Responsible Investment
Cybersecurity’s growing importance: what investors need to know
June 12, 2024
The rise of tech-enabled companies
The ever-evolving state of technology has enabled companies from all corners of the economy to modernize and adapt to better serve their clients. The ability to deploy technology solutions across the connected world marks both an opportunity to modernize and another important risk to be managed. Restaurants adding self-service ordering kiosks, large retailers turning their focus to e-commerce, and electric utilities implementing smart grid software are just a few examples of a long-term trend: the rise of tech-enabled companies.
In contrast to the traditional understanding of what a technology company is, such as giants like Apple, Microsoft or IBM, a tech-enabled business is one that leverages the latest technology available to improve an existing market. Businesses leveraging such technology are able to chase higher efficiencies in mature markets by offering a better user experience, increasing convenience, and in some cases, establishing additional revenue streams by reaching new consumers.
However, as companies from all sectors and regions try to capitalize on the opportunities generated by technological developments and digitalization, an unintended consequence is higher vulnerability due to the increasing risk of experiencing a cyber-attack.
Over 2,200 cyber-attacks take place each day [1]. Just in April 2024, two major cybersecurity events seized investors’ attention. First, malware was added to Linux, an open-source operating system that runs on virtually all internet servers, but luckily a curious engineer detected and stopped the attack before it could cause widespread damage [2]. Second, Change Healthcare, part of UnitedHealth Group, which is the largest U.S. health insurer, was hacked and allegedly lost more than six terabytes of data, including medical records, costing the company USD $872M in “unfavorable cyber-attack effects” [3].
The costs of a cyber-attack
The immediate direct financial impact of a cyber-attack can be undeniably substantial, including costs such as network downtime, investigations, security enhancements, enhanced customer support, legal fees, settlement payouts, and even potential ransoms.
However, once the dust settles, the actual costs of such an attack often extend beyond these monetarily quantifiable damages. If a cyber-attack erodes customer trust in a company’s offerings, the long-term cost of restoring customer confidence and re-establishing a corporate reputation of prudent data security risk management may significantly surpass the initial operational and legal expenses.
In parallel, remote work has made it easier for hackers and cybercriminals to crack enterprise networks. Add to this the advancement in artificial intelligence (AI) models and the imminent rise of quantum computing (which hypothetically could break the present encryption practices deployed across the internet [4]) and it all underscores the financial materiality of cybersecurity risks to businesses.
In 2023, there were around 343 million victims of cyber-attacks worldwide, driven by a 72% increase in data breaches from 2021-2023 [5]. The impact of global cybercrime, which may include loss of data, money stolen, fraud and reputational harm, costs the global economy trillions of dollars each year. Cybersecurity Ventures forecasts that number to be USD $9.5 trillion globally in 2024, up from USD $3 trillion in 2015 [6]. By comparison, the annual GDP of the Canadian economy was USD $2.16 trillion in 2022 [7]. The effects of cybercrime drive other meaningful changes across the economy, including the job market, where there is set to be an expected stock of 3.5 million unfilled cybersecurity jobs in 2024 [8], and the cyber insurance market, which is predicted to hit USD $14.8 billion annually by 2025 [9].
As a result, the key question becomes: How can investors more effectively assess and manage the cybersecurity risks inherent in their holdings and portfolios?
Overlooked sector risks and industry best practice
Businesses’ financial risks are usually reflected in their balance sheets, income statements, and other financial statements. Non-financial risks, such as cybersecurity, arise from the firm’s operations and are harder to track and assess. Investment managers traditionally leverage industry frameworks and best practices to better assess such non-financial risks.
An example is the Sustainability Accounting Standards Board (SASB) Materiality Map, which identifies financially material issues on an industry-by-industry basis [10]. Among the issues identified by SASB is cybersecurity; in particular, it views customer privacy and data security as significant business issues in industries such as telecommunication services, commercial banks, and health care delivery, among others.
However, there appears to be an industry-wide gap in adequately recognizing cybersecurity risks across all industries. While SASB, and frankly most other industry-accepted frameworks, recognize cybersecurity risks in sectors like Information Technology (IT), Banking, and Healthcare, according to IBM Threat Intelligence, Manufacturing is the industry most targeted by cyber criminals, with Finance, Professional Services, Energy, and Retail completing the top five most targeted industries [11].
Share of cyber-attacks by industry in 2023
Industry | 2023 |
---|---|
Manufacturing | 25.7% |
Finance and insurance | 18.2% |
Professional, business and consumer services | 15.4% |
Energy | 11.1% |
Retail and wholesale | 10.7% |
Source: IBM Security X-Force Threat Intelligence Index 2024
Given the fast adoption of new technologies, such as the internet of things (IoT) and AI, the need to recognize cybersecurity as a financially material risk across all industries and regions has never been greater. In an increasingly connected world, these risks need to be recognized and managed by investors.
What can companies and investors do?
Similar to other sustainability issues, companies should establish proper assessments of cybersecurity risks, develop processes and policies to ensure adequate management of assessed risks, integrate oversight and responsibility within enterprise risk management and governance functions, and disclose progress to investors through public reporting. Companies should ideally conduct risk assessments or audits on a recurring basis and pursue certifications on their information security management systems, such as ISO 27001.
Holistic assessment is needed as investors might be overlooking this critical risk in several industries. New metrics and data sources are emerging that allow investors to better assess holdings’ cybersecurity exposures for more industries. Companies now periodically report the amount of personal data they collect, their exposure to evolving or increasing privacy regulations, data breaches, and their systems for protecting personal data.
Investors can encourage their investee companies to pursue these steps and adequately manage cybersecurity risks. At BMO GAM, we make public our Expectation Statements on Environmental, Social and Governance Practices. Core to our expectations is that companies should have board-level oversight of internal controls and all material risks, including ESG risks such as climate change, cybersecurity, and consumer protection.
In 2023, along with our third-party engagement service provider Responsible Engagement Overlay (reo®), we discussed cybersecurity or data security in various engagements with investee companies in different industries and regions. The discussions included topics surrounding certifications on information security, encouraging more disclosure on assessments, and enhancing privacy policies relating to user information. As technology continues to progressively permeate every aspect of our daily lives, we foresee a significant expansion in our cybersecurity-centered engagements throughout 2024 and onwards. In addition to meaningful engagements, we also aspire to better align our clients’ investments with the evolving market landscape by integrating new cybersecurity-related metrics and insights into our ESG assessments to continually enhance the value for our investors.
“Each year, we continue to see the volume and cost of cyberattacks increase to record highs, with headlines of corporate data breaches coming from virtually every industry. We believe this underscores the need to recognize cybersecurity as a financially material risk across all sectors and regions.”
Sources
[1] 115 cybersecurity statistics + trends to know in 2024 (norton.com)
[2] One engineer’s curiosity may have saved us from a devastating cyber-attack | John Naughton | The Guardian
[3] UnitedHealth says Change Healthcare cyberattack cost it $872 million – CBS News
[4] Impact of AI on post quantum cybersecurity
[5] Cybersecurity Stats: Facts And Figures You Should Know – Forbes Advisor
[6] Top 10 Cybersecurity Predictions and Statistics For 2024 (cybersecurityventures.com)
[7] GDP (current US$) – Canada | Data (worldbank.org)
[8] Cybersecurity Jobs Report: 3.5 Million Unfilled Positions In 2025 (cybersecurityventures.com)
[9] Cyberinsurance Market To Reach $34 Billion By 2031 (cybersecurityventures.com)