As technology advances and we become increasingly connected, the risk of cybercrime and data corruption rises. Shareholders need to seek assurance that the companies they invest in are prioritising data and cyber security at a board level.
Many shareholders associate good corporate governance with areas like leadership, ethics and sustainability. But there is another increasingly important factor that provides investors with an insight into a company’s governance practices – their approach to cyberattacks.
Well-governed companies are more likely to have a better understanding of the cyber risks they face.
By asking the right questions, investors will be better placed to determine whether a company is managing the cyber threat properly, and in turn they will also gain valuable insight into the general quality of the company’s governance and risk management.
A growing menace
The widening reach of technology means we are more connected now than we have ever been, but also more vulnerable. While stored data is used to benefit consumers and tailor products, services, offerings and communication to their needs and preferences, it also increases the risk of cybercrime.
Shareholders are aware of the growing importance of data security, but there are a number of issues that make it matter now more than ever before:
- Technology is changing with an ever-expanding reach
- There is an increased emphasis on data privacy
- Risks are shifting and becoming more complex
- Ever-increasing data records, their complexity and their links to one another mean a single breach has the potential to expose a large number of people
- It is impossible for all companies to always be prepared for any potential attack
- News of breaches travels fast, impacting a company’s reputation instantly
- The costs of prevention and remediation of data security breaches are rising
The real cost to shareholders of cyber attacks
Companies need to be increasingly vigilant in protecting the integrity and privacy of data systems. While it may be costly for companies to implement processes and systems to adequately protect their data, inadequate protection could potentially be even more costly. Data breaches have real and significant financial impacts.
According to a report by the Ponemon Institute*, the average breach in 2017 cost each Australian company $2.51 million. The report also found that the faster the data breach can be identified and resolved, the lower the cost for companies.
Ultimately, a loss to the company equates to lower take-home profits for shareholders and, in some cases, even greater losses over the long term due to reputational damage.
A clear correlation
An even greater issue is what a company’s preparedness for cybercrime says about its broader governance culture and systems.
Considering Environmental, Social and Governance (ESG) factors such as data security can uncover the greatest drivers of company value and lead to better informed investment decisions, and potentially higher returns.
While specific sustainability drivers will vary between industries, there is a clear correlation between how effectively a company manages ESG factors and financial returns.
The 9 key questions
How can shareholders properly assess a company’s handling of cybercrime? AMP Capital has a long history of open and constructive engagement with the companies in which we invest. As a result of this dialogue, we have developed a list of ten key questions that all investors should ask the companies they are investing in:
- Does the board understand cyber security risks?
- Has the board identified the aspect of their business at greatest risk? What information, processes, and intellectual property are core to the business’ success?
- Has the company identified how that data or process could be compromised or stolen?
- Has appropriate data security been put in place and subjected to regular testing, including external independent review?
- Does access to sensitive data require strong passwords and/or second-level authentication?
- Does the board/senior management possess the necessary skills to truly understand the risk-management practices that have been put in place to mitigate against the risk of cyber-attack?
- What training does the company provide to equip employees with the necessary skills to manage cyber risks?
- Are they confident breaches will be detected promptly?
- If a breach were to occur, how quickly could the company respond?
- What is the process for notifying affected customers/stakeholders?
Firmly on boards’ radars
With cybercrime a growing threat, shareholders want to be confident that boards have the issue of cyber security firmly on their radars. If they don’t, boards are exposing shareholders to significant financial risk.
But, more importantly, if boards are not taking cybercrime seriously, concerns must be raised about the quality of their governance.
Read more about this issue in the latest ESG Corporate Governance report.
While every care has been taken in the preparation of this article, AMP Capital Investors Limited (ABN 59 001 777 591, AFSL 232497) and AMP Capital Funds Management Limited (ABN 15 159 557 721, AFSL 426455) (AMP Capital) makes no representations or warranties as to the accuracy or completeness of any statement in it including, without limitation, any forecasts. Past performance is not a reliable indicator of future performance. This article has been prepared for the purpose of providing general information, without taking account of any particular investor’s objectives, financial situation or needs. An investor should, before making any investment decisions, consider the appropriateness of the information in this article, and seek professional advice, having regard to the investor’s objectives, financial situation and needs. This article is solely for the use of the party to whom it is provided and must not be provided to any other person or entity without the express written consent of AMP Capital.
This article is not intended for distribution or use in any jurisdiction where it would be contrary to applicable laws, regulations or directives and does not constitute a recommendation, offer, solicitation or invitation to invest.