Hacking is the ultimate David v Goliath contest, but it is investors who could be knocked out if their portfolio companies’ digital defences are not robust enough. Mark Dunne reports.
Shoplifting is an occupational hazard for shopkeepers. Retailers invest in trying to stop it and, if that fails, are insured against any such losses. Yet in December 2013, US retail giant Target suffered a theft that has cost it hundreds of millions of dollars, despite the thieves not being in any of its more than 1,800 superstores at the time.
These were not your typical shoplifters. They did not take electrical goods or stuff bottles of whiskey inside their coats. Instead, they stole the debit and credit card details of up to 40 million customers from the retailer’s database. Four years later, Target paid $18.5m (£15.1m) to settle a lawsuit brought by those affected, while the total cost of the incident has to date exceeded $200m (£163.3m). A $39m (£31.8m) insurance payment has provided little comfort.
Unauthorised access to the online networks of companies and organisations, commonly known as hacking, is a growing threat to investors. Indeed, Target’s share price slumped 11% in the weeks following the attack, while earnings for that quarter plummeted by 46%, year-on-year.
So it’s not only warmer temperatures and rising sea levels that could cost businesses billions of pounds in the coming years. Increasing digitalisation is making companies more efficient but has introduced huge risks that investors need to factor into their decision making.
Indeed, the World Economic Forum has named cybersecurity among the world’s top five business risks, while Microsoft’s chief executive, Satya Nadella, has described it as the challenge of our age, committing $1bn (£826.1m) a year to tackling the problem.
It’s not just about money
The attraction of hacking is that it carries lower risk than bursting through the doors of HSBC carrying a sawn-off shotgun. Yet, while the rewards could be higher, money is not the only motivation.
“Cybercrime is not only about stealing information,” says Ian Burger, head of responsible investment at Newton Investment Management.
There is more to hacking than selling information on the dark web. “Cybercrime envelops an umbrella of issues,” says Margaret Childe, head of Canada for ESG research and integration at Manulife Investment Management. “It can be anything from system failures to business disruption. There can be many reasons why a cyberattack occurs.”
Whatever the motivation, hacking can be expensive. In 2015, cybercrime cost companies around the world $3trn (£2.4trn), Cybersecurity Ventures says, a figure it predicts could double by 2021.
Burger points to the example of a hearing aid maker that saw its EBIT shrink 22% following a cyberattack last year. “This demonstrates how cybercrime can have serious implications,” he adds.
Lower revenue through operational disruption, loss of customer confidence and legal bills are not the only consequences of a successful hack. Fines can be heavy. The General Data Protection Regulation (GDPR), which was introduced in Europe in 2018, states that companies failing to keep customer data secure face a fine of up to 4% of revenue.
In the mainstream
Some of the world’s most well-known businesses and organisations have been hacked, including Marriott, eBay, LinkedIn, the city of Baltimore, Uber, Sony, Google and, as we went to press, budget airline easyJet. Even celebrities and movie stars have not escaped as their private pictures have been leaked online.
With such high-profile attacks, corporates are taking notice and improving their cybersecurity, says Anu Rames, ESG research, global technology & healthcare, at BNP Paribas Asset Management. “Cyber risk is a business strategy risk at the end of the day,” she adds.
It has become a mainstream strategy because the size of such breaches can be huge. For example, criminals accessed the personal details of 3 billion people when they broke into Yahoo’s system in 2013. But it is not just larger, multi-national businesses that are being targeted.
“No company is free from a potential cyberattack,” Burger says. “Mega-cap corporates are a target because of their size, but even small, unlisted companies are targets; we have seen significant amounts of cash siphoned off from their bank accounts because their security is not robust enough.”
One of the trends in cybersecurity is hackers’ growing focus on healthcare. The NHS has proved its value during the current pandemic, making it an ideal target for hackers. It has been targeted by such criminals on more than one occasion. In one such attack, hackers attempted to ransom patient files. Hospitals in France and Italy have also been targeted.
“Hospitals may be more vulnerable to such attacks because their cybersecurity resilience is under increased strain in dealing with the crisis,” Childe says.
It is not just weaker defences that make hospitals a target for hackers. “Health data often goes at a premium in the black market because it is the type of data that cannot be changed,” she adds. “We can change our banking information, but not our personal health data.”
The rise in keeping electronic records has led to an increase in privacy risk, a trend that has been noticed by Robeco. Cybersecurity is one of the top five issues the asset manager discusses with its healthcare portfolio companies as part of its engagement strategy.
BNP Paribas Asset Management is also working to get companies to disclose more information on their cybersecurity performance. “It is an ongoing dialogue,” Rames says. “The more questions we ask, the more we understand. That is an area of focus for us. It is an ongoing conversation.”
