Will cyber security threaten the sustainability of returns for investors?
The way companies understand and manage cyber threats will have a significant impact on their value.
As technology widens its reach, we have become more connected, but also more vulnerable. Data being collected and stored could be used to both our benefit and our detriment. It is for this reason that companies need to be increasingly vigilant in protecting the integrity and privacy of data and systems.
While it may be costly for companies to implement processes and systems to adequately protect their data, not doing so could potentially be even more costly. News of data breaches can travel quickly and put a company’s reputation and financial stability at immediate risk. In this article, we explore the investment implications associated with a board’s understanding and management of their cyber risks and responsibilities.
7 reasons why data security matters more now than ever before
SMSF investors should and are becoming increasingly interested in data and cyber security for the following reasons:
- Technology is constantly changing and has an ever-widening reach.
- There is greater emphasis on privacy of data.
- Risks are relentlessly shifting and becoming more complex.
- Ever-increasing numbers of records and inter-connectedness mean a greater number of people will be affected by breaches.
- It is impossible for companies to be prepared for all attacks.
- News of breaches travels fast and has an instantaneous impact on reputation and demand for a company’s products or services.
- The costs of prevention and remediation of data security breaches are rising
What can go wrong?
Our research into the issue of cyber-security highlighted the large number of ways systems and data could be compromised. While it is not possible to discuss all potential internal and external threats here, it appears 90% of breaches can be put down to the actions of people.
The data most often targeted relates to the personal information, bank and credit card details, and passwords of customers. Thieves can use stolen data for financial gain; either by embarrassing and then extorting those exposed, or by using the data to access tax refunds or to apply for new loans and credit cards. It is also evident that an increasing number of data records are being affected. Companies running essential infrastructure are also vulnerable to cyber-attacks as hackers could wreak havoc with transport, energy and water services.
The physical, financial and reputational implications of an attack on a company’s technology data and systems will, to a large extent depend on how prepared the company is for an attack.
Cyber security is a governance issue with real financial implications. Understanding the potential magnitude of financial losses helps companies prioritise the management of these risks, with those potentially causing the biggest damage to the business requiring the closest attention.
There are various estimates with regard to the financial cost associated with data and cyber-crime. Average loss for a breach of 1,000 records is forecast to be between A$52,000 and A$87,000 with larger companies suffering higher losses per breach.
- Data released by NetDiligence in 2013 showed the median claim payout for incidents that occurred between 2010 and 2012 was US$242,500 and the average was US$954,253.
- When Telstra released its first Cyber Security Report in 2014, based on data gathered through its network, partners and interviews, it found 41% of organisations surveyed had experienced a major cyber security incident during the past three years. It also found 45% of internet security incidents were as a result of staff clicking on malicious attachments or links within emails.
- In December 2014, The Age newspaper reported that “cyber-attacks are costing large Australian enterprises an average of $8.3 million a year, but the real costs could be much higher”.
- A study sponsored by HP Enterprise Security, the US-based Ponemon Institute questioned 30 large Australian organisations on their experience with cyber-attacks. It found that each organisation was the victim, on average, of 1.6 successful attacks every week. Ponemon calculated the average annual cost for organisations across all industry sectors at A$4.3 million. Companies in the energy and utilities sector had the highest average cost at A$8.3 million while the retail sector had the lowest at A$1.4 million annually. The study found business disruption was the largest component of the external cost of breaches (40% of the total) followed by information loss (29%) and revenue loss (25%).
Cyber threats are real and significant, especially as the reliance upon technology increases. The way companies understand and manage these issues today will have a significant impact on their value and ability to generate sustainable returns for investors over the long-term.
As companies have the potential to understand, reach and service their customers better, many senior leaders see big data, digital transformation and disruption as a significant source of value to their companies. However, with these great opportunities come significant risks. How a company answers questions about cyber security provides valuable insights into the general quality of the company’s governance and risk management. To date, few companies have addressed the issue of cyber and data security in their communication with investors. This will need to change as we know the real impact on company value is no longer driven by its access to data sets, but rather by how efficiently the company captures, manages, understands, leverages and protects that data.
About the author
Karin Halliday was appointed to her current position with AMP Capital in May 2000. She is responsible for determining how AMP Capital votes on behalf of the firm and its clients at all meetings held by the Australian companies in which AMP Capital invests. In doing so, Karin also monitors various aspects of corporate governance in many Australian companies.