Digital data has grown exponentially in recent years, spurred by increased penetration of mobile devices and consumption of online services. The rapid expansion in the volume of data companies store, many of which are relatively new to data management and security, has attracted cyber criminals employing increasingly sophisticated tools and techniques. Cyber crime costs global companies around 60% more than it did only five years ago, whilst in the US that number has risen by over 80% (see Fig 1). No company can afford to ignore the threat, and regulators are stepping up enforcement actions. Those enforcement actions, however, are only the tip of the iceberg that the problem represents.
Figure 1: Cyber costs are increasing
Source: ico.org.uk, Accenture & Ponemon Institute's 2017 Cost of Cyber Crime Study, Cisco Global Cloud Index
What does cyber risk mean?
Cyber risk is a broad term. For most people, it represents the risk of loss or harm from breaches of, or attacks on, information systems. That loss can take many forms, including direct financial costs, reputational damage or loss of operational continuity. Recent high-profile breaches (WannaCry, Petya, Equifax etc.) have served to further raise awareness of the issue, in turn attracting regulatory scrutiny. Data privacy is commonly associated with cyber risk, and is a centrepiece of the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. That law has become a de facto global standard: it clarifies and expands upon what sensitive data entails and who holds the usage rights, and it assigns companies the responsibility to keep customer data safe, with high fines if they fail to do so.
Why should investors care?
Cyber is an increasingly critical source of business risk, especially for companies with important intangible assets such as brands, customer relationships or technology. The negative impact a data breach can have on a brand links straight to a company’s competitiveness, future revenues and future cash flows. Data breaches often uncover poor governance practices and weak management; changing people or policies is quick, but re-establishing market and customer trust takes much longer.
An engagement approach
In our view, investors should focus on understanding how well a company prepares for cyber events. The depth of its approach should give confidence that when (not if) a breach occurs, processes and resources are in place to minimise the impact on operations and on its ability to create value.
Building that understanding means going beyond a formulaic assessment of policies. We believe direct company engagements are the best way to gain insights. We have delved into the topic focusing on a few main areas:
- Governance: how well is cyber risk understood by the board?
- Expertise: does the company have the internal capabilities to manage cyber risk? Is it drawing on specialist skills from outside the organisation?
- Technological: has the company adopted best practices from a technical standpoint?
Recognising that cyber risk is relevant to many business models, we have engaged with Chief Information Security Officers (CISOs) or Data Protection Officers (DPOs) at numerous companies Schroders invests in, across sectors such as financial services, technology and telecoms.
Main findings: expertise and board responsibility
Our direct and detailed engagements have allowed us to identify where the material information lies, and to better understand the strengths and weaknesses at a company level. We believe the key areas are:
- Expertise: it is critical that the company has a well-resourced and specialised cyber security team, managed by a CISO/DPO who reports preferably to the CEO or the board. The security team should also draw on specialised external expertise on a regular basis to stay on top of new threats and security tools. Internally, the team should have direct ownership of specific technical tasks such as penetration testing, security patching etc.
- Board level responsibility: the board should have specific expertise to evaluate whether the company has the appropriate operational and managerial resources to mitigate cyber risk.
The analysis of a company’s level of expertise and board responsibility provides our analysts and fund managers with a basis on which to structure their questions of management teams, and to benchmark responses against peers.
In addition, the engagements have changed our understanding of a few areas usually thought of as important, but which most companies disregard. For instance, our discussions highlighted the weaknesses of focusing on ISO27001 (an IT standard that best-in-class companies implement internally), on cyber insurance (current products offer limited coverage) and on cyber/data protection policies (while important for compliance purposes, they appear less helpful in actually managing cyber risk).
Conclusion: targeted engagement
Cyber is an increasingly important risk for every organisation. As investors, we need to gain a deeper understanding of how well the companies held in our clients’ portfolios are prepared to manage this risk. We believe targeted company engagement is the most effective way to gain insights into key areas such as top-level risk governance and technical expertise, where investors might be able to identify unsuitable practices before their consequences materialise.
This document is issued by Schroder Investment Management Australia Limited (ABN 22 000 443 274, AFSL 226473) (Schroders). It is intended solely for wholesale clients (as defined under the Corporations Act 2001 (Cth)) and is not suitable for distribution to retail clients. This document does not contain and should not be taken as containing any financial product advice or financial product recommendations. This document does not take into consideration any recipient’s objectives, financial situation or needs. Before making any decision relating to a Schroders fund, you should obtain and read a copy of the product disclosure statement available at www.schroders.com.au or other relevant disclosure document for that fund and consider the appropriateness of the fund to your objectives, financial situation and needs. You should also refer to the target market determination for the fund at www.schroders.com.au. All investments carry risk, and the repayment of capital and performance in any of the funds named in this document are not guaranteed by Schroders or any company in the Schroders Group. The material contained in this document is not intended to provide, and should not be relied on for accounting, legal or tax advice. Schroders does not give any warranty as to the accuracy, reliability or completeness of information which is contained in this document. To the maximum extent permitted by law, Schroders, every company in the Schroders plc group, and their respective directors, officers, employees, consultants and agents exclude all liability (however arising) for any direct or indirect loss or damage that may be suffered by the recipient or any other person in connection with this document. Opinions, estimates and projections contained in this document reflect the opinions of the authors as at the date of this document and are subject to change without notice. 
“Forward-looking” information, such as forecasts or projections, are not guarantees of any future performance and there is no assurance that any forecast or projection will be realised. Past performance is not a reliable indicator of future performance. All references to securities, sectors, regions and/or countries are made for illustrative purposes only and are not to be construed as recommendations to buy, sell or hold. Telephone calls and other electronic communications with Schroders representatives may be recorded.