The impact of cybersecurity in investment has been brought to the fore in the last 12 months, thanks to high-profile data breaches paired with landmark legislation.

Jamie Crawley speaks to experts in the cyber field to see what attention must be paid to cybersecurity in an investment strategy.

Cybersecurity and ESG investment

A great deal of attention is paid to companies’ ESG (Environmental, Social and Governance) performance. But some are now asking whether cyber management should be considered as an integral part of this, as an aspect of a company’s internal governance.

Matt Lock, director of sales engineers at data security company, Varonis, says: “Security in the financial sector is often viewed as a risk-management exercise. I think it’s worth expanding that view to include ESG.

“Most companies build their businesses on customer loyalty – and a data breach can negatively impact that overnight. A company’s commitment must go beyond standard language and promises – they must be able to explain what they are doing to ensure they’re keeping their customers’ private data, well, private.”

Data as the new oil

It is quite common today to refer to data as the “the new oil”. This may be perceived as a slight exaggeration by some, but there can be no doubt that in many industries, data is a company’s number one asset, and should be protected accordingly.

“Data is at the centre of the modern digital enterprise. It’s priceless,” says Benjamin Ross, director of data management company, Delphix.

“Yet, data is costly to store, slow to copy, difficult to move and hard to govern. Despite billions being poured into the innovation pot, projects are so often slowed down by data friction, the result of growing volumes of siloed data and multiple access requests.

“Research has shown that less than 37% of business organisations perceive that IT’s digital initiatives are aligned with the business and only 25% believe that IT are correctly using their data. This means that whilst the future holds exciting new developments in technology such as automation and AI, data friction is the principal obstacle which stands in the way of truly taking advantage of these innovations.”

Third-party cybersecurity

Identifying good from bad cyber management is a complex exercise, which banks and wealth managers should be acutely aware of. Not only do financial services companies need to be conscious of their own own internal cyber management but also those of the businesses they invest in or possess as clients.

Financial services is among the best-performing industries when it comes to cybersecurity. Banks may then use their own cybresecurity processes as yardsticks to measure others.

“If we look at financial services, they are among the most mature and sophisticated in identifying and managing cyber risk.” says John Sheehy, vice president at cybersecurity firm IOActive.

“They have very mature risk models and risk management frameworks.”

Using the tech industry as an example, Sheehy explains how the maturity of a business can offer some indication of their cyber management.

“The older tech companies are 40 to 50 years old. Many of the organisations with that kind of tenure tend to have pretty secure practices and mature governance. A great example is Microsoft.

“Microsoft was really beaten up in its adolescence for not having good security, which resulted in Bill Gates writing the ‘Trustworthy computing’ memo in 2002.

“They made a commitment to make that transformation.

“Some of the younger organisations that have been around for 10-15 years haven’t yet made that transition.”

Cybersecurity – location, location, location

This trend is observable, not only across industries, but by geography as well.

Cybersecurity company Trustwave published its ‘Global Security Report’ in April 2019, which found Asia-Pacific had overtaken North America as the most vulnerable region to data compromise, accounting for 35% of all reported breaches.

“Some of the fastest growing economies around are in the Asia-Pacific market,” Trustwave’s vice president of research, Ziv Mador, says.

“Asia-Pacific businesses are growing, making them better targets for cybercriminals. It takes time for these companies to develop awareness of cybercrime: recruiting effective teams, training them, and providing them with the tools they need.

“We have found that the most effective way of infiltrating an organisation is through social engineering, meaning education of employees is so important. In Asia-Pacific’s growing economies, it takes longer for companies to attain the same level of effectiveness in cybersecurity that you see in other regions.”

The far-reaching impact of a cybersecurity breach

Last year saw high-profile data breaches affecting huge companies across multiple sectors. These have the obvious short-term impact on the firm’s share price, but in the longer term the reputational damage will continue to bite.

Tim Hickman, partner at global law firm, White & Case, says: “The thing that is most likely to drive damage to a share price is the spiral of negative press stories.

“And it becomes a self-fulfilling prophecy: as long as you’re in the press for having a bad reputation for privacy, it’s very difficult to live it down.

“Regulators only have a certain amount of money every year from the exchequer that it can invest, so they are always going to put that money into cases that are most likely to generate press attention, so they can call for more money the following year.

“So once a company has that reputation, regulators are more likely to listen to complaints about them than they are others.

“So a bad narrative in this space can do a lot of damage to a share price very quickly.”