To help assess corporates on their cybersecurity performance relative to their peers, Robeco has created dVaR, a cybersecurity score. “Using publicly available data, we are able to break open the black box, giving us greater insight into the cyber risk and resilience of each analysed company,” van der Werf says.
He adds that the scoring system was developed in 2017 due to a lack of information for investors to assess at what level companies are monitoring and managing cybersecurity risks within their business.
Robeco has seen a rise in management giving more attention to cybersecurity and shareholders are voting to make dealing with the issue part of the executive bonus system.
“It is an evolution,” Burger says. “The attackers continue to up their game, so companies have to keep doing the same to counter that threat.”
Paul McGlone, a partner at Aon, adds that this is one of those wars that swings to and fro. “The number of successful attacks has been increasing because the number of attacks is increasing.
“We are more aware now than ever before of the things that could happen, but I suspect that proportionally fewer attacks are getting through, but the number of attacks that are taking place means that the number that get through is on the rise.
“The defences out there are good and when I hear the cyber experts talking about the steps that they are taking to mitigate the risk, it is a fairly finely balanced war and there will be swings to and fro,” he adds.
Burger explains that when assessing a company’s network security, governance considerations are an essential part of due diligence: Is cyber risk part of the formal risk strategy and framework? Is there accountability and responsibility throughout the organisation from the board down to those who are managing or reacting to risks?
For Rames, you cannot protect corporates from every risk and so setting cybersecurity policies and procedures to prevent system breaches is not enough. “If the system is compromised, they also need a plan to protect the system and ensure minimal damage is caused,” she adds.
We are all connected now
The issue is that technology is changing rapidly. The invention of smart devices has changed how people do business and criminals are adapting.
Employees are more likely to work from the cloud than a server these days and so hackers have changed how they are targeting companies. Rather than trying to breach a company’s firewall, they are working to get an employee’s login details. The security focus has switched from protecting the network to authentication and securing devices. This is why there has been a rise in reported instances of hacking during lockdown as more people work remotely.
“The increase of digitalisation in all areas of business has heightened the cyber risk,” Burger says. “A lot of companies rely on their digital offering to get products and services to their customers, which puts them in a more susceptible position.”
The level of successful attacks is rising thanks to the Internet of Things, says Peter van der Werf, director of active ownership at Robeco.
“Many people are aware that their computer or phone can be hacked, but what about other devices that are increasingly being connected to the internet, such as smart TVs, fridges and music speakers? This growth of devices, at home and in offices, that are now online is rapidly outpacing our ability to ensure that such devices are properly policed and protected,” he adds.
Indeed, our homes can be controlled by our phones, while steering, braking, lighting and the warning systems in new cars are controlled by computers linked by what is known as a Controller Area Network (CAN). New advancements have created new threats. Consumer magazine Which? claims that it hacked into the CAN of two car models, which not only means that criminals can use the system to access the information in your phone but, worse, put your safety at risk.
“Cybersecurity is an issue that is front and centre for investors,” Childe says, especially as the world is moving more towards a cloud computing model. If one of those cloud hosts is breached it could have a systemic impact across the board. “So it is increasingly an issue that investors look at,” she adds.
For those looking not just to cut cyber risk in their portfolio, but to gain exposure to the growing threat, investing in financial technology is an obvious place to start.
There are various estimates on future spend in this market, but one estimate used in research by one asset manager puts the value of the cybersecurity software market at more than $80bn (£66bn) by 2024, up from $50bn (£41bn) in 2018, which suggests that the market is growing by 8.9% a year.
Rames explains that as the world migrates towards a concept where an employee can be anywhere in the world and log onto the system, those offering encryption services will benefit. “You are authenticating the device and the person.
“We are going to see a lot more connected devices enter the network,” she adds. “If you are looking at cybersecurity as a theme, networking stands to benefit. You need a provider who provides authentication.”
There are alternative sectors for those looking to gain exposure, such as insurance, payment companies and consultancies.
The cybersecurity-linked technology services and consultancy market is expected to be worth $109bn (£89.4bn) in the next four years, up from $65bn (£53.3bn) in 2018.
A report from S&P, published in August 2019, stated that the cyber risk insurance market will expand faster than most traditional lines and could reach $8bn (£6.5bn) of gross written premiums by 2022. Two years ago, the market was worth $5bn (£4.1bn).
The cybersecurity market is huge and with technological advances and increasing digitalisation, the threat, and opportunity, is likely to always be with us. So investors not only have to be aware of the changing risks here, but also how to gain exposure to the upside of such a major long-term theme.