Digging deeper on the corporate cyber-attack threat
By Michaela Zhirova, senior analyst, and Marjo Koivisto, head of ESG Quant, at Nordea Asset Management
The immense business opportunities brought on by digitisation can come with a multi-trillion-pound price tag if corporates do not prepare adequately for cyber-attacks.
Cyber-attacks, on both companies and governments, include infringement of privacy and confidentiality, expensive theft of data, compromise of system integrity and accessibility, as well as destruction of data. Despite cyber-attacks becoming both more frequent and more sophisticated at an alarming pace, companies seem to under-invest in cyber risk management.
Because cyber-attack identification, evaluation and elimination can take a long time and result in operational loss, the cost to companies continues to edge higher. This is evidenced by the NotPetya ransomware attack in 2017, which spread from Ukrainian servers to large global businesses – resulting in losses totalling more than $10bn. Infecting companies in multiple industries, NotPetya infamously brought down Maersk’s operations for more than 10 days.
Marriott was another company hit by a major cyber-attack, and the financial implications were severe. In July 2019, it was fined $126m in the UK, with further fines in Turkey and the US. The breach to Marriott became public on. In the month following news of the breach on 30 November 2018, Marriott’s share price plunged by 17%. Analysis shows investors do punish companies with data leaks, which should be a strong motivator for corporates to focus more on better cyber security preparations.
In our scoring system, the most exposed sectors are largely industrials and manufacturing. These sectors score medium-high for exposure but get dragged down by the lack of investment in systems and expertise. Systems in the restaurant and leisure sectors also tend to significantly lack the necessary sophistication to meet the demands of processing sensitive customer data.
As it is not possible to be ‘bulletproof’ against cyber-attacks, companies should aim to be sufficiently prepared to respond to potential cyber breach incidents. However, companies are, in general, underspending on cyber incident preparedness. While it is challenging for companies to publicly disclose their cyber security spending budgets, investors must ask for details.
Determining cyber-attack preparedness
As part of our research on the companies we invest in, we have developed a series of cyber security preparedness questions, with the objective of understanding our cyber risk exposure. We ask 17 questions, focused on identifying, governing, implementing and calculating material cyber risk exposure. Specifically, we see four primary factors related to cyber preparedness.
Firstly, there is cyber risk identification. It is a red flag for us if a company is unaware of the most material cyber risks to its business. We expect a company's risk appetite to be tailored to its awareness of its material cyber risks, and we expect to see a cyber asset strategy concretely established. For example, an asset such as source code must be protected in a differentiated way from personal data.
Next, there is governance, as cyber resilience should be a board-level issue for companies. Privacy and data policies should have wide application, covering third parties, for which a minimum standard must be established before any business is undertaken. We prefer to see a quarterly check on cyber skills at the board level.
Context is also key. Best practice is to be aware of the need for a stronger ecosystem on cyber resilience, with knowledge sharing and collaboration on priorities with peers.
Finally, there is the implementation. Companies with best practice have solid incident anticipation and ‘damage control’ processes in place. We also expect best practice companies to have cyber security integrated at the product level early in product development, while also managing cyber assets and costs effectively.
At Nordea Asset Management, we see cyber security as an increasingly materialising ESG risk factor. The pace and scale of new technologies across different industries is expanding the cyber-attack surface that malicious actors can exploit, which will only increase as the trials and pilots for 5G accelerate.