Investors need to be aware of the rising risk of cyber-attack so that it can be taken into account when evaluating a company.
In this article, Jeroen Knol from our European Equities team and Felipe Gordillo from the Sustainability Centre discuss how we assess the strength of business models and corporate governance with regard to cyber-security challenges.
Lack of transparency clouds cyber-security risk
Assessing the risk is not straightforward. There are no universal standards or metrics. What is more, companies may only recognise some of the risks and it may not be in their interest to publicise where their cyber risks lie.
Data on spending on cyber risk protection is seldom disclosed fully. With firms increasingly taking cyber-liability insurance, it can be hard to assess the size and nature of the residual cyber risk.
According to the Gartner agency, global cyber-security spending in 2018 amounted to an estimated USD 114 billion, up 12.4% from 2017, indicating that cyber-security is being taken increasingly seriously. Nonetheless, the global cost of cyber-crime, estimated in 2018 at USD 400 billion to USD 3 trillion, by far outweighs any spending on preventive measures.
Assessing cyber-security risks
At BNP Paribas Asset Management, we first examine a company’s cyber-security strategy and its implementation. Secondly, we focus on governance, expecting companies to be able to identify the key people responsible for remedial actions and for overseeing this process.
Our research benefits from good access to company executives and different levels of management. We also study direct competitors within a given sector to learn about their cyber risks and take a view on the cyber-risk sensitivity of the industry.
At an industry level, the risk may be lower in relatively low-tech companies such as beer brewers than in a bank or an IT company whose business is based on technology and/or customer data. However, investors should be under no illusion; the risk is omnipresent.
Studies have found that the sectors most likely to be attacked include healthcare, which represents a source of sensitive customer data; financial services, which handles large amounts of private information; and energy, where hacks can cause power outages.
As manufacturing and process-driven industries adopt internet-enabled technology, we can expect these businesses to face an enhanced cyber risk.
The influence of industry structure on a company’s ability to withstand cyber risk
We believe well-structured industries – ones that face less competition and have more pricing power – are more able to pass on the cost of cyber risk prevention to customers. Their higher level of profitability also allows them to absorb the costs of cyber-security, which can include compliance fines and court fees, measures to repair the damage to a company’s image or brand, and a step-up in investment in tools and staff/identity theft prevention after an attack.
Furthermore, cyber-security might increasingly act as an argument for consolidation or as a barrier to entry as smaller companies are considered more vulnerable to cyber risk and tend to lack the huge IT budgets of large peers.
Some key questions to help determine the quality of a company’s practices
- What are the key cyber-security risks currently? How have these changed over the past few years?
- How are staff being made aware of, and trained for, cyber risks?
- By what percentage do you expect cyber-security costs to rise over the next three years?
- Have you taken out insurance cover against cyber risk and what is the residual risk and estimated potential damage?