As this transformative digital journey continues to unfold, it is increasingly important for investors to keep up with the associated trends and risks.
Cybercrime is one of the biggest threats posed in today’s digitalised world. However, while many companies have been quick to invest in their digital capabilities, they have been slower to invest in their cybersecurity. On the investment side too, little has been done to integrate this element into the selection process.
Costs and opportunities
The total global cost of cybercrime was estimated at $6trn in 2021, a figure that is expected to rise to $10.5trn by 2025. What is more, cybersecurity risks are not limited to specific companies or industries. This is clear from the number of high-profile cyber-attacks in recent years, which have resulted in significant reputational and financial damage.
For investors, a company’s cyber hygiene is therefore becoming increasingly critical when creating portfolios, with firms risking exclusion if their standards are low.
For those asset managers who do take cyber risks into account, there is a growing opportunity to engage with companies around their exposure to cyber risks. This will ultimately increase the number of companies meeting investors’ cyber-focused screening criteria, widen the investment universe for portfolio allocation, and strengthen the investment case for companies amid growing investor focus on exposure to new and evolving risks.
However, due to the highly technical nature of cybersecurity data, finding a catch-all way to assess a company’s overall cyber risk level is easier said than done. It therefore makes sense to start with the basics, and improve screenings along the way.
These basics revolve around known vulnerability detection. The easiest thing a company can do to protect itself is to make sure its software is up to date, allowing it to avoid vulnerabilities that could be exploited in an attack. Easy as that sounds, Lombard Odier found that 20% of companies screened do not adhere to those basics. This means any cybercriminal can infiltrate 20% of the companies in our screening universe using scripts readily available on the dark web. From here, malware or spyware can be installed and further infiltrations planned.
Another important element of the cybersecurity risk management process is active engagement. This is where the appointment of a chief information security officer (CISO) can be of significant benefit to companies, allowing them to uphold cyber standards through a dedicated internal resource with specialist knowledge. A CISO can monitor employee activity to determine data outflows and map vulnerabilities in the company’s tech framework. Additionally, they can act as a source of information for investors, reflecting cyber concerns to management teams and ensuring cyber security is front of mind for business leaders.
We anticipate that, over time, cyber health will become integrated into wider ESG reporting standards. This is likely to result in greater managerial focus on how cyber reporting requirements are met. With cyber screening growing in significance for investors, companies need to ensure they have sufficient processes to capture, filter and report data to investors and other stakeholders.
With data reporting, there is nowhere to hide: it is objective and is gathered via a wide variety of screening tools. Filling out a questionnaire stating that all software is up to date will not help if the screenings come back with an opposite conclusion, and will result in challenges from critical investors.
Security and vigilance will be increasingly tested via investors’ objective screening processes. The goal is not to invest in companies that cannot be hacked – after all, no company can completely protect itself. The focus must be on mitigating the risk of cyber security threats by investing only in the most resilient companies.
For as long as the investor community does not ask questions about cybersecurity, the topic will not be considered a priority by management teams. Engagement helps to focus management teams’ collective minds on the topic and to resolve business continuity risks by addressing low-hanging fruit, including updated software, the appointment of a CISO (chief information security officer) and cyber risk insurance.
Jeroen Van Oerle, portfolio manager of Global Fintech Equities at LOIM