Cybersecurity has rapidly become a testing tech issue as attacks threaten to bring social chaos and disruption to computers and IT set-ups across the world. McAfee estimates such attacks cost the global economy more than USD 400 billion annually, giving cybersecurity a prominent place on the agendas of business and government policymakers, but also underscoring its significance for investors who need to be aware of the potential damage to their investments and companies' governance in this area.
This year, the ‘WannaCry’ and ‘Petya’ cyber-attacks made international headlines when they infected hundreds of thousands of computers in 150 countries and disrupted business at many of the world’s largest companies. They were just two of many pernicious attacks in recent years. According to PwC's 2015 “Global State of Information Security" report, from 2009 to 2014, the number of cyber-attacks skyrocketed from 3.4 million to 42.8 million, which is an increase by more than 1 000%.
Motivations behind cybersecurity attacks
While ‘WannaCry’ highlighted the risks of ransomware attacks, the types of cyber-attacks and the motivations behind them are broad and complex. They can range from government and corporate espionage to pure profit-seeking or protest and activism.
According to Gemalto’s ‘Breach Level Index’, in 2016, 68% of attacks were carried out by malicious outsiders, 19% corresponded to accidental loss, 9% were conducted by malicious insiders (people working for the organisation that was targeted), 3% were ‘hacktivists’ and 1% related to state-sponsored attacks.
The most common data breach is identity theft, at 59% of all data incidents. Stealing identities allows hackers to access sensitive and valuable information from companies and governments. Stealing money is the second most common type - accounting for 18% of attacks.
A material risk to investors
Cyber-attacks are a significant risk for many investee companies and can adversely impact a company’s entire stakeholder community.
- First, a cyber-attack on operational systems can disrupt how employees and managers work.
- Second, a cyberstrike can interfere with the IT systems through which a company deals with its suppliers and contractors.
- Third, a company that fails to protect customers’ personal data will find it more difficult to retain the trust and good will of clients.
- Finally, companies might end up at odds with regulators as legislation becomes stricter.
We believe it is an integral part of institutional investors’ fiduciary duty to be aware of these risks and manage them appropriately.
How vulnerable is your investment?
Institutional investors need to be able to identify the level of exposure to cyber-attacks for the companies in their portfolios and to understand what investee companies are doing to mitigate any technological and human vulnerabilities. This is no mean feat given the typical lack of disclosure by investee companies on this topic. We believe there are two main reasons: a lack of understanding by senior management and boards of the scale and importance of cyberrisks, and the lack of experience in deploying the appropriate frameworks to manage cyberthreats.
In fact, many policymakers have only just started to deploy such frameworks. For example, in Europe, the Network and Information Systems Directive (NISD) relates to a loss of service. The directive comes into effect from May 2018. Governments may impose fines of up to EUR 20 million, or 4% of a company’s global annual turnover, if the appropriate mitigation steps are not in place. The General Data Protection Regulations (GDPR), which relate to a loss of data, come into effect at the same time and carry the same potential level of fines.
Cybersecurity through the environmental, social and governance (ESG) lens
Of the ESG criteria, cybersecurity impacts ‘S’ factors (customer satisfaction and, linked to that, service quality) and ‘G’ factors (how the board manages risk).
At BNP Paribas Asset Management, we have two levels of assessment.
- First, we examine a company’s cybersecurity strategy and its implementation. We expect companies to explain how they identify and manage their data vulnerabilities and to describe their action plan when it comes to detecting and responding to a threat and recovering compromised data.
- Secondly, we focus on companies’ governance and risk oversight boards and we expect companies to be able to identify the principal people responsible for the implementation of remedial actions and to engage senior management and the board in the oversight of this process.
Data loss and loss of service can be costly
Cyber-attacks can have real financial implications. Investors want certainty that cybersecurity is a top priority for boards and that governance structures can deal effectively with these threats. This is no longer just an IT department issue. Investors need to take action to persuade companies to adopt cybersecurity best practices and invest in the appropriate technical solutions.
BNP Paribas Asset Management is an active member of the PRI Cyber Security Advisory Committee, which was launched in 2016. Its role is to establish a framework to assess cybersecurity risks and to understand how companies are implementing actions to manage these. This year’s PRI in Person will includee a cybersecurity session to raise awareness and help educate investors how to engage companies to adopt cybersecurity best practices.
Written on 02/10/2017