The rise of tech-enabled companies
The ever-evolving state of technology has enabled companies from all corners of the economy to modernize and adapt to better service their clients. The ability to deploy technology solutions across the connected world marks both an opportunity to modernize and another important risk to be managed. Restaurants adding self-service ordering kiosks, large retailers turning their focus to e-commerce, and electric utilities implementing smart grid software are just a few examples of a long-term trend; the rise of tech-enabled companies.
In contrast to the traditional understanding of what a technology company is, such as giants like Apple, Microsoft or IBM, a tech-enabled business is one that leverages the latest technology available to improve an existing market. Businesses leveraging such technology are able to chase higher efficiencies in mature markets by offering a better user-experience, increase convenience, and in some cases, establish additional revenue streams by reaching new consumers.
However, as companies from all sectors and regions try to capitalize on the opportunities generated by technological developments and digitalization, an unintended consequence is higher vulnerability due to the increasing risk of experiencing a cyber-attack.
Over 2,200 cyber-attacks take place each day1. Just in April 2024, two major cybersecurity events seized investors’ attention. First, malware was added to Linux, an open-sourced operating system that runs on virtually all internet servers, but luckily a curious engineer detected and stopped the attack before it could cause widespread damage2. Second, Change Healthcare, part of UnitedHealth Group which is the largest U.S. health insurer, was hacked and allegedly lost more than six terabytes of data, including medical records, costing the company USD $872M in “unfavorable cyber-attack effects”3.
The costs of a cyber-attack
The immediate direct financial impact of a cyber-attack can be undeniably substantial, including costs such as network downtime, investigations, security enhancements, enhanced customer support, legal fees, settlement payouts, and even potential ransoms.
However, once the dust settles, the actual costs of such an attack often extends beyond these monetarily quantifiable damages. If a cyber-attack erodes customer trust in a company’s offerings, in the long-term, the cost of restoring customer confidence and re-establishing a corporate reputation of prudent data security risk management may significantly surpass the initial operational and legal expenses.
In parallel, remote work has made it easier for hackers and cybercriminals to crack enterprise networks. Add to this the advancement in artificial intelligence (AI) models and the imminent rise of quantum computing (which hypothetically could break the present encryption practices deployed across the internet4) and it all underscores the financial materiality of cybersecurity risks to businesses.
In 2023, there were around 343 million victims of cyber-attacks worldwide, driven by a 72% increase in data breaches from 2021-20235. The impact of global cybercrime, which may include loss of data, money stolen, fraud and reputational harm, costs the global economy trillions of dollars each year. Cybersecurity Ventures forecasts that number to be USD $9.5 trillion globally in 2024, up from $3 trillion USD in 20156. By comparison, the annual GDP of the Canadian economy was USD $2.16 trillion in 20227. The effects of cybercrime drive other meaningful changes across the economy, including the job market where there is set to be an expected stock of 3.5 million unfilled cybersecurity jobs in 20248, or even the cyber insurance market, which is predicted to hit USD $14.8 billion annually by 20259.
As a result, the key question becomes: How can investors more effectively assess and manage the cybersecurity risks inherent in their holdings and portfolios?
Overlooked sector risks and industry best practice
Businesses’ financial risks are usually reflected in their balance sheets, income statements, and other financial statements. Non-financial risks, such as cybersecurity, arise from the firm’s operations and are harder to track and assess. Investment managers traditionally leverage industry frameworks and best practices to better assess such non-financial risks.
An example is the Sustainability Accounting Standards Board (SASB) Materiality Map, which identifies financially material issues on an industry-by-industry basis10. Among the issues identified by SASB is cybersecurity; in particular, it views customer privacy and data security as significant business issues in industries such as telecommunication services, commercial banks, health care delivery, among others.
However, there appears to be an industry-wide gap in adequately recognizing cybersecurity risks across all industries. While SASB, and frankly most other industry-accepted frameworks, recognize cybersecurity risks in sectors like Information Technology (IT), Banking, and Healthcare, according to IBM Threat Intelligence, Manufacturing is the industry most targeted by cyber criminals, with Finance, Professional Services, Energy, and Retail completing the top five most targeted industries11.
