Cyber-risk: how investors can prepare for the unpredictable
Cyber crime continues to create significant costs for companies globally, but understanding the risk means going beyond a formulaic assessment of policies.
17 August 2018
Digital data has grown exponentially in recent years, spurred by increased penetration of mobile devices and consumption of online services. The rapid expansion in the volume of data stored by companies, many of which are relatively new to data management and security, has attracted cyber criminals employing increasingly sophisticated tools and techniques. Cyber crime costs global companies around 60% more than it did only five years ago, whilst in the US that number has risen by over 80% (see Fig 1). No company can afford to ignore the threat, and regulators such as the UK’s Information Commissioner’s Office (ICO) are stepping up enforcement actions. Those enforcement actions represent only the tip of the iceberg.
Figure 1: Cyber costs are increasing
Source: ico.org.uk, Accenture & Ponemon Institute's 2017 Cost of Cyber Crime Study, Cisco Global Cloud Index
What does cyber risk mean?
Cyber risk is a broad term. For most people, it represents the risk of loss or harm from breaches of, or attacks on, information systems. That loss can take many forms, including direct financial costs, reputational damage or loss of operational continuity. Recent high-profile breaches (WannaCry, Petya, Equifax etc.) have served to further raise awareness of the issue, in turn attracting regulatory scrutiny. Data privacy is commonly associated with cyber risk, and is a centrepiece of the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. That law has become a de facto global standard; it clarifies and expands upon what sensitive data entails and who has the usage rights, and it assigns to companies the responsibility to keep customer data safe, with high fines if they fail to do so.
Why should investors care?
Cyber is an increasingly critical source of business risk, especially for companies with important intangible assets such as brands, customer relationships or technology. The negative impact a data breach can have on a brand links straight to a company’s competitiveness, future revenues and future cash flows. Data breaches often uncover poor governance practices and weak management; changing people or policies is quick, but re-establishing market and customer trust takes much longer.
An engagement approach
In our view, investors should focus on understanding how well a company prepares for cyber events. The depth of its approach should give confidence that when (not if) a breach occurs, processes and resources are in place to minimise the impact on its operations and its ability to create value.
Building that understanding means going beyond a formulaic assessment of policies. We believe direct company engagements are the best way to gain insights. We have delved into the topic, focusing on a few main areas:
- Governance: assess how well cyber risk is understood by the board
- Expertise: does the company have the internal capabilities to manage cyber risk? Is it drawing on specialist skills from outside the organisation?
- Technology: has the company adopted best practices from a technical standpoint?
Recognising that cyber risk is relevant to many business models, we have engaged with Chief Information Security Officers (CISOs) or Data Protection Officers (DPOs) at ten companies Schroders invests in, across sectors such as financial services, technology and telecoms.
Main findings: expertise and board responsibility
Our direct and detailed engagements have allowed us to identify where the material information lies, and to better understand the strengths and weaknesses at a company level. We believe the key areas are:
- Expertise: it is critical that the company has a well-resourced and specialised cyber security team, managed by a CISO/DPO and reporting preferably to the CEO or the board. The security team should also draw on specialised external expertise on a regular basis to stay on top of new threats and security tools. Internally, the team should have direct ownership of specific technical tasks such as penetration testing and security patching.
- Board level responsibility: the board should have specific expertise to evaluate whether the company has the appropriate operational and managerial resources to mitigate cyber risk.
The analysis of a company’s level of expertise and board responsibility provides our analysts and fund managers with a basis on which to structure their questions of management teams, and to benchmark responses against peers.
In addition, the engagements have changed our understanding of a few areas usually thought of as important, but which most companies disregard. For instance, our discussions highlighted the weaknesses of focusing on ISO 27001 (an IT standard that best-in-class companies implement internally), on cyber insurance (current products offer limited coverage) and on policies on cyber/data protection (while important for compliance purposes, they appear less helpful in actually managing cyber risk).
Conclusion: targeted engagement
Cyber is an increasingly important risk for every organisation. As investors, we need to gain a deeper understanding of how well the companies held in our clients’ portfolios are prepared to manage this risk. We believe targeted company engagement is the most effective way to gain insights into key areas such as top-level risk governance and technical expertise, where investors might be able to identify unsuitable practices before their consequences materialise.
Important Information: This communication is marketing material. The views and opinions contained herein are those of the author(s) on this page, and may not necessarily represent views expressed or reflected in other Schroders communications, strategies or funds. This material is intended to be for information purposes only and is not intended as promotional material in any respect. The material is not intended as an offer or solicitation for the purchase or sale of any financial instrument. It is not intended to provide and should not be relied on for accounting, legal or tax advice, or investment recommendations. Reliance should not be placed on the views and information in this document when taking individual investment and/or strategic decisions. Past performance is not a reliable indicator of future results. The value of an investment can go down as well as up and is not guaranteed. All investments involve risks including the risk of possible loss of principal. Information herein is believed to be reliable but Schroders does not warrant its completeness or accuracy. Some information quoted was obtained from external sources we consider to be reliable. No responsibility can be accepted for errors of fact obtained from third parties, and this data may change with market conditions. This does not exclude any duty or liability that Schroders has to its customers under any regulatory system. Regions/sectors shown for illustrative purposes only and should not be viewed as a recommendation to buy/sell. The opinions in this material include some forecasted views. We believe we are basing our expectations and beliefs on reasonable assumptions within the bounds of what we currently know. However, there is no guarantee that any forecasts or opinions will be realised. These views and opinions may change.
To the extent that you are in North America, this content is issued by Schroder Investment Management North America Inc., an indirect wholly owned subsidiary of Schroders plc and SEC registered adviser providing asset management products and services to clients in the US and Canada. For all other users, this content is issued by Schroder Investment Management Limited, 1 London Wall Place, London EC2Y 5AU. Registered No. 1893220 England. Authorised and regulated by the Financial Conduct Authority.