This year the “WannaCry” and “Petya” cyber-attacks made international headlines when they infected hundreds of thousands of computers in 150 countries and disrupted many of the world’s largest companies. These are just two of many pernicious attacks in recent years. According to the PwC 2015 report “Global State of Information Security”, from 2009 to 2014 the number of cyber-attacks increased from 3.4 million to 42.8 million, an increase of over 1000%.
Motivations behind the attacks
While ‘WannaCry’ highlighted the risks of ransomware attacks, the types and motivations of cyber-attacks are broad and complex. Motivations can include government or corporate espionage, pure profit-seeking or greed, or protest and activism.
According to Gemalto’s ‘Breach Level Index’, in 2016, 68% of attacks were carried out by malicious outsiders, 19% corresponded to accidental loss, 9% were conducted by malicious insiders (people working for the attacked company), 3% were carried out by hacktivists and only 1% of incidents were related to state-sponsored attacks.
The type of attack depends on the type of data compromised. The most common data breach is identity theft, representing 59% of all data incidents. Stealing identities allows hackers to access sensitive and valuable information held by companies and governments. Financial access (stealing money) is the second most common type of attack, accounting for 18% of attacks.
A material risk
Cyber-attacks are a material risk to many investee companies and can impact the interests of a company’s entire stakeholder community. First, a cyber-attack has the capacity to disrupt operations, harming the way a company’s employees and managers work. Second, it can more broadly impact the information systems that deal with a company’s suppliers and contractors. Third, a company which fails to protect its customers’ personal data will find it more difficult to retain and build trust and solid relations with its clients. Finally, companies might end up at odds with regulators as legislation becomes stricter. It is an integral part of the fiduciary duty of institutional investors to be aware of these risks and to manage them appropriately.
Institutional investors need to be able to identify the level of exposure to cyber-attacks within their portfolios and to understand how investee companies are mitigating technological and human vulnerabilities. This is no mean feat given the lack of disclosure from investee companies on the topic. This usually has two causes – a lack of understanding from senior management and boards as to the scale and importance of cyber risks, and a lack of experience in deploying the appropriate frameworks to manage cyber threats. In fact, policy makers have only just started to deploy such frameworks. For example, in Europe the Network and Information Systems Directive (NISD) relates to a loss of service. The Directive starts to apply from May 2018. Governments may impose fines of up to EUR 20 million or 4% of a company’s global annual turnover if the appropriate mitigation actions are not in place. The General Data Protection Regulation (GDPR), which relates to a loss of data, comes into effect at the same time and carries the same potential level of company fines.
Cybersecurity through the ESG lens
Cybersecurity impacts S factors (customer satisfaction and, linked to that, service quality) and G factors (how the board manages risk).
At BNP Paribas Asset Management, we have two levels of assessment. First, we examine a company’s cybersecurity strategy and its implementation. We expect companies to explain how they identify and manage their data vulnerabilities, and to describe their action plan for detecting and responding to a threat and recovering compromised data. Second, we focus on companies’ governance and risk oversight, expecting companies to be able to identify the key people responsible for implementing remedial actions, and to engage senior management and the board in the oversight of this process.
Cyber-attacks are a threat for all organisations and have real financial implications. Investors want certainty that the issue of cybersecurity is a top priority for boards and that governance structures are able to effectively deal with these threats. This is no longer just an IT department issue and investors need to take action to persuade companies to adopt cybersecurity best practices and to invest in the appropriate technical solutions.
BNP Paribas Asset Management is an active member of the PRI Cyber Security Advisory Committee, which launched in 2016. Its role is to establish a framework to assess cybersecurity risks and to understand how companies are implementing actions to manage them. This year’s PRI in Person will offer a cybersecurity session to raise awareness and educate investors on how to engage companies to adopt cybersecurity best practices.