Cybersecurity has been a challenge for as long as IT systems have existed. Once seen as the exclusive domain of back-end IT departments, it is now beginning to take centre stage as more CEOs, COOs and CFOs put it at the top of their agendas.
How do cyber security issues impact investment tech?
There is growing recognition that cyber security is far more than just an IT issue
It is a fallacy to presume that poor technology is the sole contributing factor to cyber risks and threats. Inadequate security protocols can also expose organisations - including hedge funds - to significant reputational damage, regulatory breaches and client data breaches.
Research indicates that the majority of these threats are caused by people rather than technological failures. For example, using weak passwords, opening links from phishing emails, or deliberately sharing sensitive information, all put organisations at risk of cyber security breaches.
With greater threats and risks comes greater demand for cybersecurity itself
On a more positive note, for investors at least, cybersecurity investment rose by 25% in in the UK in 2021 compared to 2020, thanks to a growing appetite for cyber security stocks.
Cybersecurity companies in the UK generated £10.1 billion in revenue collectively in 2021 , which was 14% higher than in 2020. Globally, investors have put in £16 billion into the sector, with UK firms like Immersive Labs, a Bristol-based company that develops platforms to improve cybersecurity skills in businesses, raising an impressive £53.5 million during a Series C funding round.
Did you know that tech companies are especially vulnerable to cyber threats and risks?
In a Global Cyber Executive Briefing case study, Deloitte says the high-tech sector in particular is often 'ground zero' for cyber-attacks.
Why is that? Well, here are some explanations:
1. These companies store information which is valuable to cyber criminals.
We live in an era of Big Data, when investment tech companies store enormous volumes of confidential information that cyber criminals are eager to steal and sell to third parties.
2. They are often experimenting with new technologies that may be vulnerable to attacks.
Many of these new technologies have yet to mature, which means the security infrastructure may be weak and vulnerable to attacks.
3. The working environment will often be flexible
Hi-tech companies often operate hybrid working models, involving a mixture of home-working and office-based working, while others may be fully remote. If employees are accessing secure systems from multiple devices on a regular basis (i.e. a home laptop, a personal phone, a work laptop, a work phone), in theory, there is a higher quantitative risk of a cyber-attack.
Is cybersecurity becoming a bigger challenge for the wider economy?
The World Economic Forum, in its Global Cybersecurity Outlook report and meeting, revealed that the number of cyberattacks rose by 125% in 2021, and the evidence suggests a worsening picture in 2022.
One of the panellists at the event, Jürgen Stock, Secretary-General, International Criminal Police Organization, said he thought the major risk to IT security is human failure, which 'opens the door for criminals to attach the systems to take data hostage'. Jurgen also stressed that the data we refer to do not represent the full picture, because many victims of cyber-attacks do not report these incidents to authorities. He estimates that only about 5-10% of cases are actually recorded by law enforcement, so what we see in the data is the tip of the iceberg.
Cyber security issues should be a key concern for hedge fund managers too
Many cyber criminals will have a vested interest in targeting hedge funds to try and access sensitive information like client data and investment strategies, particularly as hedge fund technology grows.
In April 2022, an Israeli investigator pleaded guilty to a fraud and 'hacking-for-hire' conspiracy which targeted hedge funds, journalists and other groups. The investigator, who is now facing a maximum prison sentence of 27 years, admitted to working with hackers who sent phishing emails to try and acquire confidential client information.
Companies need to be more proactive at dealing with cyber threats and risks
In a 2019 report, McKinsey revealed that there is growing pressure from boards and regulators to apply a 'risk-based' approach to managing cyber risk, rather than the traditional ‘maturity-based' approach that focuses on the capability of an organisation’s cybersecurity.
What’s the difference between maturity-based and risk-based approaches?
The maturity-based approach emphasises strengthening security by introducing features such as multi-factor authentication on devices. Companies that adopt this approach will often hire highly skilled Information Security Officers to own these functions. But the new risk-based approach is much more comprehensive, focusing on managing cyber risk and threats through an enterprise-risk management (ERM) framework. This framework identifies all potential risks to the organisation and manages them within the company's risk appetite.
ERM frameworks can be valuable resources for hedge fund managers who are comparing candidates for their tech portfolios
This type of information can help you determine which companies have the best risk-management frameworks in place.
Why does all this matter?
The better a company is at managing risks, the lower the likelihood that it will experience adverse events, such as data breaches from hacking, which could expose it to significant operational, reputational and financial risk.
Data breaches aren't just a problem for an organisation's primary stakeholders
They are a threat to investors, too, because, in a recent study, the share prices of companies experiencing data breaches fell an average of 3.5% (Nasdaq) and hit their low about 110 market days after the breach. Long term, breached companies continued to underperform the market, implying that the original data breach was still having an impact on the stock price, or that there were other internal or external factors at play.
What should you look out for when assessing which tech companies to invest in?
ClearRisk, a risk management software provider, has identified a 9-point process for determining whether a company has an effective ERM Framework in place - here’s a summary of some key things to watch out for when investigating potential cyber security stocks to add to your prime brokerage portfolio.
Does the company explain its risk management functions in plain language? If someone at this company were to explain to you - verbally or in writing - what sort of cyber security risk management procedures it has in place - can you understand what they are talking about? If so, there is a good chance that other people in the organisation understand it too.
Does the company have a risk management steering committee?
If so, this is a good indication that the organisation takes this issue seriously.
Are there people in the organisation who have clearly defined responsibilities for cyber security?
Does the company publish a risk appetite statement and amend this regularly?
Does the company have RMPs? (risk mitigation plans)
In summary:
- Cybersecurity issues are far more than just an IT or tech sector problem
- Human failure plays a significant role in elevating these risks and threats
- The best tech companies will have robust ERM frameworks for managing risk
- Cyber breaches can reduce a company’s stock performance
Publication date:
The information and opinions on this report are provided for general information purposes only. IG Bank S.A. do not guarantee, explicitly or implicitly, that the information and opinions are accurate, reliable, up-to-date or exhaustive. Furthermore, this report may contain IG Bank S.A. external analyst’s judgment, future expectations, views or opinions, but actual developments and results may differ materially from such expectations, in particular due to a number of risks, uncertainties and other factors. Such statement may subject to alteration without notice.
The information contained in this report should in no event be construed as a solicitation or offer, as advice or as a recommendation to implement or liquidate an investment or to carry out any other financial transaction, and it does not constitute any legal or tax advice. It should not be used as a basis for any investment decision or other decision. IG Bank S.A. accept no liability for any loss or damage of any nature whatsoever, whether direct, indirect or consecutive, arising from accessing, using, consulting its report or navigating its website, or from links to other report and/or websites. No representation or warranty is given as to the accuracy or completeness of this information. Consequently any person acting on it does so entirely at their own risk. Any research provided does not have regard to the specific investment objectives, financial situation and needs of any specific person who may receive it and as such is considered to be a marketing communication.
Contact us
Let us create a solution tailored for your needs. Get in touch with our team by phone or email to discuss your objectives, or request a brochure.