Recent high-profile attacks globally have underlined the paralysing effect that hackers can have even on large, seemingly sophisticated, organisations. As investors, we take cybersecurity very seriously and are assigning an increasing weight to this issue in our analysis and company engagement.
LAY OF THE LAND
Risk is clearly more concentrated in some industries (think banking or e-commerce for example) than others, but no business is immune to significant operational and financial damage.
With the stakes so high, companies that collect and store sensitive private information have to allocate increasing resources to safeguarding it.
Regulatory change is on the way, including the European Union (EU)’s much-discussed General Data Protection Regulation (GDPR), due to come into effect in 2018. This is widely perceived to be the most stringent regulation to date, with hefty fines (up to 4% of annual global turnover) for non-compliance.
Knowing the robustness of a company’s defences, and processes in the event of an attack, is critical, but often difficult for investors to assess. In the arms race of cybersecurity the quantum of spend is clearly important, but can give a false sense of comfort. Likewise, meeting security standards such as ISO, while reassuring, may not be adequate given the rapid pace of change.
Quality is the operative word. Not only do we want to know where responsibilities lie, but also that the scenario-planning that businesses conduct includes real tail-risk situations. The problem, of course, is that a business may not, beyond generalities, want to reveal its activities on this front in any great detail, out of fear of sharing information that can be exploited by hackers.
The recent assault affected computers in the UK’s National Health Service (NHS), Russia’s interior ministry, and many large corporations. Security firms suggested that the majority of affected machines globally were running Windows 7 but had not been updated with a patch that was issued in March.
WHAT WE ARE DOING
Engagement is an important tool for investors. Since last year we have been part of the steering committee of a collaborative initiative by the Principles for Responsible Investment (PRI) on cybersecurity that will commence this summer. This project will help us get an even better handle on best practice and enhance our own company-level analysis.
Cyber-related risks are not easy to price in, with statistical modelling poor at handling such threats. What we can do though is to think creatively – examining the losses suffered by comparable businesses – and stress-test company financials for a range of scenarios. Businesses with really strong competitive moats and a history of customer loyalty should – in theory – be able to recover from attacks but, even for these companies, there may be situations where trust takes a dramatic and lasting knock.