Cyber-risk: how investors can prepare for the unpredictable
Cyber crime continues to create significant costs for companies globally, but understanding the risk means going beyond a formulaic assessment of policies.
Digital data has grown exponentially in recent years, spurred by increased penetration of mobile devices and consumption of online services. The rapid expansion in the volume of data companies store, many of which are relatively new to data management and security, has attracted cyber criminals employing increasingly sophisticated tools and techniques. Cyber crime costs global companies around 60% more than it did only five years ago, whilst in the US, that number has risen by over 80% (see Fig 1). No company can afford to ignore the threat, and regulators such as the UK’s Information Commissioner’s Office (ICO) are stepping up enforcement actions. Their response represents the tip of the iceberg the problem represents.
Figure 1: Cyber costs are increasing
Source: ico.org.uk, Accenture & Ponemon Institute's 2017 Cost of Cyber Crime Study, Cisco Global Cloud Index
What does cyber risk mean?
Cyber risk is a broad term. For most people, it represents the risk of loss or harm from breaches or attacks on information systems. That loss can take many forms, including direct financial costs, reputational damage or operational continuity. Recent high profile breaches (WannaCry, Petya, Equifax etc.) have served to further raise awareness on the issue, in turn attracting regulatory scrutiny. Data privacy is commonly associated with cyber risk, and is a centrepiece of the EU’s General Data Protection Regulation (GDPR) regulation, which came into force in May 2018. That law has become a defacto global standard; it clarifies and expands upon what sensitive data entails, who has the usage rights, and assigns the responsibility to companies to keep customer data safe, with high fines if they fail to do so.
Why should investors care?
Cyber is an increasingly critical source of business risk, especially for companies with important intangible assets such as brands, customer relationships or technology. The negative impact a data breach can have on a brand link straight to companies’ competitiveness, future revenues and future cash flows. Data breaches often uncover poor governance practices and weak management; changing people or policies is quick but re-establishing market and customer trust take much longer.
An engagement approach
In our view, investors should focus on understanding how well a company prepares for cyber events. The depth of its approach should give confidence that when (not if) a breach occurs, processes and resources are in place to minimise the impact on operations and ability to create value.
Building that understanding means going beyond a formulaic assessment of policies. We believe direct company engagements are the best way to gain insights. We have delved into the topic focusing on a few main areas:
- Governance: assess how well cyber risk is understood by the board
- Expertise: does the company have the internal capabilities to manage cyber risk? Is it drawing on specialist skills from outside the organisation?
- Technological: has the company adopted best practices from a technical standpoint?
Recognising that cyber risk is relevant to many business models, we have engaged with Chief Information Security Officers (CISO) or Data Protection Officers (DPOs) at ten companies Schroders invests in, across sectors such as financial services, technology and telecoms.
Main findings: expertise and board responsibility
Our direct and detailed engagements have allowed us to identify where the material information lies, and to better understand the strength and weakness at a company level. We believe the key areas are:
- Expertise: it is critical that the company has a well-resourced and specialised cyber security team, managed by a CISO/DPO, reporting preferably to the CEO or the board. The security team should also leverage specialised external expertise on a regular basis to stay on top of new threats and security tools. Internally, the team should have direct ownership of specific technological tasks such as penetration testing, security patches etc.
- Board level responsibility: the board should have specific expertise to evaluate whether the company has the appropriate operational and managerial resources to mitigate cyber risk.
The analysis of a company’s level of expertise and board responsibility provides our analysts and fund managers with a basis on which to structure their questions of management teams, and to benchmark responses against peers.
In addition, the engagements have changed our understanding of a few areas usually thought of as important, but which most companies disregard. For instance, our discussions highlighted the weaknesses of focusing on ISO27001 (an IT standard that best-in-class companies implement internally), cyber insurance (current products offer limited coverage) and policies on cyber/data protection (while important for compliance purposes, they appear less helpful in actually managing cyber risk).
Conclusion: targeted engagement
Cyber is an increasingly important risk for every organisation. As investors, we need to gain a deeper understanding into how well companies held in our clients’ portfolios are prepared to manage this risk. We believe targeted company engagement is the most effective way to gain insights into key areas such as top-level risk governance and technical expertise, where investors might be able to identify unsuitable practices before they materialise.