Cybersecurity: A Pervasive Risk

In 2017, in the wake of the WannaCry ransomware attack, we argued that the event should be seen as a cybersecurity wake up call. Since then, cybersecurity risks have remained a source of uncertainty for most companies, driven by the increasing intensity, both in volume and impact, of cyberattacks. These risks are compounded by the continuous expansion of critical infrastructure (energy grids, utilities, hospitals) to digital platforms and the breadth of sensitive information that is housed in online servers. As a result, the pool of lucrative targets for malicious actors continues to grow. This is reflected in the notable rise in the number cyber insurance claims. According to a study by AIG, 2018 had the same number of cyber insurance claims as the preceding two years combined.[i]

Beyond the headlines

Since WannaCry, cyber risk has moved up the list of priorities with key international organizations as well as executive surveys flagging it as a critical business risk. Studies continue to show that the costs associated with data breaches remains significant. According to a study by IBM and the Ponemon Institute, the current average cost related to cybersecurity incidents is USD 3.92 million (Figure 1) and is highest within the healthcare sector (USD 6.45 million).[ii] The same report also notes that it took companies 279 days on average to detect and identify a data breach.[iii] This is not surprising when you look at the details of the major breaches in recent years. The breaches or system vulnerabilities at Equifax, Capital One, Google, Yahoo and Facebook were only identified months after the fact and in some cases, were not treated with the level of urgency required. According to a 2019 cyber risk perception survey, while prioritization of cyber risk has been elevated by companies since 2017, confidence in their ability to manage this risk has declined.[iv]

FY 2019 data reflects data collected between July 2018 and April 2019 according to the IBM Cost of Data Breach Study 2019

A complex risk equation

Data privacy and security governance remain tricky, especially for companies with expansive data supply chains, a perspective we sharedin a previous article. As data supply chains become increasingly complex, detection and mitigation are expected to be even more challenging from an enterprise risk management point of view. Since company systems do not operate in isolation, there are multiple channels for malicious actors to exploit – from employees to vendors to other third-party relationships that depend on a digital connection.

This new reality also means that breaches and associated costs are only one aspect of the risk equation. For example, annual losses as a result of cybercrimes were pegged at USD 500 billion in 2017 and have likely increased since.[v] This amount includes financial impacts from intellectual property (IP) theft, operational disruption and associated opportunity cost as well as legal liability from customers.

However, this is but one estimate, the risk and the losses could be much greater. Between 1975 and 2015 the proportion of enterprise value allocated to intangible assets among S&P 500 companies grew from 17% to 85%.[vi] Much of this intangible value is tied to IP as well as a company’s proprietary data assets. In the event a company is unable to identify a security vulnerability in its systems in a timely manner, blueprints on competitive strategies, intellectual property as well as confidential customer data could be extracted unbeknownst to the company.

Under the Radar

For investors, considering cybersecurity alongside traditional fundamental factors is key to developing a holistic understanding of company risks. In many cases, cyber risk may fly under the radar until there is a systemic failure, at which point it may already be too late to effectively mitigate the aftermath. In such scenarios, a company is likely to undergo significant market and regulatory scrutiny before it can even take steps to restore its credibility.

Sustainalytics has been examining how significantly data privacy and security can impact a company’s enterprise value. As part of our ESG Risk Ratings framework, when assessing the potential vulnerability of a company’s enterprise value to associated cyber risks, we consider factors such as the nature of a company’s data assets and its operating context (i.e., applicable regulations). For example, subindustries with companies that have sensitive data assets are deemed to have medium to high exposure to experiencing financially material impacts driven by the issue (Figure 2).[vii] This exposure is further refined at the company level using its specific operating context.

Building Cyber Resilience

The regulatory and market scrutiny associated with issues such as data privacy and cybersecurity are expected to increase, driven by the proliferation of ransomware, malware, phishing and new types of malicious attacks. For companies, such attacks can drastically impact productivity, bring down critical systems and result in residual damage that can take years to mitigate.

Cyberattacks are now part of the daily operating context and companies should plan accordingly. The key is establishing enterprise–wide cyber resilience to proactively manage gaps that could be exploited by malicious actors. It is important to remember that technology is only part of the answer. Even the most cutting edge enterprise–level cybersecurity solutions will not be able address deficiencies in employee training and functional oversight. At the end of the day, cybersecurity-related spending needs to be viewed as a long-term investment in business resilience as opposed to just another operating cost.