Staying ahead of the Cyber threat


Staying ahead of the Cyber threat

Recent high-profile attacks globally have underlined the paralysing effect that hackers can wreak even on large, seemingly sophisticated, organisations. As investors, we take cybersecurity very seriously and are assigning an increasing weight to this issue in our analysis and company engagement.


Risk is clearly more concentrated in some industries (think banking or e-commerce for example) than others, but no business is immune to significant operational and financial damage.

With the stakes so high, companies that collect and store sensitive private information have to allocate increasing resources to safeguarding this.

Regulatory change is on the way, including the European Union (EU)’s much-discussed General Data Protection Regulation (GDPR), due to come into effect in 2018. This is widely perceived to be the most stringent regulation to date, with hefty fines (up to 4% of annual global turnover) for non-compliance.



Knowing the robustness of a company’s defences, and processes in the event of an attack, is critical, but often difficult for investors to assess. In the arms race of cybersecurity the quantum of spend is clearly important, but can give a false sense of comfort. Likewise, meeting security standards such as ISO, while reassuring, may not be adequate given the rapid pace of change.

Quality is the operative word. Not only do we want to know where responsibilities lie, but also that the scenario-planning that businesses conduct includes real tail-risk situations. The problem, of course, is that a business may not, beyond generalities, want to reveal its activities on this front in any great detail, out of fear of sharing information that can be exploited by hackers.

The recent assault affected computers in the UK’s national health service (NHS), Russia’s interior ministry, and many large corporations. Security firms suggested the majority of machines globally affected were running Windows 7, but had failed to apply a patch which was issued in March.



Engagement is an important tool for investors. Since last year we have been part of the steering committee of a collaborative initiative by the Principles for Responsible Investment (PRI) on cybersecurity that will commence this summer. This project will help us get an even better handle on best practice and enhance our own company-level analysis.

Cyber-related risks are not easy to price in, with statistical modelling poor at handling such threats. What we can do though is to think creatively – examining the losses suffered by comparable businesses – and stress-test company financials for a range of scenarios. Businesses with really strong competitive moats and a history of customer loyalty should – in theory – be able to recover from attacks but, even for these companies, there may be situations where trust takes a dramatic and lasting knock.


IMPORTANT INFORMATION: All investments involve risk, including loss of principal. Past performance is no guarantee of future results. An investor cannot invest directly in an index. Unmanaged index returns do not reflect any fees, expenses or sales charges.

Equity securities are subject to price fluctuation and possible loss of principal. Fixed-income securities involve interest rate, credit, inflation and reinvestment risks; and possible loss of principal. As interest rates rise, the value of fixed income securities falls. International investments are subject to special risks including currency fluctuations, social, economic and political uncertainties, which could increase volatility. These risks are magnified in emerging markets.

The opinions and views expressed herein are not intended to be relied upon as a prediction or forecast of actual future events or performance, guarantee of future results, recommendations or advice.  Statements made in this material are not intended as buy or sell recommendations of any securities. Forward-looking statements are subject to uncertainties that could cause actual developments and results to differ materially from the expectations expressed. This information has been prepared from sources believed reliable but the accuracy and completeness of the information cannot be guaranteed. Information and opinions expressed by either Legg Mason or its affiliates are current as at the date indicated, are subject to change without notice, and do not  take into account the particular investment objectives, financial situation or needs of individual investors.