Why you need to include cybersecurity in your investment thesis
According to the Australian Government’s Cyber Security Review, cybercrime is costing the nation up to $1 billion annually in direct costs alone. And the costs are rising. Clearly, it’s time for investors to factor the risk, and potential impact, of cyberattacks on the businesses they invest in.
This fact was highlighted at Citigroup’s recent annual Australian equity conference, which included a panel discussion on cybersecurity. The session highlighted the increasing risks a business faces from being hacked or in other ways attacked by electronic means.
There are quite a few ways that a business is at risk from cyberattacks and different ways that an attacker can hurt the future prospects for a business. To name a few that I think are especially important:
- There is a clear trend that criminals have changed their modus operandi during the last years away from stealing and selling information to instead hijacking information and encrypting it to blackmail companies to pay to unlock. This is a much easier, faster and less risky “business model” for attackers as you take away the step of having to find a buyer for the information you have stolen. The sums demanded for the release of the encrypted data can be very substantial and could put a real dent in a company’s profitability.
- The risk for industrial espionage is also increasing but this is according to the panel now much more targeted with the emergence of “hackers for hire” firms and certain countries state sponsored entities who attack a specific target with the intent of looking for specific information rather than hackers stealing information first and then trying to find a buyer.
- The strong trend to an exponentially increasing number of connected devices means that the number of potential entry points into a company’s computer system is multiplying rapidly. Given that many of these devices are relatively simple in nature, they might not always contain internal firewalls etc. and this is increasing the risk for attacks unless a company is very diligent in how they construct their systems.
- What is often forgotten when talking about cyberattacks is the reputational damage that it can cause which can be much more long-lasting than short term monetary damage. A company that has gotten the reputation of not being able to safely store and handle its customer’s information might find it very hard to recover. Yahoo is a prime example of this where its demise was most likely significantly sped up by a number of leaks of customers information.
- The risk that really opened up to me from the discussion was though the risk of increasing your security measures to the extent that they have a negative impact on a firm’s ability to conduct business. An example was give where a company had been the target of a number of “phishing attacks” where attackers attempted to gain information by faking email addresses. The rather drastic response from the company was to ban external emails which of course presented quite severe difficulties for employees whose job included contact with any external parties and the ban was very quickly reversed. Another example was from Singapore where a while ago some government departments IT systems were completely disconnected from Internet. This of course made it harder for attackers to hack into the IT systems directly but it also made life so hard for employees that they resorted to photographing their screens and sending these photos to people using their private emails from their phones. The private emails are of course not monitored and secured by the departments IT department so this instead increased the risk overall…
According to the panel, the amount a company should spend of cyber security varies widely between different industries but can be quite substantial for information based companies like finance where banks often spend more than 10 per cent of their total IT budget on security.
Going forward, I will incorporate into my analysis of companies an assessment of:
- How likely is it that a company will be a target? A company which invests heavily into R&D and which relies heavily on having a technological advantage is of higher risk than a company operating at a lower technological level, and companies whose business primarily involves handling information like a bank is of course much more exposed than a commodity company for example.
- What are the short-term and long-term consequences if a company has a serious cyberattack? Are these consequences primarily monetary, competitive or reputational?
- Is the company investing enough in cybersecurity?
- Does the company have good contingency plans in place to deal with a potential attack?