Why investors should care about cybersecurity
The following article is from Schroder Investment Management Limited (Schroders) and I believe the topic is quite relevant with so much financial and business activity being carried out on-line.
At Ethical Offshore Investments, our Sustainable Allocation portfolios do have some exposure to companies involved in Cyber Security, but we also can provide further guidance on the range of managed funds and ETF’s that specialise in investing in companies dedicated to protecting individuals and businesses from Cyber crime.
Article by: Jo Marshall
Today 100% of companies rely on the internet to operate, compared to one in four 10 years ago, according to a study from Accenture.
Add to this greater connectivity the increased volume of data being handled by companies, and the shift to remote working brought about by Covid-19, and it’s not hard to see why cybercrime represents a significant risk for companies.
Cybercrime in the headlines
There has been a spate of recent high-profile cyberattacks in which significant companies have been held to ransom.
Colonial Pipeline, the largest fuel pipeline in the US; JBS, the world’s biggest meat processing company; Ireland’s national health service; and South Africa’s shipping terminals are just some of the recent victims of ransomware attacks.
A ransomware attack is a type of cyberattack that involves locking the user out of their own files or systems and demanding a ransom in return for access. In Colonial Pipeline’s case, the ransom was $4.4 million, while JBS was forced to pay the equivalent of $11 million.
Other examples include the foreign exchange company Travelex, which was held to a $6 million ransom in early 2020; the attack on British Airways in 2018 (which resulted in a $26 million fine for the company because it was found not to have sufficient security measures in place) and the 2016 hack into the central bank of Bangladesh’s systems, where criminals made off with $81 million.
Many attacks don’t make the headlines. On a global basis, it’s reported that more than 30 billion data records were stolen in 2020. This is more than in the prior 15 years put together. In the US alone, the FBI received a record nearly 800,000 cybercrime complaints in 2020, a 69% increase on 2019’s total complaints, with reported losses at more than $4.1 billion. In Europe, cyber attacks increased by 75% over 2020 compared to 2019.
Cybercrime prevention: spending surge
The cost of cybercrime globally is expected to hit $6 trillion annually in 2021, and $10.5 trillion by 2025, according to Cybersecurity Ventures, a cyber research company. Cybercrime costs include damage and loss of data, money, productivity, intellectual property, business interruption, the restoration of hacked data and systems and reputational damage.
As a result, spending on protection mechanisms has sky-rocketed. Global spending on cybersecurity products and services is expected to increase at a compound annual growth rate (CAGR) of 7.7 -14.5% between 2020 and 2026. CAGR indicates the growth rate over multiple periods, taking into account the effects of compounding.
Figure 1: Cyberspend is expected to grow at 7.7-14.5% CAGR (USD bn annually)
What does cybercrime look like?
Cybercrime can take various forms and is becoming increasingly sophisticated. Most involve a user unwittingly clicking on dangerous links or opening harmful attachments that install malicious software (known as malware), enable the disclosure of confidential information and prevent legitimate users from accessing to necessary systems and data.
Figure 2: Types of cyberattacks
Weak spots of cybercrime vulnerability
Email is the most common way attackers infiltrate a company’s systems and data. Employees therefore represent the biggest weakness, with the main cause of cybersecurity failures reportedly being human error. This could be an employee failing to install security updates in time, not using a strong enough password to protect sensitive data or falling prey to phishing emails.
On a global basis, 43% of firms view employee naivety about cybersecurity as their most significant organisational weakness, according to the 2021 State of Email Security Report issued by the cybersecurity provider Mimecast. This percentage is notably higher in some countries: in the UK, the Netherlands, South Africa and the United Arab Emirates 50% or more participants view employees’ lack of cyber knowledge as a major threat to their companies’ security, according to its survey.
Rob Hyde, Schroders’ Chief Information Security Officer and Head of Enterprise Technology, said: “Training our employees is our best defence against cyberattacks. While we have high-security products to provide protection, ensuring our employees are educated as to how to spot a suspicious email or link is key to our ability to effectively guard our systems and data.
“Corporations have four key adversaries that we try to protect ourselves from. The ‘malicious outsider’ is someone external to the organisation that tries to penetrate our defences in order to access sensitive or proprietary information. The ‘malicious insider’ is similar, but is an employee that we’ve trusted with access to such information. The ‘accidental insider’ is an employee who has unwittingly become part of an attempted attack by clicking on a harmful link or opening a harmful email. We also have the ‘supplier’, which refers to the risk we take on when engaging the services of third-party providers.
“We have measures in place to guard against all four of these and are constantly improving our protection as attackers are becoming increasingly sophisticated in how they try to penetrate our defences. The advent of cryptocurrencies, for example, is creating a means for attackers to profit from their actions in ways that the traditional financial services system would make very difficult,” he said.
Cybercrime can have a considerable impact on financial companies
Any firm that uses the internet is a potential target for cybercriminals and a cyberattack can have a significant impact on a company, whether that’s financially or operationally.
There is also the reputational damage associated with having security defence breaches. On average, it takes two years for a business’s reputation to recover after a data breach is revealed, according to research by HSBC. Meanwhile share prices of companies affected tend to underperform by 15.6% in the following three years.
Figure 3 & 4: Effects of data breaches on reputation and share price
The finance sector tends to be the worst affected: it experienced the greatest decline in stock prices, of -16.7% on average against the NASDAQ, in comparison to the technology sector, which averaged -2.9%.
Figure 5: The finance sector tends to fare worst
Assessing a company’s cyber preparedness
A company’s cyber preparedness should be a crucial consideration in an investor’s investment decision. It is a business risk that investors can’t afford to ignore, according to Samuel Thomas, a sustainable investment analyst at Schroders.
