Unprepared cyber defenses risks financial losses: AllianceBernstein


12/31/2022

The urgent need to assess, prepared and minimize impact of potential cyber attacks.


Cyber security and data security is a hot topic in many industries. Companies must constantly assess their defences and readiness in order to help minimise the impact of a potential attack. Public declarations of preparedness frequently exaggerate the actual level of defenses in place.

Despite company awareness, many investors do not place a high priority on cybersecurity. We believe this is a mistake, especially given the importance of governance issues in an environmental, social, and governance (ESG) focus. Unprepared businesses risk financial losses, penalties, and reputational damage, which can undermine a company's brand and jeopardise the return potential of a stock or bond. We spoke with cybersecurity experts from various fields and reviewed the regulatory landscape to provide investors with guidelines for assessing cyber-risk management.
 
Costs of Cyber Attacks
Cyberattacks are extremely expensive. According to cybersecurity firm SonicWall, at least 2.8 billion malware attacks were recorded globally in the first half of 2022, an increase of 11% over the previous year.

According to a study conducted by the Ponemon Institute and IBM Security, the average global cost of a data breach will reach a record $4.4 million in 2022. Recovery costs vary depending on the sophistication of a company's systems and whether or not remote work was involved, which tends to raise the cost.

Some industries are more vulnerable than others (Display). However, no company is safe in today's online world. Increased regulation has resulted from increased risk. Three new regulations have been issued in the United States in the last year: the SEC cybersecurity rule, the Cyber Incident Reporting for Critical Infrastructure Act, and the Ransomware and Financial Stability Act of 2021. Meanwhile, governments are on high alert after a surge in state-sponsored cyberattacks at the start of the Russia-Ukraine conflict. Companies cannot afford to ignore the problem in this changing environment.
 
Biggest Challenges
Many businesses are addressing the risks by shifting data centres and security from on-premises to cloud-based solutions. The pace is quickening as smaller cloud storage capacity issuers migrate to better synchronise their systems. However, cloud security raises new concerns. We've heard several recurring themes from cybersecurity experts.
 
Shielding critical Infrastructure: 
Organizations face two major challenges: selecting and managing a large number of security providers and vendors. According to one vendor who installs various cloud security platforms, creating a single dashboard to manage a network of diverse solutions ranging from end point protection to cloud system parameter solutions is a common problem. With so many similar options available, some organisations become paralysed; they spend too much time looking for the perfect fit rather than establishing an initial infrastructure to update over time.
 
Monitoring, Training and Governance
Following the completion of the infrastructure, businesses require properly trained personnel to monitor and run the systems, as well as a governance structure to ensure its integrity. Streamlining various internal systems and security vendor products requires time and resources, which is made more difficult by the fact that many major security providers are active acquirers of smaller companies, which can throw products out of sync.

What makes a cybersecurity governance structure strong? First, we believe that a clear reporting structure to the board committee responsible for oversight is critical, with jargon-free reports that directors without cyber expertise can understand. Similarly, a simple matrix categorising risks as "High, Medium, Low" is useful, as are reports on mitigation action and threat taxonomies. As governance matures, the general counsel, board, and business managers should interact with the information security team more frequently. Employees who run and monitor systems must be subject to oversight. And businesses should be aware that the vendors they select are important; more common services will have more professionals available to run the systems.
 
Costs of Resourcing
Many CIOs told us they are concerned about costs. In some cases, engineers can make a single change on a single server that dramatically increases overall system costs over time. Furthermore, many vendors fail to clearly define the rising costs of monitoring and maintaining a strong cybersecurity infrastructure. Checks on employee additions and a forward-thinking infrastructure cost model can assist in avoiding these pitfalls, particularly in companies with fewer dedicated cyber resources. Another consideration is cyber insurance costs; insurance benefits may be reduced when new vendors are added and systems are updated, or if coverage is reduced. Lloyd's of London, for example, recently announced that it will no longer sell insurance for state-sponsored cyber-attacks.
 
Cyber Risk Management
To assess a company's cyber-strategy and actions, investors must ask the right questions and focus on budgets. How are cyber issues brought to the board's attention? How are risks identified and managed? What kinds of system tests and response plans are in use? Are your employees ready for an attack?

Discussions with directors and management can provide valuable evidence of cyber proficiency. We discovered in recent engagements that companies with a strong sense of risk are more willing to discuss the topic and provide details on governance, reporting, and training. Vague or standard responses may indicate that a company is less prepared for threats, lags behind competitors, and is therefore more vulnerable to attack. Cyber budgets provide critical insight into strategy and action. Transparency about spending on cyber insurance, resourcing, vendors, or in-house development helps to round out the picture.

Companies must increase their efforts to combat attacks and secure their data and systems as threats grow. Small and medium-sized businesses may face greater risks because many are still in the early stages of their cybersecurity journeys and have gaps in their systems that could attract attacks.

Investors of all sizes should scrutinize existing cyber systems and delve deeper into security governance, resourcing, and reporting. Companies will be better prepared to prevent and respond to cyber-attacks if their strategies are consistent across the board. Investors will be better equipped to incorporate a company's cybersecurity profile into a broader risk assessment of portfolio candidates and holdings if they engage with management on these issues on a regular basis.