AllianceBernstein: Cybersecurity for Investors: Why Digital Defenses Require Good Governance
By Diana Lee
Hacker attacks and data breaches have pushed cyber and data security to the top of company agendas everywhere. Investors must get to grips with the governance issues and growing business risks as a digitally powered world grapples with the need for more secure defenses.
Cyber and data security is a hot topic across sectors. Ever-evolving threats are forcing companies to continuously evaluate their defenses and readiness—to help minimize the damage of a potential attack. Public statements of preparedness often overstate the actual level of defenses in place.
Despite company awareness, cybersecurity isn’t a high priority for many investors. We think that’s a mistake—especially since governance issues are an important component of an environmental, social and governance (ESG) focus. Unprepared companies risk financial losses, penalties and reputational damage that can undermine a business, brand and compromise a stock or bond’s return potential. We spoke with cybersecurity professionals across multiple fields and reviewed the regulatory landscape to provide guidelines for investors on assessing cyber-risk management.
Counting the Costs of Escalating Attacks
Cyberattacks are very costly. In the first half of 2022, at least 2.8 billion malware attacks were recorded globally, an increase of 11% over the previous 12 months, according to cybersecurity company SonicWall.
The cost of a data breach reached a record $4.4 million per breach on average globally in 2022, based on a study by the Ponemon Institute and IBM Security. Recovery costs vary depending on the sophistication of a firm’s systems, and whether remote work was a factor, which tends to increase the expense.
Some industries are more at risk than others (Display). Yet in today’s online world, no company is safe. Increased risk has prompted increased regulation. In the US alone, three new regulations were released in the past year: the SEC cybersecurity rule, the Cyber Incident Reporting for Critical Infrastructure Act, and the Ransomware and Financial Stability Act of 2021. Meanwhile, governments are on high alert as state-sponsored cyberattacks surged at the onset of the Russia-Ukraine war. In this evolving environment, companies can’t afford to ignore the problem.
What Are the Biggest Challenges for Companies?
Many companies are addressing the risks by shifting on-premise data centers and security to cloud-based solutions. The pace is accelerating as issuers with smaller cloud storage capacity migrate to better synchronize their systems. But cloud-based security raises new concerns. We’ve heard several common themes from cybersecurity professionals.
Building the Infrastructure: Organizations face two key dilemmas—choosing from a large swathe of security providers and vendors, and managing them. Creating a single dashboard to manage a network of diverse solutions, ranging from end point protection to cloud systems parameter solutions, is a common problem, says one vendor who installs different cloud security platforms. And with so many similar options available, some organizations are paralyzed; they take too long to get the perfect fit rather than establishing an initial infrastructure to update over time.
Monitoring, Training and Governance of Systems: After completing the infrastructure, companies need properly trained staff to monitor and run the systems, as well as a governance structure to maintain its integrity. Streamlining various internal systems and security vendor products takes time and resources, a challenge further complicated because many major security providers are active acquirers of smaller companies, which can throw products out of sync.
What defines a strong cybersecurity governance structure? First, we think a clear reporting structure to the board committee responsible for oversight is essential, with jargon-free reports that can be easily understood by directors without cyber expertise. Similarly, a simple matrix classifying “High, Medium, Low” risks is helpful, as well as reports on mitigation action and threat taxonomies. The general counsel, board and business managers should interact with the information security team more frequently as governance matures. Oversight must extend to the employees running and monitoring systems. And companies should be aware that the vendors they choose matter; services that are more common will have more professionals available to run the systems.
Rising Costs of Implementation/Resourcing: Many CIOs told us they are struggling with costs. In some cases, engineers can make a single change on one server that dramatically increase overall costs for an entire system over time. What’s more, many vendors do not clearly outline the rising costs of monitoring and maintaining a robust cybersecurity infrastructure. Checks on employee additions and a forward-looking infrastructure cost model can help avoid these pitfalls, especially at companies with fewer dedicated cyber resources. Cyber insurance costs are another factor; insurance benefits may be reduced when new vendors are added and systems are updated, or if coverage decreases. For example, Lloyd’s of London recently announced it will stop selling insurance for state-backed cyber-attacks.
How Can Investors Evaluate Cyber Risk Management?
Investors must ask the right questions and focus on budgets to gauge a company’s cyber-strategy and actions. How are cyber issues reported to the board? How are risks monitored and escalated? What types of system tests and response plans are being deployed? Are employees prepared for an attack?
Discussions with directors and management can yield important evidence of cyber proficiency. In recent engagements, we found that companies with a strong sense of the risks are more willing to discuss the topic and provide details on governance, reporting and training. Vague or standard responses could indicate that a company is less prepared for threats, lags peers—and is more vulnerable to attack. Cyber budgets offer important insight into strategy and action. Transparency on spending for cyber insurance, resourcing, vendors, or in-house build helps complete the picture.
Coherent Strategies for Complex Threats
As threats increase, companies must step up efforts to combat attacks and secure their data and systems. Small- and medium-capitalization companies may face greater risks, as many are relatively early in their cybersecurity journeys and have gaps in their systems that could attract attacks.
For companies of all sizes, investors should scrutinize cyber systems in place and dig deeper into the governance, resourcing and reporting on security. With coherent strategies in each area, companies will be more prepared to prevent and respond to cyber-attacks. By engaging with management regularly on these issues, investors will be better equipped to incorporate a company’s cybersecurity profile into a broader risk assessment of portfolio candidates and holdings.
Robert Keehn, Proxy and ESG Engagement Associate from AB’s Responsible Investing team, contributed to this analysis.
The views expressed herein do not constitute research, investment advice or trade recommendations and do not necessarily represent the views of all AB portfolio-management teams and are subject to revision over time.
Learn more about AB’s approach to responsibility here