Cyber-attacks can hit investors and other stakeholders hard. Leaks, compromised customer data, denial-of-service attacks or file destruction can disrupt operations, lose client trust and lead to tougher legislation.
The rising risk of cyber-attack is important for investors to be aware of so it can be taken into account when evaluating a company.
In this article, Jeroen Knol from our European Equities team and Felipe Gordillo from the Sustainability Centre discuss how we assess the strength of business models and corporate governance with regard to cyber-security challenges.
Assessing the risk is not straightforward. There are no universal standards or metrics. What is more, companies may only recognise some of the risks and it may not be in their interest to publicise where their cyber risks lie.
Data on spending on cyber risk protection is seldom disclosed fully. With firms increasingly taking cyber-liability insurance, it can be hard to assess the size and nature of the residual cyber risk.
According to the Gartner agency, global cyber-security spending in 2018 amounted to an estimated USD 114 billion, up 12.4% from 2017, indicating that cyber-security is being taken increasingly seriously. Nonetheless, the global cost of cyber-crime, estimated in 2018 at USD 400 billion to USD 3 trillion, by far outweighs any spending on preventive measures.
At BNP Paribas Asset Management, we first examine a company’s cyber-security strategy and its implementation. Secondly, we focus on governance, expecting companies to be able to identify the key people responsible for remedial actions and for overseeing this process.
Our research benefits from good access to company executives and different levels of management. We also study direct competitors within a given sector to learn about their cyber risks and take a view on the cyber-risk sensitivity of the industry.
Studies have found that the sectors most likely to be attacked include healthcare, which represents a source of sensitive customer data; financial services, which handles large amounts of private information; and energy, which can suffer hacks to cause power outages.
As manufacturing and process-driven industries adopt internet-enabled technology, we can expect these businesses to face an enhanced cyber risk.
We believe well-structured industries – ones that face less competition and have more pricing power – are more able to pass on the cost of cyber risk prevention to customers. Their higher level of profitability also allows them to absorb the costs of cyber-security which can include compliance fines and court fees, measures to repair the damage to a company’s image or brand and a step-up in investment in tools and staff/identity theft prevention after ab an attack.
Furthermore, cyber-security might increasingly act as an argument for consolidation or as a barrier to entry as smaller companies are considered more vulnerable to cyber risk and tend to lack the huge IT budgets of large peers.
This article has appeared in The Intelligence Report – 17 July 2019
To find out more about our investment strategies, click here >
