Cyberattacks appear to be growing increasingly brazen and devastating with each passing year, raising the cybersecurity risks facing anyone connected to the cloud. But cybersecurity is not just a technological issue; it’s a critical governance issue with major implications for your clients’ portfolios.
The impact of these attacks is staggering. Various reports suggest the global financial impact of cybercrime ranges in the hundreds of billions of dollars annually, with some experts warning this volume could triple over the next few years.
Major global corporations such as Yahoo!, Uber Technologies Inc., Target Corp., Home Depot Inc., TJX Cos. Inc., Equifax Inc. and others have been the targets of cybersecurity breaches that resulted in significant financial losses. The impact of the hack at Equifax continues to grow as the credit reporting agency deals with the aftermath of a data breach that affected more than 145 million Americans and 100,000 Canadians. This event led to a 35% drop in Equifax’s share price and cost the company at least US$87.5 million in expenses in response to the hack. It has also exposed the company to “more than 240 consumer class-action lawsuits as well as financial institution class-action lawsuits, shareholder class-action lawsuits and other lawsuits and claims,” according to the company’s 2017 third quarter report.
Even the largest technology companies are susceptible. In just a few days following the news that 50 million Facebook users’ data had been obtained without consent and used for political purposes, Facebook Inc. had lost 10% of its market capitalization — equal to US$60 billion.
Thus, your clients need to know that companies in their portfolios are prepared to prevent, respond to, and recover from data breaches and cybersecurity threats. The World Economic Forum’s Global Risks Report 2018, published in January, noted that cyberattacks and data fraud are among the top five risks most likely to happen in 2018. Furthermore, according to Marsh LLC’s Global Cyber Risk Perception Survey, published in February, two-thirds of senior executives rank cybersecurity as a top five risk-management priority. However, only 19% are confident in their organization’s ability to manage and respond to a cyberevent and just 30% have developed a plan to do so. This data suggest that cybersecurity is viewed widely as an important risk issue, but most companies are largely unprepared to deal with a breach.
Given the tremendous financial implications of cybersecurity issues, advisors would benefit from analyzing the cybersecurity policies, procedures and practices of companies in their clients’ portfolios. Although technological solutions provide the foundation for cybersecurity, it’s how a company manages in-house human error and maliciousness that can prevent a costly data breach.
A recent study from Forrester Research Inc. found that employees were often the weakest link in a company’s cybersecurity armour. The report notes that employee errors, accidents and malfeasance were among the top causes of cybersecurity breaches. The report also found that current, temporary and former employees and managers were among the top perpetrators of cybersecurity incidents.
Many cyberattacks are preventable with proper management and controls. For example, a hacker exploiting a software vulnerability, an attack on a corporate website, or an attack using compromised login credentials can often be prevented by performing regular software updates and following existing cybersecurity protocols. Equifax’s former CEO admitted as much about the company’s data breach when he testified to the U.S. House Commerce and Energy Committee in October 2017. And a report from the U.K.’s National Audit Office notes that the WannaCry ransomware attack on the National Health Service (NHS) last year was the result of NHS staff not acting on critical alerts and not managing their computers’ firewalls properly. These cases illustrate that cybersecurity is not just a technology issue; it’s a people-management issue that requires sound governance.
On the other hand, growing cybersecurity risks represent new opportunities for responsible investors. Companies, governments, non-governmental organizations and other organizations all over the world will be upgrading and enhancing their cybersecurity platforms continually to mitigate exposure to these risks. Some reports suggest that the cumulative global cybersecurity spend could reach US$1 trillion by 2021. Pure-play cybersecurity firms could be in a strong position to capitalize on the significant increase in projected cybersecurity spending over the next few decades. Investment fund companies are developing products for investors to tap into the this trend. For example, Evolve Cyber Security Index ETF invests in companies that are involved in the cybersecurity industry through hardware and software development.
When it comes to corporate online security, the harsh reality is that nothing — and no one — on the Internet is completely safe. With that, however, comes a potential upside for responsible investors who manage their exposure to these risks and capitalize on cybersecurity opportunities. Thus, it’s imperative for advisors and their clients to stay up to speed on the latest cybersecurity threats and innovations. Your financial well-being, and even your identity, depends on it.