
What can companies do to manage the escalating risk of cyber attacks?

By Abi High, June 1, 2022 (updated June 6th, 2022)

Cyber attacks cost Australian businesses $323.7 million in 2021[1], yet cyber security remains one of the least understood risks posed to companies operating today. In an increasingly digitised world, it is imperative that companies understand, manage and report to investors the cyber risk they face as an organisation. Whilst cyber security is not a new consideration, there are a number of recent factors that have amplified the risk to investors:

  • 67% of Australians are now sometimes or always working from home[2], creating a wider “attack surface” outside of controlled office spaces;
  • reliance on mobile devices by both customers and employees means that company data is increasingly difficult to monitor and control; and
  • rapid adoption of cloud infrastructure (now used by 55% of Australian businesses[3]) creates further opportunities for interception of data.

We acknowledge that this is a highly complex and rapidly evolving area; this thought piece therefore aims to highlight some of the key issues posed by cyber threats and how to manage them. We encourage companies and executive teams to take a ‘not if but when’ approach to cyber security, and we advocate for increased company disclosure and proactive management of this escalating risk.

Categories of cost associated with cyber attacks

Cyber security breaches can result in losses under three main categories: financial, operational and reputational.

Financial

Financial losses can result from attacks which intercept payment systems or processes (such as a fictitious payment request), from ransom payments or from regulatory fines. The ACSC recorded over 67,500 self-reported incidents of cybercrime in the 2020-2021 financial year, resulting in over A$33 billion in self-reported losses[4]. The true figure is significantly higher once adjusted for unreported losses, and is multiples higher than historic records. For investors, the announcement of a data breach typically results in share price underperformance (discussed in more detail in the next section).

Increasing cost of cyber crime in Australia

Source: Melior, https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics

Operational

Businesses often suffer operational disruption because of a cyber attack. More than half of all breaches result in more than four hours of operational downtime[5], costing staff time and resulting in lost productivity.

Source: Cisco 2020 CISO Benchmark Survey, Figure 4

Reputational

This cost involves destruction of brand value and loss of customer trust following a data breach. In a study carried out by KPMG in the UK, 89% of companies that were impacted by a cyber breach said they saw a long-lasting impact on their reputation, evidenced by loss of clients, reduced ability to win new business and brand damage[6]. Varonis (2020)[7] further explains the secondary effects of cyber attacks: 85% of customers tell others about their experience and 33.5% use social media to complain about it. The chart below[8] shows the five-year journey for Target (US) to recover from its 2013 data breach (following significant investment in a customer loyalty program and increased digital security expenditure).

Target brand index rating: buzz (consumer perception)

Source: https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics

Economic and shareholder value risks posed by cyber attacks

Evidence suggests that the announcement of a cyber breach results in a negative short-term share price reaction, and in longer-term underperformance where the company fails to respond quickly and meaningfully to address the cause and impact.

Share price reaction

Garg[9] found that, in the short term, on average “firms impacted by a cyber breach experienced a 2.7% decline in their stock price relative to the overall market on the day following the attack”. However, history has shown much more severe reactions: Equifax, whose share price fell 34% in the two weeks following its 2017 data breach, or UK-based Cambridge Analytica, whose Facebook-related data breach in 2018 led to its ultimate demise.

Long term impact

The long-term impact on business value is highly dependent on the company’s reaction once they fall victim to a cyber attack. Two possible but opposing impacts on shareholder value have been identified in studies:

  1. Value accretion. A quick reaction to a data breach, including adapting digital strategy and investing to protect against future cyber attacks, can present an opportunity for shareholder value creation. For example, JP Morgan, following a cyber attack in 2014, experienced a share price decline of c.9% in the days following its filing to the SEC[10]. However, it subsequently released extensive information on the data breach and doubled its computer-security budget[11]; this response in part supported share price outperformance vs the S&P 500 in the following five years. The share price of US home-improvement company Home Depot similarly recovered following its 2014 data breach, after the appointment of its first CISO (Chief Information Security Officer) and significant investment to enhance encryption of customer payment data.
  2. Value destruction. Where the company does not change processes and strategies following the breach, business value suffers over the longer term. Huang et al. (2019) note that “the mostly negative impact indicates that those organizations do not effectively turn cyber incidents into opportunities to improve and optimize their business”[12]. This has recently been demonstrated by the ride-hailing group Uber, which, following its attempt to conceal a 2016 data breach by paying a ransom, has struggled to regain customer trust and has subsequently been subject to over US$148 million in fines to settle legal claims. The stock has substantially underperformed its Russell 1000 benchmark since listing.

