Data management and security have become increasingly important for IROs, especially with the rise of AI and the new SEC cyber-security disclosure rules coming into force in the US. But how can IR professionals handle data management within their teams and mitigate data-related risks? And if your company is building data capabilities from the ground up, what considerations does it need to make?
IR Magazine put these questions to Chip Newcom, senior director of IR at Equinix, Mark Hayes, partner and head of capital markets advisory at Breakwater Strategy and Jerry Mulloor, senior manager of IT and security at Q4 in a recent webinar hosted in partnership with Q4.
Below are the key takeaways from the conversation.
Implement robust data-governance practices
Today, IROs are faced with an ever-growing amount of data and its management. With volumes of information flowing in from various sources, experts say having an effective data-governance framework is essential to ensure security, efficiency and compliance.
For Newcom, data management isn’t just about storing information but also knowing what to keep and what to discard. Companies should conduct regular data audits, eliminating unnecessary or outdated information to minimize risk,’ he suggested.
‘We are thinking proactively about how long we need to be keeping data,’ he said. ‘So in the case of earnings scripts or all the Q&A preparation documents, once you move through that earnings preparations process, you probably don’t need to have drafts.’
Hayes noted that there have been several shifts over the last period in the way public companies are treating their data. The first is that data has evolved from a passive asset to an active, strategic one, leading to stronger data-governance structures to enhance business security. The second is that unlike 10 or 15 years ago when data was stored within the company itself, much of it now lives outside the business, via cloud computing systems and third-party vendors. On the latter point, Hayes stressed the importance of vetting third parties.
‘When you’re partnering with strategic [providers], make sure you’re kicking the tires in terms of practices, approaches and processes,’ he advised. ‘One of the things most important to understand – particularly about cyber – is that the characterization of popular media is [that] somebody comes up to the castle and knocks on the door and hopes he gets through. The counterparty argument is that there is a fair amount of insider threat risk in cyber with data, so understanding who you are doing business with and who has your data outside the company is really incumbent on the IRO.’
Prioritize cyber-security readiness
Cyber-security is no longer an afterthought. In the US, the SEC approved a set of cyber-security disclosure rules for public companies in July 2023. These require issuers to release information to their investors and the market about material cyber-security incidents and to make clear what control measures they have in place to counter those attacks.
‘Take us back 10 years to 2014 and there were about 1,000 incidents that year. This year, we’re projecting about 6,000,’ said Hayes. ‘The deepening of the cyber-environment is much more significant from a public company perspective.’
Mulloor noted that the SEC rules on cyber-security mean more eyes on these companies. But how can businesses balance the need for transparency with the need to protect sensitive information? Having a committee that includes member of the legal, IT, compliance and IR teams is the first step, he suggested: ‘[That’s] to ensure you have comprehensive oversight of cyber-security disclosures [and] keep everyone informed.’
He also urged companies to develop clear disclosure policies and procedures. ‘The trick is that you need to find that balance where you want to disclose what’s necessary, but you also don’t want to disclose sensitive information,’ he said. ‘Focus on impact over details. Disclose the nature of the impact and the incidents on operations and potentially financials, but without providing a lot of technical specifics that can be leveraged in a malicious manner.’
Leverage AI and automation for data management
‘I think AI can actually be an important part of a company’s overall data management and protection strategy in three dimensions,’ argued Hayes, noting that generative AI is all about pattern recognition so in the cyber-context it can be useful.
‘You can also use generative AI for things like data cleansing, to enforce data-management structures or governance and have real-time analytics in the context of how the data can be used and is being used. AI-driven security, information and event-management systems are going to be critical to both understand the nature of threats and respond to them across that accelerating amount of data.’
Mullor agreed: ‘There’s just a vast array of AI potential integrations that can be leveraged. And the idea would be to open your mind to that and embrace it, not necessarily be afraid of it.’
Think longer term
If your business is building its data capability from scratch there are three things IROs should think about, said Hayes: ‘The first is to be clear on your objectives. Think of what you want to achieve and what questions you want your data to answer.
‘Second, think of an active socialization with the management team, the board of directors and other people within your organization to describe what you are building. Finally, think of a direct path to value, particularly in the context of generative AI and operational tools that can improve efficiency.’
He added that it’s important for the capability to be interoperable and flexible. ‘The data you need today may not be the data you need in two or three years,’ he said.
Future-proof your company
Building on Hayes’ top tips, Newcom added that it’s important to review processes and be future-ready. ‘It’s not only thinking about the processes and procedures now, but also that iterative approach of reviewing what you’re doing every single year, reviewing your vendors, understanding what’s working for you and what doesn’t work,’ he explained.
‘Our organizations are going to continue to evolve – [for example], growing from being a small cap to a mid-cap to a large-cap company. If you’re shifting from being an IR team of one to being an IR team of three, four or five, you have to be thinking about how you’re going to be evolving, both in terms of the systems and the vendors you’re using.’
Mulloor said it’s important to break silos. ‘I would start thinking about building processes and rituals that are more inclusive,’ he said. ‘[A process that] brings everyone in, brings more visibility and transparency so that you can keep that machine rolling and build on that momentum. From my point of view, the more folks are thinking about security and data, the better.’