“We use our proprietary ESG tool, CONTEXT, to help us measure how well a company is managing cyber risk. This involves assessing whether companies have a cyber security certification and ranking companies on how well they protect their customers’ data.
“We gain further insights through direct company engagement, focusing on how well a company can answer the questions such as:
1) Is there responsibility for cyber security and data privacy at the board and management level?
2) How is the company’s technical expertise organised?
3) What training and monitoring of employees and suppliers is in place?
4) To what extent does the company work with external cyber security specialists?”
Fund managers Katherine Davidson and Charles Somers use the above approach to assess the cyber preparedness of the companies they invest in.
Katherine says: “Ideally, we’d like to see more cyber security and data privacy expertise at the board and management level of the companies we invest in. Typically, this would include a chief information security officer or data protection officer in charge of cyber matters.”
Research by accounting firms Deloitte and Grant Thornton finds only 8% of FTSE 100 boards had a chief information security officer (CISO) in 2018. Meanwhile more than one-third of FTSE 350 companies that reported technology and cyber security as a key business risk in 2019 did not have directors with relevant expertise on their boards. In the oil and gas, consumer goods and financial sectors, this figure was 50% or more.
“We also want to see adequate protective systems and controls in place, rigorous and systematic testing of these systems and controls, and regular updates of security software,” says Charles.
“It’s important to us too that there’s appropriate training of employees and suppliers and that the security team use external specialists to keep up-to-date with industry trends and best practice.”
A selection of Schroders’ cyber engagements
Given its increased materiality, we have been engaging with companies on the topic of cyber risk and security for some time now.
For example, we undertook a mass engagement in 2018 with ten of our investee companies across sectors such as financial services, technology and telecoms, which is discussed further in this article: Cyber risk – how investors can prepare for the unpredictable.
The following year, 2019, saw us engage with hotel group Marriott International, pharmaceutical company Lonza, technology firm Science Applications International Corporation and human resources company Recruit.
Lonza:
– Our fact-finding engagement with Lonza yielded greater insights into how they apply cyber best practices
– There is board level expertise with regular briefings from top management.
– There is clear and direct management responsibility with dedicated team resources.
– Risk is pro-actively managed at the group level with penetration testing, interactions with third party expertise and cyber insurance.
– There is regular communication and coordination between technology counterparts in the various business units.
Marriot International:
– While we conduct our own research in-house, we complement this by reviewing external ratings on a quarterly basis to ensure we are assessing risks holistically from a range of perspectives. An MSCI downgrade, driven by the company’s limited data privacy policy and data security governance which lagged peers, and a data security incident in late 2018, prompted our engagement.
– Specifically, we asked for better and more transparent reporting on data security governance.
– The company has since included this in its sustainability reporting.
Science Applications International Corporation:
– Following an acquisition, we contacted the company to gather information on how cyber security was
being addressed.
– We discovered the company has the right tools and processes in place to mitigate cyber security risks,
including the appropriate oversight at board level.
Recruit:
– After a data breach in September 2019, we engaged with the company and suggested restructuring
so that oversight of data security and privacy sat at the board level.
– Recruit employed new executives to fulfil this role at the board level after our engagement.
Reply SpA:
In 2020, we engaged with digital services company Reply SpA and security system provider AssaAbloy.
– We contacted the company to gain more visibility of its data security practices and human capital management.
– We requested additional detail on aspects of Reply’s cyber resilience strategy to help investors more meaningfully understand its level of risk exposure and management approach.
– In particular, we asked for greater granularity over existing compliance mechanisms, such as the scope and frequency of audits and employee training on privacy and data security issues.
AssaAbloy:
– We undertook a fact-finding engagement to learn more about the company’s cyber security processes and oversight.
– We were happy with the response we received from the company but encouraged them to add direct oversight and expertise at the board level.
Read more sustainability insights from Schroders >
Important information
This communication is marketing material. The views and opinions contained herein are those of the named author(s) on this page, and may not necessarily represent views expressed or reflected in other Schroders communications, strategies or funds.
This document is intended to be for information purposes only and it is not intended as promotional material in any respect. The material is not intended as an offer or solicitation for the purchase or sale of any financial instrument. The material is not intended to provide, and should not be relied on for, accounting, legal or tax advice, or investment recommendations. Information herein is believed to be reliable but Schroder Investment Management Ltd (Schroders) does not warrant its completeness or accuracy.
The data has been sourced by Schroders and should be independently verified before further publication or use. No responsibility can be accepted for error of fact or opinion. This does not exclude or restrict any duty or liability that Schroders has to its customers under the Financial Services and Markets Act 2000 (as amended from time to time) or any other regulatory system. Reliance should not be placed on the views and information in the document when taking individual investment and/or strategic decisions.
Past Performance is not a guide to future performance. The value of investments and the income from them may go down as well as up and investors may not get back the amounts originally invested. Exchange rate changes may cause the value of any overseas investments to rise or fall.
Any sectors, securities, regions or countries shown above are for illustrative purposes only and are not to be considered a recommendation to buy or sell.
The forecasts included should not be relied upon, are not guaranteed and are provided only as at the date of issue. Our forecasts are based on our own assumptions which may change. Forecasts and assumptions may be affected by external economic or other factors.
Issued by Schroder Unit Trusts Limited, 1 London Wall Place, London EC2Y 5AU. Registered Number 4191730 England. Authorised and regulated by the Financial Conduct Authority.
The above article is for information purposes only.
At Ethical Offshore Investments, we can provide guidance on a wide range of regulated specialist funds that focus on investing in sustainable type investments with a global presence.
This will includes specialist managed funds and ETF’s that are directly and indirectly involved in preventing Cybercrime and providing Cyber Security.
Sustainable Investing – Ethical Business Standards
If you would like to learn more about the range of quality funds, click the More Information button below and we will contact you personally.