Given the risk to company value, businesses need to approach cyber risk as an “economic threat” rather than a “nuisance”[13], act proactively to manage cyber risk, and have robust response plans and reporting frameworks in place.

Currently, Australian companies are not sufficiently prepared for cyber threats: disclosure on cyber security among ASX-listed companies is inconsistent, minimal and, in most cases, inadequate. Only a minority of ASX 300 companies publish a comprehensive strategy to mitigate cyber risk or disclose any KPIs related to cyber security management.

“While the cyber incident brings the victimized company to the spotlight, it provides free public exposure for the company to showcase their responsibility and efforts to protect their stakeholders, customers, suppliers, and community.”[14]

What can companies do to protect against cyber threats?

Whilst companies cannot eliminate the risk of a cyber attack, our learnings so far point to some key areas that need to be addressed to minimise cyber risk exposure.

Strengthen first line of defence

An organisation is best protected against cyber criminals when employees are trained and vigilant in detecting potential security breaches. Role-specific training should be provided at all levels of the organisation to best equip employees with the skills required to detect and report cyber breaches in their daily operations.

Implement a cyber security framework

There are several frameworks that companies can use to measure and improve their cyber capabilities. One of the most prominent is the Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology (NIST), which is responsible for producing standards for the US Government[15]. The Framework is split into five functions (Identify, Protect, Detect, Respond and Recover), which align to how an organisation identifies, protects against, detects, responds to and recovers from cyber incidents.

To date, there are no specified regulatory standards relevant to cyber security for Australian companies to follow. These may be introduced soon, following an open consultation in 2021[16] by the Commonwealth Government on options for regulatory reform of cyber security. However, in the current environment we encourage companies to follow well-established frameworks such as the NIST CSF, to make sure that this risk is appropriately managed and to ensure consistency of reporting.

Develop executive and board experience

Nasdaq recently reported that “91% of board members at the most vulnerable respondent companies were unable to interpret their company’s cyber security report”[17]. Given the increasing sophistication of cyber criminals, board directors must have sufficient experience to be able to interpret risk reports and monitor the effectiveness of the cyber security strategy within the organisation. In our last Insights report[18] we identified cyber security as a key skill requirement for board directors; broad ‘IT’ skills are not enough.

Reporting: key performance indicators / targets

With effective reporting, executive teams, board directors and investors are better equipped to control and mitigate cyber risk. There are a multitude of KPIs that can be tracked either internally or by third parties (such as BitSight or UpGuard), for example Mean Time to Detect (MTTD) a breach, or the number of successful security breaches during the year. We view Medibank Private (held in our portfolio) as a best-practice example of cyber security KPI disclosure within its annual reporting [refer below].

Information security and data breaches

Source: Medibank Sustainability Report 2021

Develop a response plan

A response plan, to be enacted during or after an incident, is key to minimising the long-term impact of that incident on business value. Response plans should be made up of four key components[19]:

  1. Contingency Planning – including a Business Continuity Plan and Disaster Recovery Plan,
  2. Communication Approach – how appropriate stakeholders will be notified, both internally and externally,
  3. Analysis – how the business will identify what controls failed and the extent of the breach,
  4. Mitigation – what steps the business will take to resolve the incident, prevent expansion, mitigate its effects, and invest in future protections

Melior's response

We have recently enhanced our ESG Framework to include multiple factors that help us to assess which companies are effectively managing their cyber risk exposure. We will soon be including a cyber security KPI in our quarterly performance reporting to track our portfolio vs the ASX 300 on this issue, and this will also form one of our Active Corporate Stewardship 2030 Impact Goals. We believe that having a comprehensive cyber security strategy in place contributes to SDG 16 – ‘Peace, Justice and Strong Institutions’ – by “enabling successful operation of effective, accountable and transparent institutions” and helping to “combat all forms of organized crime”.

