Staying ahead of the cyber threat

Recent high-profile attacks globally have underlined the paralysing effect that hackers can have even on large, seemingly sophisticated organisations. As investors, we take cybersecurity very seriously and are assigning an increasing weight to this issue in our analysis and company engagement.

12 June 2017

Lay of the land

Risk is clearly more concentrated in some industries (think banking or e-commerce for example) than others, but no business is immune to significant operational and financial damage.

With the stakes so high, companies that collect and store sensitive private information have to allocate increasing resources to safeguarding it.

Regulatory change is on the way, including the European Union (EU)’s much-discussed General Data Protection Regulation (GDPR), due to come into effect in 2018. This is widely perceived to be the most stringent regulation to date, with hefty fines (up to 4% of annual global turnover) for non-compliance.

The challenge

Knowing the robustness of a company’s defences, and processes in the event of an attack, is critical, but often difficult for investors to assess. In the arms race of cybersecurity the quantum of spend is clearly important, but can give a false sense of comfort. Likewise, meeting security standards such as ISO, while reassuring, may not be adequate given the rapid pace of change.

Quality is the operative word. Not only do we want to know where responsibilities lie, but also that the scenario-planning that businesses conduct includes real tail-risk situations. The problem, of course, is that a business may not, beyond generalities, want to reveal its activities on this front in any great detail, out of fear of sharing information that can be exploited by hackers.

The recent assault affected computers in the UK’s National Health Service (NHS), Russia’s interior ministry, and many large corporations. Security firms suggested that the majority of affected machines globally were running Windows 7 and had not had a patch applied that was issued in March.

What we are doing

Engagement is an important tool for investors. Since last year we have been part of the steering committee of a collaborative initiative by the Principles for Responsible Investment (PRI) on cybersecurity that will commence this summer. This project will help us get an even better handle on best practice and enhance our own company-level analysis.

Cyber-related risks are not easy to price in, with statistical modelling poor at handling such threats. What we can do though is to think creatively – examining the losses suffered by comparable businesses – and stress-test company financials for a range of scenarios. Businesses with really strong competitive moats and a history of customer loyalty should – in theory – be able to recover from attacks but, even for these companies, there may be situations where trust takes a dramatic and lasting knock.

This information is issued and approved by Martin Currie Investment Management Limited (‘MCIM’). It does not constitute investment advice.

The web article does not form the basis of, nor should it be relied upon in connection with, any subsequent contract or agreement. The information contained has been compiled with considerable care to ensure its accuracy. No representation or warranty, express or implied, is made to its accuracy or completeness. Martin Currie has procured any research or analysis contained in this article for its own use. Any opinions expressed are those of the named managers and subject to change without notice. They may not necessarily represent the views of other Martin Currie managers, strategies or funds.