Share of cyber-attacks by industry in 2023
Industry | 2023 |
|---|---|
Manufacturing | 25.7% |
Finance and insurance | 18.2% |
Professional, business and consumer services | 15.4% |
Energy | 11.1% |
Retail and wholesale | 10.7% |
Source: IBM Security X-Force Threat Intelligence Index 2024
Given the fast adoption of new technologies, such as the internet of things (IoT) and AI, the need to recognize cybersecurity as a financially-material risk across all industries and regions has never been greater. In an increasingly connected world, these risks need to be recognized and managed by investors.
What can companies and investors do?
Similar to other sustainability issues, companies should establish proper assessments of cybersecurity risks, develop processes and policies to ensure adequate management of assessed risks, integrate oversight and responsibility within enterprise risk management and governance functions, and disclose progress to investors through public reporting. Companies should ideally conduct risk assessments or audits on a recurring basis and pursue certifications on their information security management systems, such as ISO 27001.
Holistic assessment is needed as investors might be overlooking this critical risk in several industries. New metrics and data sources are emerging that allow investors to better assess holdings’ cybersecurity exposures for more industries. Companies now periodically report the amount of personal data they collect, their exposure to evolving or increasing privacy regulations, data breaches, and their systems for protecting personal data.
Investors can encourage their investee companies to pursue these steps and adequately manage cybersecurity risks. At BMO GAM, we make public our Expectation Statements on Environmental, Social and Governance Practices. Core to our expectations is that companies should have board-level oversight of internal controls and all material risks, including ESG risks such as climate change, cybersecurity, and consumer protection.
In 2023, along with our third-party engagement service provider Responsible Engagement Overlay (reo®), we discussed cybersecurity or data security in various engagements with investee companies in different industries and regions. The discussions included topics surrounding certifications on information security, encouraging more disclosure on assessments, and enhancing privacy policies relating to user information. As technology continues to progressively permeate every aspect of our daily lives, we foresee a significant expansion in our cybersecurity centered engagements throughout 2024 and onwards. In addition to meaningful engagements, we also aspire to better align our clients’ investments with the evolving market landscape by integrating new cybersecurity-related metrics and insights into our ESG assessments to continually enhance the value for our investors.
“Each year, we continue to see the volume and cost of cyberattacks increase to record highs, with headlines of corporate data breaches coming from virtually every industry. We believe this underscores the need to recognize cybersecurity as a financially material risk across all sectors and regions.”
Marco Iaboni
Associate, Technology and Communications, Global Equity
BMO Global Asset Management
Sources
Footnotes
1 115 cybersecurity statistics + trends to know in 2024 (norton.com)↩
2 One engineer’s curiosity may have saved us from a devastating cyber-attack | John Naughton | The Guardian↩
3 UnitedHealth says Change Healthcare cyberattack cost it $872 million – CBS News↩
4 https://www.forbes.com/sites/forbestechcouncil/2024/02/06/the-impact-of-ai-on-post-quantum-cybersecurity/↩
5 Cybersecurity Stats: Facts And Figures You Should Know – Forbes Advisor↩
6 Top 10 Cybersecurity Predictions and Statistics For 2024 (cybersecurityventures.com)↩
7 GDP (current US$) – Canada | Data (worldbank.org)↩
8 Cybersecurity Jobs Report: 3.5 Million Unfilled Positions In 2025 (cybersecurityventures.com)↩
9 Cyberinsurance Market To Reach $34 Billion By 2031 (cybersecurityventures.com)↩
10 Find Industry Topics – SASB (ifrs.org)↩
11 IBM Security X-Force Threat Intelligence Index 2024↩
Disclaimers
Any statement that necessarily depends on future events may be a forward-looking statement. Forward-looking statements are not guarantees of performance. They involve risks, uncertainties and assumptions. Although such statements are based on assumptions that are believed to be reasonable, there can be no assurance that actual results will not differ materially from expectations. Investors are cautioned not to rely unduly on any forward-looking statements.
These are not recommendations to buy or sell any particular security.
BMO Global Asset Management is a brand name under which BMO Asset Management Inc. and BMO Investments Inc. operate. Certain of the products and services offered under the brand name, BMO Global Asset Management, are designed specifically for various categories of investors in Canada and may not be available to all investors. Products and services are only offered to investors in Canada in accordance with applicable laws and regulatory requirements.
“BMO (M-bar roundel symbol)” is a registered trademark of Bank of Montreal, used under licence.
