Michaela Zhirova & Marjo Koivisto: Cyber-security is now an ESG issue

ESG-focused investors must start digging deeper into businesses’ cyber-vulnerabilities

3 minutes

Cyber-security is emerging as an increasingly significant ESG risk factor for investors to consider. The pace and scale of new technologies across different industries is expanding the cyber-attack surface that malicious actors can exploit, which will only increase as the trials and pilots for 5G accelerate.

Put starkly, the immense business opportunities brought on by digitisation can come with a multi trillion-pound price tag if corporates do not prepare adequately for cyber-attacks.

Such attacks – on both companies and governments – include infringement of privacy and confidentiality, expensive theft of data, compromise of system integrity and accessibility, as well as destruction of data. Despite cyber-attacks becoming both more frequent and more sophisticated at an alarming pace, businesses still seem to under-invest in cyber-risk management.

As cyber-attack identification, evaluation and elimination can take a long time and result in operational loss, the cost to companies continues to edge higher. This is evidenced by the NotPetya ransomware attack in 2017, which spread from Ukrainian servers to large global businesses – resulting in losses totalling more than $10bn (£8bn). Infecting companies in multiple industries, NotPetya infamously brought down logistics giant Maersk’s operations for more than 10 days.

Hotel chain Marriott was another company hit by a major cyber-attack, and the financial implications were severe. In July 2019, it was fined $126m in the UK, with further fines in Turkey and the US. In the month following news of the breach on 30 November 2018, Marriott’s share price plunged by 17%. Analysis shows investors do punish companies with data leaks, which should be a strong motivator for corporates to focus more on better cyber-security preparations.

Under our own scoring system, the most exposed sectors are largely industrials and manufacturing. These sectors score medium-high for exposure but get dragged down by the lack of investment in systems and expertise. Systems in the restaurant and leisure sectors also tend significantly to lack the necessary sophistication to meet the demands of processing sensitive customer data.

As it is not possible to be ‘bulletproof’ against cyber-attacks, businesses should aim to be sufficiently prepared to respond to potential cyber-breach incidents. In general, however, companies are underspending on cyber-incident preparedness. While it is challenging for companies publicly to disclose cyber-security spending budget, investors must ask for details.

Four factors of cyber-preparedness

As part of our research on the companies we invest in, we have developed a series of cyber-security preparedness questions, with the objective of understanding our cyber-risk exposure. We ask 17 questions, which are focused on identifying, governing, implementing and calculating material cyber-risk exposure. Specifically, we see four primary factors related to cyber-preparedness.

First is cyber-risk identification – and it should be a red flag if a company is unaware of the most material cyber-risks to its business. Business risk appetite needs to be tailored to awareness about its material cyber-risks and so a cyber-asset strategy has to be concretely established – for example, an asset such as a source code must be protected in a differentiated way from personal data.

Next, there is governance, as cyber-resilience should be a board level issue for companies. Privacy and data policies should have wide application, covering third parties, in which a minimum standard must be established in order to undertake any business. We prefer to see a quarterly check on cyber-skills at the board level.

Context is also key. Best practice is to be aware of the need for a stronger ecosystem on cyber-resilience, with knowledge sharing and collaboration on priorities with peers.

Finally, there is the implementation. Companies with best practice have solid incident anticipation and ‘damage control’ processes in place. As best practice, companies should have cyber-security integrated at the product level early in product development, while also managing cyber-assets and costs effectively.

Michaela Zhirova is a senior analyst and Marjo Koivisto is head of ESG quant at Nordea Asset Management

MORE ARTICLES ON