We are fast moving towards an era of technology transformation - ubiquitous connectivity, artificial intelligence, quantum computing and accelerated digitalization. While these technology transformations will lead to paradigm shifts in how we conduct our daily lives, we need to assess how they generate new and systemic risks for the global ecosystem and corporations. One of the biggest risks of a fast-digitalizing world is cybersecurity.
The scope of potential cybersecurity threats includes cybertheft of intellectual property (IP) and personal data, and manipulation of online information, as well as critical infrastructure (e.g., telecommunications, transport, and health care) and IoT, which relies on software to network services. Every stakeholder – governments, companies and individuals, is at rising risk of cyber attacks and data breaches as digitalization accelerates and technology becomes a bigger part of our daily life.
Despite its increasing frequency, rising ferocity and increasing socialization where even vital government installations are not spared, we believe that cybersecurity is not being assessed by investors as a materially relevant financial risk. Investors must recognize that cybersecurity and data breaches are not simply technology related risks but are highly material business risks that have financial implications for a company's bottom line, can cause brand erosion through reputational damage and also pose legal ramifications with possible lawsuits. This is particularly true for financial services companies.
A recent study1 from technology research firm Comparitech provides direct implications of data breaches and cyber attacks on company stocks. Comparitech analysed 28 large US companies that have experienced a data breach of at least 1 million leaked records. Some of the findings of this study showed (1) Share prices of breached companies fall 7.27% on average and underperform the NASDAQ (2) In the long term, breached companies underperformed the market. One, two and three years after the breach, the stocks underperformed the NASDAQ by 6.5%, 12.9% and 13.3%, respectively and (3) Financial companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected.
Like the rest of the world, India too is beginning to see cyber attacks and data breaches. These issues are, however, not receiving the scrutiny they deserve from financial investors in the aftermath; and the company's stock price reactions reflect this limited scrutiny.
At our ESG strategy, where we explicitly integrate ESG issues into our fundamental analysis, we have identified cybersecurity as a core ESG issue for India. Considering cybersecurity, alongside traditional fundamental factors, is in our view critical to the holistic understanding of company risks and for gauging company resilience to tail risks. We rank cybersecurity as an equally important and materially relevant ESG issue for India as carbon emissions, water security and air pollution.
Like the rest of the world, India too is beginning to see cyber attacks and data breaches. These issues are, however, not receiving the scrutiny they deserve from financial investors in the aftermath; and the company's stock price reactions reflect this limited scrutiny.
Cyber risks may go unnoticed until there is a systemic failure. However, when these issues hit, it may be too late to effectively mitigate the situation. In such scenarios, a company is likely to undergo significant market and regulatory scrutiny before it can even take steps to restore its credibility.
Although companies in India are increasingly recognising cyber risks and their impacts, corporate information in the public domain, or through disclosures, is not sufficient. As investors, we need assurance that companies have adequate governance structures and measures in place to deal with cybersecurity challenges. The lack of public disclosure also makes it difficult to differentiate between those companies that are proactively developing, monitoring and managing cybersecurity risks, versus those that are failing to prioritise these risks.
As we have identified cybersecurity as a materially relevant ESG issue for India, we evaluate companies on these criteria and explicitly look for information or ask companies in materially relevant sectors like banks, how they are safeguarding themselves from data breaches and cyber attacks and the plans and contingencies they have in place (training programmes, risk management etc). We try and assess how banks, for example, look at cyber governance and risk assessment. As is true with many other ESG variables, obtaining this information and comparing metrics across companies remains difficult, as there are no universally accepted cyber risk metrics. In one of our recent management interactions2 with the CEO of a top private sector bank, we were heartened to see the CEO likening cybersecurity risk as a core business risk.
India lacks a cohesive nation-wide cyber strategy, policies, and procedures. Stricter regulations around data privacy, protection, and penalty need to be enacted to help businesses evaluate their cybersecurity posture and seek ways to improve cybersecurity.
All good ideas begin with debate. It is time for India to build a narrative and enact policies on vitally material issues such as cybersecurity and climate risk mitigation. Boardrooms must take direct interest in these issues before it is too late.
Sources
1 How Data Breaches impact stock market prices, Comparitech, April 2020Authored by: Abhay Laijawala, MD and Fund Manager, Avendus Capital Public Markets Alternate Strategies LLP
Good Reads
Climate change will be a ‘really big’ focus for ESG investors in 2021, market analyst says
CNBC, December 2020
Environmental, social and governance investing is setting up for another big year. After an “extraordinary year” in 2020, ESG-themed investments should continue their hot streak as interest in sustainable and socially responsible investing grows, says MSCI’s Linda-Eling Lee
Why Socially Responsible Investing Is Likely To Gain Momentum Under Biden
Forbes, December 2020
Despite the Trump administration’s environmental policies investors and companies have rallied around sustainability. Get ready for a Biden boom in 2021. While President-Elect Biden begins to unravel some of the actions of his predecessor, he won’t need to do much to encourage continued growth in ESG investing.