Cyber-security – a material investor risk

New Manifest research shows board cyber-security risk gaps

As global economies become more digitally dependent, the continuing rise of cyber-security threats and actual breaches raises serious questions for shareholders. If technology fails, it is no understatement to say that the impact can be immense. Investors therefore have a role in ensuring company boards take cyber-security risks seriously so that no stakeholder loses out.

Cybersecurity Concept

For a number of years Manifest has been tracking the key performance indicators and risks disclosed in annual reports. Manifest’s latest FTSE350 cyber-security risks research shows a rise in the number of companies with a dedicated board risk committee, up to 38% from 33% last year. Cyber-security also remains a high priority risk, second only to regulatory compliance. Twice as many sectors now recognise cyber-security risks in comparison with last year’s findings. Forestry & Paper and Software & Computer Services are among the sectors where all the companies analysed now recognise cyber-security risks compared to 0% and 67% of companies respectively last year.

Very worryingly, however, almost 20% of the FTSE350 do not recognise cyber security risks at all in their annual reports.

Investors join the cyber-security debate

New regulations due to come into force in May 2018 could see companies being fined up to 4% of group turnover for cyber-breaches. Given the material level of shareholder value at risk, shareholders need to join the debate and encourage boards and audit committees to ensure that cyber-risk is on the agenda. Therefore, as of the beginning of December 2016, Manifest’s standard voting policy will add a Case-by-Case flag on all resolutions re-appointing members of the audit committee and the chairman where companies have not disclosed a cyber-security risk strategy.

Given the potential impact of cyber-breaches, Manifest will not be publishing public lists of companies without cyber-risk management policies. Our clients will, however, be able to see this information in our Say on Sustainability reports, together with GHG risk mitigation targets.

Investors look to companies to communicate cyber-governance

In its Viewpoint report published in May the International Corporate Governance Network (ICGN)  said it encouraged board members to see IT as a strategic asset and to treat protection against technology incidents with the same seriousness as industrial accidents. Board members are encouraged to improve their personal knowledge of technology and its risks.

In dialogue with board members, investors should be cautious on excessive reactions to the most recent threat or regulatory release, the ICGN said; instead the focus should be on a balanced oversight of all cyber-related risks to business objectives. An overly reactive approach often results in using resources in order to fix the most recent crisis, the ICGN suggested, without a proactive, risk-based allocation of resources across all areas of information technology.

Boards getting better informed says PWC

The advisory firm, PWC, in its latest global state of information security survey believes that companies are now investing in tackling cyber security risk. PwC said that its survey found that internally, businesses are expanding the roles of key executives and boards of directors to allow for enhanced communication of cyber threat information and help build better-prepared, more resilient cybersecurity capabilities.

The study found that 45% of boards now participate in the overall security strategy.  PwC also said that it may be no coincidence that, as more boards participate in cybersecurity budget discussions, its survey saw a 24% boost in security spending.

PwC said that companies are also implementing awareness programs to help educate employees and executives about cybersecurity fundamentals and human vulnerabilities like spear phishing, which remains a very successful attack technique. At the same time PwC suggested that businesses are also more willing to share intelligence on threats and response techniques with external partners.

Another notable measure of progress in recent years, PwC said,  is a willingness to invest in cybersecurity. This year, respondents to the survey reported they have boosted information security spending significantly, and many are gearing up to tackle the cybersecurity risks head on. Action being taken include adopting innovative technologies like cloud-enabled cybersecurity, big data analytics and advanced authentication to reduce cyber-risks and improve cybersecurity programmes.

PwC’s study found that 91% of its respondents had adopted a risk-based cybersecurity framework which  PwC said enable organisations to identify and prioritise risks, gauge the maturity of their cybersecurity practices and better communicate internally and externally.

Security industry research flags the scale of the challenge

In its annual survey of internet security, global information protection expert, Symantec found that in 2015, the number of zero-day vulnerabilities – undisclosed vulnerabilities that hackers can exploit with no notice – more than doubled to 54, up from 24 in 2014 and 23 in 2013. Symantec also found that there were 430 million new unique pieces of malware in 2015, up 36% from the year before.

While the number of data breaches only increased slightly in 2015 by 2%, the number of mega-breaches – where over 10 million identities have been exposed – reached a peak of nine up one from the previous record of eight in 2013. The largest of these occurred at the end of 2015 when a wrongly configured database meant the identities of 191 million registered US voters were publicly accessible for about a week. Symantec said this meant the overall total number of identities exposed jumped 23% to 429 million. However, Symantec suggests this figure may in fact be much higher as it believes that companies are becoming unwilling to report cyber security breaches unless required to by law.

State-sponsored cyber-espionage

Symantec’s research shows that in 2015 , the services sector suffered more data breaches than any other industry, both in terms of the number of incidents and the number of identities exposed Symantec said. However, the reasons for the breaches varied when you analyse the data and look at industry sub sectors. The largest number of breaches took place within the health services sub-sector. In February 2015, 78 million patient records were exposed in a major data breach at Anthem, the second largest healthcare provider in the US. Symantec traced the attack to a well-funded attack group, named Black Vine, that has associations with a China-based IT security organisation, called Topsec. Symantec reported that Black Vine is responsible for carrying out cyber-espionage campaigns against multiple industries, including energy and aerospace, using advanced, custom-developed malware.

Cyber-insurance – no panacea

Lloyds of London, the world’s largest underwriter of cyber-insurance has estimated that cyber attacks are  one of the four emerging global threats which account for more than one fifth of the total GDP at risk. Both the Symantec and PwC reports highlight the rise of cyber insurance which PwC said was the fast growing insurance sector. While this may be good news for insurance companies, it adds to the overall cost of data breaches for those firms affected. Symantec reported that this year’s NetDiligence Cyber Claims study saw claims ranging up to US$15 million, while typical claims ranged from US$30,000 to US$263,000.

However, insurance may not always cover all cyber risks as even tech-savvy businesses are finding out to their cost. The message for boards and investors alike is clear – forget the Y2K ennui, as Tesco, TalkTalk and others have found to their cost: “this time it’s for real”.

Leave a Reply