Seth Berman at Stroz Friedberg on how hackers can damage equity value.
The ability to accurately assess risk is at the very heart of the fund management sector, where investment performance is the undisputed criterion for success. Well-balanced portfolios, backed by a deep understanding of markets and investee companies, are just some of the factors that allow star managers to outshine their peers. But a new risk is emerging that could impact performance and even threaten the survival of some firms.
Cybercrime is on the rise, with corporates across a wide range of sectors suffering data breaches, often leading to the loss of customer and staff personal information, credit card details, intellectual property, corporate client data or even hard cash. The abrupt closure of Code Spaces, a successful cloud storage and project management services company, which counted Oracle and FedEx as clients, serves as a salutary reminder of these risks. Hacked by an “unauthorised person”, the company ceased trading within hours of its refusal to meet extortion demands.
Leaving the profit and loss account to pick up the pieces after a cyber security incident is no longer an option. Recent cases have shown that an attack has the potential to significantly affect share price, reputations and executive careers. In response, investors must develop strategies to identify and assess such emerging risks and work with senior executives to reduce the likelihood of a breach impacting long-term value.
Equity holders should satisfy themselves that companies are committed to carrying out regular, detailed cyber security assessments of their IT systems. The review must be tailored to the organisation in question, its business, its unique risk landscape and its particular use of data. This will commonly include an analysis of the company’s data profile, the kind of attacks experienced by similar companies, as well as the type of information already in the public domain about the industry risks and potential adversaries. Each review is likely to highlight different types of security risks, depending on the business environment in which a company operates.
A security assessment will examine existing systems in depth, including the nature of the IT and security infrastructure, the type of data the company holds, the location of that data and how its systems and infrastructure are defended. The review will also examine the nature and depth of understanding within the organisation about existing security policies.
Importantly, a thorough security assessment will also review an organisation’s defences against the most insidious and most common adversary – attacks from within. It is estimated that at least 60% of data breaches are caused by insiders. In addition to potential malicious insiders set on revenge or seeking financial gain, corporates must focus on the ways in which staff inattention can cause a breach, for example by staff accidentally activating viruses or malware by clicking on links in emails, or using easy-to-guess passwords. This type of behaviour is not only a problem among low-level employees. Stroz Friedberg’s On the Pulse: Information Security Risk in American Business survey suggested that the problem of careless behaviour as a potential source of a cyber attack is greater for those at the top of an organisation.
Investors and their advisers must ensure current and future cyber risks are understood and factored into the equity valuation. In parallel, the responsibility is firmly on directors and their boards to recognise their governance obligations by strengthening corporate cyber resilience.
Seth Berman is executive managing director and UK head of Stroz Friedberg
©2014 funds europe