Stepping up governance on cyber security

Cyber security risk is real and pervasive, as demonstrated by recent attacks that have put the frighteners on big banks, web service providers, the UK’s National Health Service and even the US intelligence community.

The World Economic Forum’s latest report on global risks yet again ranks cyber as one of the top five risks to businesses, reaffirming the need for company boards to prioritise this issue.

From an investor’s perspective, the business case to engage with companies on this topic is clear-cut. There are many forms of cyber security threats (see below) and related incidents can cripple business operations, materialise into legal and regulatory risks and have adverse impacts on portfolio company valuation and earnings (see Appendix 1 for a chart from CSO that quantifies the damage caused by breaches for companies, insurers and users or account holders).

In fact, a CGI-Oxford Economics study found that a serious cyber security incident could cause an average permanent decline of 1.8% in a company’s share price. It is therefore critical for investors that companies acknowledge cyber security-related risks and demonstrate through their reporting robust measures to mitigate these risks. However, corporate reporting on this topic often falls short of these expectations, creating difficulties for investors to draw conclusions around how companies are positioned to identify, manage and remediate a potential cyber security breach.

To better understand this, and to improve company disclosure on cyber security governance and processes, 53 institutional investors representing more than $12 trillion in AUM are collectively engaging with global companies in the healthcare, financial, consumer goods, information technology and communications.

This report and the underlying research findings will support and inform the engagement dialogue. The research evaluated the public disclosure of 100 companies on cyber security, covering 14 indicators on aspects such as policy, governance and flow of communication, access to expertise, training and assessment, and other procedures.

Key cyber threats

The European Union Agency for Network and Information Security (ENISA) identified notable cyber threats in its 2018 threat landscape report. These include:

Malware, one of the most frequently encountered cyber threats, is malicious software that is designed to exploit a computer or mobile device without consent.
Web-based attacks use web-enabled systems and services such as browsers, websites and the IT components of web services and web applications. They are commonly combined with malware campaigns. Examples include web browser vulnerabilities and malicious URLs.
Web application attacks are directed at web applications, web services and mobile apps.
Phishing attacks use social engineering to trick end users into clicking on a malicious link or download an attachment, which then allows the attacker to access credentials and install malware.
Spam has been one of the most prevalent means for delivering malware.
Denial of Service (DoS) attacks overwhelm servers, systems or networks with traffic, preventing it from being used by legitimate users. A distributed denial of service (DDoS) attack uses multiple infected devices to flood a targeted system.
Ransomware is a type of malware which is designed to block access to user files or the computer until a ransom is paid.
Botnet consists of interconnected devices that have been infected with malware and controlled remotely by a cyber criminal. They are used for spam campaigns and DDoS attacks.
Insider threat can arise when an insider uses his/her authorised access to jeopardise the security of their organisation deliberately or inadvertently.
Physical manipulation/damage/theft/loss of devices can cause a data breach, such as drilled ATMs and stolen smartphones.