over the long term for our clients, increased access to personal data by companies comes with material business risks that can impact a company’s reputation and its ability to operate. Whereas the global average direct and indirect cost of a single data breach was estimated to be over $4 million in 2021, the financial tail risk associated with a very significant data breach can run to hundreds of millions of dollars¹. A lack of adequate protections could increase that cost even further in the future, should customers become less willing to share information with or use services and products from an impacted company. For these reasons, BIS discusses the approach taken to engagement on data privacy and security with the companies in which BlackRock is invested on behalf of our clients.

Consistent with our Global Principles, BIS identifies companies for engagement based on our Engagement Priorities, our prior history of voting and engagement with the company, and our assessment of a company’s financial and governance profile relative to its peers. While data privacy and security issues can be material to all companies in our portfolios, we focus our engagement on those companies with the greatest potential risk. We consider the industry and market-specific context along with sector-specific public policy in assessing these risks. We focus our engagements on telecoms, technology, and professional services companies, and engage selectively with companies in other sectors with extensive access to customer data.

If, based on our assessment, a company is not effectively addressing material data privacy and security risks, or its disclosures setting out its approach are inadequate relative to peers and/or industry standards, we will engage with company management and/or board members.

Our approach in focus:

As companies determine the best approach for addressing data privacy and security-related risks, it is helpful for long-term investors like BlackRock to understand:

Materiality assessment

How companies assess their exposure to data privacy and security risks, related financial implications, and any related regulatory actions taken or anticipated, including their approach to complying with regulations across multiple jurisdictions.

Board oversight and resources

How companies consider the board’s oversight and understanding of material privacy and data security risks, as well as the resources the board dedicates to cyber risk management.

Customer consent and data processing

How companies determine the rationale for and appropriateness of their practices for the collection, use, and safeguarding of customers’ personal information and any related legal, regulatory, and reputational risks.

Third party management

How companies ensure a responsible and secure transfer of data to third parties consistent with the company’s data protection policies.

To learn more about our approach, including examples of BIS engagements regarding data privacy and security highlighting selected case studies, please see the full publication:

Read our full commentary