Internet security blog posts are usually more at home on the inside pages of IT trade publications than on the front pages of international newspapers. The one published by Microsoft Corporate Vice President Tom Burt on 2 March, about the emergence of “state-sponsored threat actor” Hafnium, was a notable exception.
A new threat had emerged, targeting Microsoft Exchange Server software. It wasn’t long before the phones of helpdesks worldwide started to ring, and IT managers’ social media feeds lit up. The hackers had attempted to penetrate much deeper than usual into the systems of their intended victims, in order to lurk undetected for a long period of time. The attack may have compromised as many as 20,000 organisations.
Large-scale cyber-attacks of this kind are becoming more common and quantifiable. Their impact is becoming an increasingly important consideration for investment professionals who need to engage with corporations to understand the risks and protect their portfolios against adverse scenarios.
To illustrate what is at stake, a new publication by the CFA Institute Research Foundation on cyberwarfare and cybercrime cited a study examining the average revenue growth of companies affected by severe IT security breaches, and compared those results to industry peers not affected by cybercrime. The research covered some 432 companies and 460 unique events over a six-year period.
It found that in the two years after a severe security breach, corporate revenues first declined by about 10 percent on average and then recovered slowly. After two years, revenues had only recovered to the same level they were at when the security breach happened. By contrast, companies that did not suffer a security breach saw revenue growth of almost 20 percent over the same period.
What does this mean for investors?
The impact of a major security breach is not just reflected in a company’s earnings but also in its share price. Indeed, corporations that have suffered a severe breach could see share prices drop by 10 percent or more over six months and remain depressed for a long time.
With such potentially enduring consequences, it is no surprise that companies are stepping up data protection efforts.
That task is, however, becoming much more difficult as the pandemic has forced millions of people to work from home. This has increased the vulnerability of corporate data – especially from phishing attacks directed at employees.
These attacks have become so widespread that many analysts are comparing the coronavirus pandemic with an emerging “cyber pandemic” – with at-home employees playing the role of trojans.
The CFA Institute Research Foundation publication – Data, the Oil of the 21st Century – reveals the risks that corporations face from the growing number of cyber threats emerging from both nation-states and criminal groups.
Author Joachim Klement warns that investors need to assess their potential exposure to such attacks, which are already costing the average bank – with banks being the preferred targets of cybercrime – some $18.4 million a year (about £12.3m) based on 2018 data. Model estimates for the global banking system range from $97 billion (about £68.5bn) to $351 billion (about £247.6bn) per year in potential losses – easily capable of triggering a financial crisis.
Action needs to be taken
The recent Microsoft attack attracted global attention. It was, however, the eighth time in 12 months that the company had publicly revealed an attack by so-called nation-state groups targeting critical institutions. Victims ranged from health organisations fighting COVID-19, to political campaigns involved in the 2020 US elections.
Such attacks have encouraged a major push at state level to bolster cyber defences. For example, in March 2021, the UK government launched a new National Cyber Force – the result of cooperation between the Ministry of Defence and Government Communications Headquarters (GCHQ) – to disrupt and destroy communications systems of those posing a national security threat.
The financial industry should now engage to protect itself, and its clients, from emerging threats which – as the latest Microsoft hack highlights – are becoming more and more damaging.
Industry leaders may flinch at the required outlay of capital to upgrade cyber defences, at a time when there is a pressing need to conserve cash. But in order to prevent business disruption, information loss and revenue loss, the investment is critical.
To this end, the former US State Department official Richard Clarke may have some prescient insight: “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”