Analyzing Cyber Security Risk

For Financial Advisor Use Only | Fourth Quarter 2025

November 14, 2025

INDUSTRY RISK ASSESSMENT

While any company or industry can be the target of a cyberattack, there are factors which can expose certain industries to higher risk than others.

[Figure: Exposure risk by industry.]

* Risk levels can vary significantly within industries, based on company size, geographic scope, and specific business models.

In addition to evaluating an industry’s likelihood as a target, we also consider the degree to which a cyberattack would be a significant threat to the business.

[Figure: Business Impact vs Exposure Profile.]

Market capitalization is an additional dimension not visualized. While a cyberattack on a small-cap company might affect fewer individuals, any resulting financial loss could be more impactful to the overall business than it would be for a larger company.

ORGANIZATIONAL RISK ASSESSMENT

While there are risk signals common to certain industries, there are also company-specific vulnerabilities that may be difficult for an investor to detect from the outside, including:

1. Cultural

Security commitment may just be at the surface level and not fully embedded. Individual employee compliance is also a key variable.

2. Operational

Legacy infrastructure or insufficient planning/oversight may create unknown exposures and technical blind spots.

Financialization

Significant cyber security incidents are often, but not always, financially material. Ways in which a cyber security incident can be financially material include the following:

  • Significant sums of money (which cannot be recovered) may be sent to a fraudulent individual.
  • Sensitive data may be lost, with associated fines/damages.
  • Underspending on security protections may lead to a sudden and unplanned expense to upgrade systems.
  • Inadequate cyber insurance may create large financial exposures.
  • Reputational damage may cause loss of customer trust and lower future sales.

Engagement

Engagement can serve two purposes:

  1. To better understand the risk profile of an investment
  2. To understand the range of remediation activities, post-incident

Some lines of enquiry that can be helpful include:

1. Governance
  • Board expertise and management oversight
  • Degree of cross-functional coordination
2. Strategy
  • Scope of cyber management/policy
  • Incorporation of emerging risk factors, e.g., AI
3. Risk Management
  • Organizational risk tolerance and mitigation
  • Incident response testing and impact assessment
4. Metrics & Targets
  • Linkage of KPIs to compensation
  • Cyber as a % of IT budget and changes over time

Further Information

These materials are intended solely for informational purposes. The views expressed reflect the current views of Pzena Investment Management, LLC (“PIM”) as of the date hereof and are subject to change. PIM is a registered investment adviser registered with the United States Securities and Exchange Commission. PIM does not undertake to advise you of any changes in the views expressed herein. There is no guarantee that any projection, forecast, or opinion in this material will be realized. Past performance is not indicative of future results.

All investments involve risk, including loss of principal. The price of equity securities may rise or fall because of economic or political changes or changes in a company’s financial condition, sometimes rapidly or unpredictably. Investments in foreign securities involve political, economic and currency risks, greater volatility and differences in accounting methods. These risks are greater for investments in Emerging Markets. Investments in small-cap or mid-cap companies involve additional risks such as limited liquidity and greater volatility than larger companies. PIM’s strategies emphasize a “value” style of investing, which targets undervalued companies with characteristics for improved valuations. This style of investing is subject to the risk that the valuations never improve or that returns on “value” securities may not move in tandem with the returns on other styles of investing or the stock market in general.

This document does not constitute a current or past recommendation, an offer, or solicitation of an offer to purchase any securities or provide investment advisory services and should not be construed as such. The information contained herein is general in nature and does not constitute legal, tax, or investment advice. PIM does not make any warranty, express or implied, as to the information’s accuracy or completeness. Prospective investors are encouraged to consult their own professional advisers as to the implications of making an investment in any securities or investment advisory services.

© Pzena Investment Management, LLC, 2025.  All rights reserved.