More and more personal and business information worldwide is rapidly migrating into digital form on open and globally interconnected technology platforms. This trend poses serious risks to data security and privacy. Hardly a day goes by without news of a new cyber threat or a major data breach. Hackers, criminals and foreign governments have adapted their theft, fraud and sabotage activities to this increasingly interconnected world. The growing threat of cybercrime — and the opportunities it brings — is a new facet of responsible investing.
US whistleblower Edward Snowden’s actions have put data privacy firmly on the agenda of businesses, making the topic a corporate responsibility issue. The former National Security Agency contractor’s disclosures revealed the extent of government surveillance of internet communications. Companies such as Facebook and Google had to “defend” themselves when it became apparent that they were turning user data over to the US government in response to legal orders.
A common misconception is that attackers are outsiders. Unfortunately, they are quite frequently insiders: a current or former employee, a service provider, an authorized user of internal systems or a contractor. We are often not aware of these insider incidents and we underestimate their impact. In its 2014 US State of Cybercrime Survey of more than 500 executives of US businesses, law enforcement services and government agencies, PwC found that only 49% of all respondents had a plan for responding to insider threats.
A June 2014 report published by the Center for Strategic and International Studies (CSIS) concluded that the US, China and Germany together suffer an estimated $200 billion a year in cybercrime losses. A look at the corporate sector shows that a large majority of firms are still in the development phase of their cyber risk management capabilities. They are looking for ways to better understand which information assets need to be protected, who their attackers are and what defence mechanisms are most effective.
It’s not all bad news. Cyberspace is constantly evolving and businesses are eager to adopt new technologies, such as using the Internet to open new channels and adopting cloud services. These developments create vast opportunity but they also bring unanticipated risk. The cybersecurity sector is growing rapidly, and companies with the foresight to take advantage of these emerging trends have the potential to create value.
Today’s most successful and cyber-resilient organizations are appointing officers to oversee all activities in cyberspace and advise the management board. One of the main questions in the data-privacy area is whether companies are too willing to pass data on to governments. Vodafone has taken the lead in this debate by reporting government requests for customer personal data in each of 29 countries.
While the main players have already taken many steps in the right direction, there is still a long way to go. Technological systems are becoming more complex and therefore harder to secure. Procedures need to be simplified and dependencies need to be reduced, for example by moving toward more loosely coupled systems. Executives also need to take timely steps to improve their companies’ cyber resilience capabilities. Over time, this will also enhance companies’ collaboration with partners in public and international policy, as well as community and systemic responses.
Businesses need to make sure customers trust them. Trust can make or break deals. The private and public sectors need to invest more in attracting, retaining and rewarding cybersecurity talent. One option is providing opportunities to “bad guy” hackers to become “good guy” hackers.
How do investors ‘play’ this theme?
Investors can benefit from the data security and privacy theme in many ways. This can be done for example by investing in companies whose business models are clearly linked to areas such as consumer security, content security, critical infrastructure, data encryption, enterprise security, firewalls, intrusion detection, mobile security and web security. Also important is engagement with companies in all sectors on how well they are protected against cyber-attacks and what initiatives in data security and privacy they have taken. At NN Investment Partners, we believe that cyber security merits special attention from companies. We urge them to protect sensitive data entrusted to them by their clients.