Cyber Security – An Investor Issue for the 21st Century
In a blog written for the forthcoming “PRI in Person” investors’ conference in London on 8 September, ISAFE’s Chief Executive Richard Knowlton explains the critical issue of cyber security, the complex cyber threat environment, and the implications that follow for companies and their investors.
“Cyber” is widely used as an adjective to describe a range of issues related to Information Technology (IT) networks and systems – cyber landscape, cyber threat, cyber attack, cyber security etc.
The extraordinarily rapid development of these networks now touches every aspect of our lives. While its impact is overwhelmingly beneficial, our increasing dependence on cyber technology creates vulnerability.
This is because the cyber pioneers who developed the worldwide web were idealists. They never developed their systems with security in mind – in fact, they deliberately kept them as open as possible.
Unfortunately, there are plenty of others with an interest in subverting the Internet. They do this to steal, to damage or even to destroy. They are state security agencies, criminals, terrorists or others with an agenda.
Private companies have been slow to grasp the implications.
Too many firms still make the fundamental mistake of seeing cyber risk management as a technology issue, best left to their IT managers.
This is understandable, since IT specialists – with all respect – are not always the best people to explain complex technicalities to a lay audience.
As a result, many Boards are happy to delegate issues that they don’t fully understand.
Under pressure to do something to mitigate a “technology risk”, they have thought it enough to invest in expensive software designed to keep attackers out.
Meanwhile the attackers – as often as not – are already inside the company’s systems. They use software and social engineering techniques originally described as “advanced persistent threats” (APT), but which are now standard elements in the attackers’ toolkit.
These sophisticated attack methods – once the sole preserve of nation states – have proliferated and are freely available on the Internet. They are relatively cheap to buy and can be re-used multiple times, providing criminals with a highly attractive business model – especially as the chances of prosecution by law enforcement are negligible.
But it’s really important to remember that the vast majority of cyber attacks succeed not because of technical failures, but because of the action or inaction of employees inside the companies concerned – the so-called “insider threat”.
Some of these people have malicious motives. But most will simply have done something as apparently innocuous as clicking on a link in an email.
By doing so, they have unwittingly downloaded malicious software on to their firm’s IT systems. This “spyware” gives the attacker the ability to take control of the victim’s systems.
It’s worth noting, too, that a cyber breach is not necessarily the same as a data breach.
That may be the main risk for a company with retail customers, for example. But even those firms will have broader concerns about possible damage from cyber risk, including financial loss through fraud, business interruption, damage to property, and theft of intellectual property.
These concerns increase still further with the arrival of the Internet of Things, described in Wikipedia as “allowing objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for more direct integration between the physical world and computer-based systems, and resulting in improved efficiency, accuracy and economic benefit”.
Who is liable if hackers take control of a car management system and cause a serious accident, for example? Or if they manipulate the energy supply to a city?
Implications for companies and their investors of the complex cyber threat environment
Let’s turn to the implications for companies and their investors of this complex cyber threat environment.
The first point is that companies must not treat “cyber security” as some kind of black art incomprehensible to non-specialists and quite distinct from other aspects of security.
As I explained earlier, most successful cyber attacks do not result from technology failures. They rely on the careless, possibly stupid or even malicious actions of employees or insiders.
To meet such a complex range of threats, Boards must ensure that their technical and corporate security functions are working to a common strategy and a single set of priorities.
Equally important, security must report to a single person who takes overall responsibility for all security issues at the Executive Committee level. This is essential to ensure alignment of strategy, budget and priorities.
I have heard (often fiercely expressed) differing views on precisely where the security function should sit in a company organisation. I will not go into that subject here, except to say that in my view, security should not sit under Finance, HR or Technology, all functions which security may need to challenge.
And at the Board level? Should the Board appoint a member with knowledge of cyber security issues to advise them?
I think that this will depend on the company’s assessment of the risks that it faces. There is certainly a move in the U.S. to appoint non-executive directors with the knowledge and experience to provide independent advice.
The second implication follows very closely from the first.
The UK Government’s latest annual breach report shows that 81% of large businesses and 60% of small businesses suffered a cyber security breach in 2014.
Of course, this statistic only reflects those who actually knew that their defences had been successfully defeated…!
Meanwhile the World Economic Forum’s 2015 report on Global Risks firmly positions the cyber threat as a major risk in terms of likelihood and of impact. The WEF recognises it as one of the top commercial risks, along with geopolitics, the environment, and the economy.
My point here is that cyber risk is now an existential threat to every business in every sector, whether retail (customer data), technology (intellectual property) or any other.
This means that Boards cannot afford simply to leave the issue to their security professionals.
We have to accept that a cyber breach is inevitable and that responding to it will require a detailed and carefully prepared plan involving a wide range of departments, including Commercial, Legal, Finance, HR, and Internal & External Comms.
This means that dealing with cyber threats must be a key element of every company’s enterprise risk management process.
It also means that as with other types of business interruption, the company must be well-prepared to manage sudden incidents. If it is not, the reputational damage – let alone more tangible forms of loss – may be devastating.
Boards are belatedly waking up to this: in 2014, 88% of FTSE 350 companies included cyber risk in their strategic risk report, up from 58% in 2013.
But responsible investors have a key role in ensuring that Boards of Directors in the companies where they are investing are managing cyber threat issues in a consistent, practical and effective way.