In focus

How cyber risk has changed post Covid

It might not be surprising that cyber criminals have taken advantage of coronavirus and the rush to remote working. The age of cyber warfare was upon us even before the crisis.

New research suggests online fraudsters are boosting their attacks at an alarming pace, and it’s thought multimillion dollar ransoms could be at stake.

Interpol, the inter-governmental organisation which helps police in 194 member countries, has assessed cyber crime since the Covid-19 pandemic. It has reported that criminals have shifted their targets to big firms, governments and infrastructure.

Meanwhile PwC’s Threat Intelligence team found that by 20 May this year more than 150 organisations globally had their data published on leak sites. More than 60% occurred after 11 March when the World Health Organisation first declared the Covid outbreak to be a pandemic.

Garmin, the smart-watch maker, camera-maker Canon, and technology giant Intel are among recently-reported victims of hacking.

Andrew Howard, Global Head of Sustainable Investment at Schroders, says the crisis is “accelerating a shift in business models, which exacerbates the threats”.

He adds: “Our own analysis shows increased cyber attacks registered by US enforcement agencies, for example. Failure to manage that risk could prove fatal to companies in a world where regulations and fines for breaches are becoming punitive.

“As an active investor, we will continue to actively question those we believe are falling short of expectations.”

Our Sustainable Investment Analyst Ovidiu Patrascu explains in more detail.

Why should investors care about increased cyber attacks?

"Cyber is an increasingly critical source of business risk, especially for companies with important intangible assets such as brands, customer relationships or technology. The negative impact a data breach can have on a brand links straight to a company's competitiveness, future revenues and future cash flows.

"Data breaches often uncover poor governance practices and weak management. Changing people or policies is quick but re-establishing market and customer trust take much longer."

How does targeted company engagement help tackle cyber crime risks?

"In our view, investors should focus on understanding how well a company prepares for cyber events. The depth of its approach should give confidence that when (not if) a breach occurs, processes and resources are in place to minimise the impact.

"Building that understanding means going beyond a formulaic assessment of policies. We believe direct company engagements are the best way to gain insights. We have delved into the topic focusing on a few main areas – governance, expertise and technology. We have engaged with Chief Information Security Officers (CISO) or Data Protection Officers (DPOs) across sectors such as financial services, technology and telecoms."

What should companies be doing to minimise risks of cyber crime?

"It is critical that the company has a well-resourced and specialised cyber security team, managed by a CISO or DPO, preferably reporting to the CEO or the board. The security team should also leverage specialised external expertise on a regular basis to stay on top of new threats and security tools. Internally, the team should have direct ownership of specific technological tasks such as penetration testing, a simulated cyber attack.

"The board should have specific expertise to evaluate whether the company has the appropriate operational and managerial resources to mitigate cyber risk."