In our advocacy engagements with companies, we are raising awareness of cyber security risk with management teams and boards, urging them to raise the level of cyber expertise and oversight within their organisations, implement comprehensive strategies to mitigate the risk and encourage greater disclosure on cyber security within annual reporting. Our investment team are also upskilling via dedicated training sessions and webinars to ensure that we are well-equipped to identify cyber risk from company disclosures and proprietary analysis.

Melior walking the talk

Melior has a Cyber Security Policy in place[20], as well as a number of measures to mitigate cyber risk, including: mandated staff training, infrastructure- and software-based cyber risk mitigation solutions, monthly reporting to management on cyber metrics, and management of cyber-related risks within our business in accordance with our risk management framework, which is aligned to Australian Standard ISO 31000:2018.

We recognise that cyber crime is a growing threat, and therefore endeavour to continue to upskill our employees and further develop our processes, reporting and systems to continue to actively manage this risk.

Sources

1 ACSC Annual Cyber Threat Report 2020-21 | Cyber.gov.au

2 The Families in Australia Survey: Towards COVID Normal found that among the employed survey respondents, 67% were sometimes or always working from home, compared to 42% pre-COVID. Two thirds of Australians are working from home | Australian Institute of Family Studies (aifs.gov.au)

3 55% of all businesses reported use of paid cloud computing in 2019-20 (42% in 2017-18). Characteristics of Australian Business, 2019-20 financial year | Australian Bureau of Statistics (abs.gov.au)

4 ACSC Annual Cyber Threat Report 2020-21 | Cyber.gov.au

5 Cisco 2020 CISO Benchmark Survey, Figure 4

6 Small Business Reputation & The Cyber Risk (assets.kpmg), p. 2

7 Analyzing Company Reputation After a Data Breach (varonis.com)

8 Analyzing Company Reputation After a Data Breach (varonis.com)

9 Garg, A., Curtis, J. and Halper, H. (2003). “Quantifying the Financial Impact of IT Security Breaches: What Do Investors Think?”. Information Management & Computer Security 11(2): pp. 74-83.

10 On October 7, 2014, JPMorgan Chase & Co. (JPMorgan) filed with the Securities and Exchange Commission (SEC) a statement disclosing some details of the data breach first announced in August. Share price performance taken 08/10/2014 – 16/10/2014 (Bloomberg).

11 JP Morgan Chase Sees Cyber-Security Spending Doubling | 2014-10-12 | Security Magazine

12 Keman Huang, Rebecca Ye, Stuart Madnick (2019), “Both Sides of the Coin: The Impact of Cyber Attacks on Business Value”, Massachusetts Institute of Technology: p. 4

13 Gordon, L. A., Loeb, M. P. and Zhou, L. (2011). “The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?”. Journal of Computer Security 19(1): pp. 33-56.

14 Keman Huang, Rebecca Ye, Stuart Madnick (2019), “Both Sides of the Coin: The Impact of Cyber Attacks on Business Value”, Massachusetts Institute of Technology: p. 4

15 An Introduction to the Components of the Framework | NIST

16 Australia’s Cyber Security Strategy 2020, Strengthening Australia’s cyber security regulations and incentives (homeaffairs.gov.au)

17 Nasdaq Accountability Gap report, 2016. Bridging the Accountability Gap: Why We Need to Adopt a Culture of Responsibility | Nasdaq

18 Board skills evolution crucial to drive ESG value creation – Melior Investment Management (meliorim.com.au)

19 Respond | NIST

20 As part of the Adamantem Investment Group firmwide Cyber Security Policy

This content is for general information only. In preparing and publishing this content, Melior Investment Management Pty Ltd (ACN 629 013 896, authorised representative no. 001274055) does not seek to recommend any particular investment decision or investment strategy and has not taken into account the individual objectives, financial situation or needs of any investor. Investors should consider these matters, and whether they need independent professional financial advice, before making any investment decision.