Information Security: A Major Risk Factor for Companies

With cybercrime on the rise, data security is both a growing business and a financial risk for companies today. This risk is exacerbated by the increasing complexity of computer networks, as well as exposure to greater vulnerabilities outside the organization’s firewall with the development of cloud computing. The question is not whether a company will be hacked, but when.

The High Cost of Data Breaches

Target, Sony and Yahoo are a few of the numerous companies that have experienced massive security failures. Consumer-facing companies like these are vulnerable to compromises of customer data that can result in reputational and brand damage, loss of customers, risks to profits, stock price declines and downgrades by rating agencies that can impact their cost of debt. Furthermore, the legal, compensatory and public relations costs of data security breaches are likely to have a multi-year impact on the company’s bottom line.

As the costs of cyberbreaches continue to escalate and the sophistication of attacks increases, the best-managed companies are beginning to incorporate state-of-the-art security practices throughout their organizations, including during the initial planning phases of every new project. While it is impossible to fully eliminate the possibility of a data security breach, effective corporate leadership can both minimize the threat and limit the damage should an attack occur.

Effective Cyber Risk Governance

Threats are always evolving, and there is no single solution that a business can implement. Instead, companies must remain vigilant. Because of this, the level of governance is the most important indicator of the maturity of a company’s cybersecurity systems.

Examples of effective governance include:

  • Management accountability and active engagement about data security
  • Regular board reviews of security risk practices, including supply chain and other third-party risks, and designation of specific board members to monitor information-security strategy and security-related risks
  • Employee training programs, including those designed to increase awareness of phishing schemes to avoid hacks, most of which result from human error
  • Employment of a dedicated team of highly trained resources inside the organization
  • Certification of data security systems to an industry standard
  • Regular audits by internal and third-party experts

Based on our view that effective cybersecurity is critical to protecting and promoting shareholder value, Parnassus closely evaluates cyber risk management practices as part of each company assessment. This evaluation is an important element of our broad identification of risks and opportunities that may be overlooked by non-ESG investors.



    Mutual fund investing involves risk, and loss of principal is possible.

    The views expressed are subject to change at any time in response to changing circumstances in the markets and are not intended to predict or guarantee the future performance of any individual security, market sector or the markets generally, or the Parnassus Funds. Current and future portfolio holdings are subject to risks.