COVID-19 shocked investors into taking pandemic risks more seriously. In an increasingly connected world, where data is the new oil, could cyberattacks be the next big threat?
In the spring of 2011, users of Sony’s PlayStation Network received a message informing them that “certain functions of PlayStation Network are down”. When it was still down the following day, the company issued another statement, saying it would be “a full day or two” before operations would be back to normal.
What PlayStation users didn’t know was that, behind the scenes, Sony already had evidence of a cyberattack that would eventually compromise the data of about 100 million customers, including personally identifiable information and financial details. The Sony PlayStation Network – the company’s cash cow – was taken offline while engineers addressed the breach, with functions not completely restored for about 40 days.1
Lost revenues from the outage, subsequent lawsuits from users who were targeted for credit card fraud, and mitigating efforts such as free offers of PlayStation 3 games to lure customers back would eventually cost the company $170 million, in one of the most damaging data breaches in history.2
“Think about that paradigm shift,” says Marc Goodman, author of Future Crimes: Inside the Digital Underground and the Battle for Our Connected World, in reference to the case.3 “Never in the history of humankind would it ever have been possible for one person to rob 100 million people simultaneously.”
Fast and furious
What allows criminal activities to be scaled to previously unimaginable heights is a combination of technological advances, proliferation of data and the connectivity of the global economy, says Louise Piffaut, environmental, social and governance (ESG) analyst at Aviva Investors. As the Internet of Things (IoT), artificial intelligence and cloud computing begin to shape the commercial realities across sectors, cyber threats can only rise – both in number and financial cost. Increasingly, the threats not only come from seasoned hackers but from countries and, more worryingly, employees.
But the same dynamic is also the lifeblood of the global economy, allowing “many companies to find new ways of creating value by monetising data to help their customers, lower costs and improve efficiencies”, she adds. This in turn encourages businesses to collect and store more and more data across the globe.
Naturally, securing this data is a key concern for businesses and investors
“We’re seeing the positive impact across industries, beyond technology, from industrial equipment to health insurance,” adds Mikhail Zverev, head of global equities. “Naturally, securing this data is a key concern for businesses and investors – protecting that data advantage, sensitive customer information, and ultimately the functioning of critical business infrastructure.”
The University of Maryland estimates a data breach occurs once every 39 seconds in the US, affecting nearly one in three Americans. The mean cost of each data breach is about $3.9 million to businesses, IBM estimates.4 And worldwide, the growth in the amount of cross-border data transfers (see Figure 1) is creating additional vulnerabilities, with individuals, companies and governments having little knowledge of what data they own and where they are stored, much less attempting to secure that data.
Figure 1: Cross-border data flows
Breaches involving user data remain the most common. Though they mostly impact the individuals targeted, data theft can also leave companies exposed to regulatory and legal liabilities, loss of revenues and severe operational disruptions. In some cases, lives are at risk. Other types of crimes conducted online such as malware and ransomware, while less prevalent, come at a greater cost. According to IBM, they average about $239 million for each incident – more than 60 times the typical cost of a data breach.
Under the EU’s General Data Protection Regulation (GDPR), companies can now be fined up to four per cent of annual revenues. Due to a data breach affecting nine million customers at EasyJet in May, the company may be liable for a maximum fine of about £255 million.5 Separately, a class action civil lawsuit has been filed in the High Court of London, seeking maximum damages of £18 billion, or £2,000 per customer.6
The intelligent adversary
Four years ago, Klaus Schwab, founder and executive chairman of the World Economic Forum (WEF), coined the phrase ‘The Fourth Industrial Revolution’ to refer to the coming era, “characterised by a fusion of technologies that is blurring the lines between the physical, digital, and biological spheres”.7 As the world economy edges closer to that reality, WEF has labelled large-scale cyberattacks among the top ten biggest risks over the next decade.8
Cyber resilience – the ability to anticipate, adapt and withstand shocks from online incidents – is therefore becoming a key supporting pillar of corporate sustainability, says Richard Butters, ESG analyst and financial sector specialist at Aviva Investors.
The concept of a ‘fat tail’ describes a distribution of returns that exhibit a tail that decays to zero much slower than the Gaussian distribution
Risks are characterised by a distribution, and the concept of a ‘fat tail’ describes a distribution of returns that exhibit a tail that decays to zero much slower than the Gaussian distribution, says Didier Sornette, professor of entrepreneurial risks in the department of management, technology and economics at the Swiss Federal Institute of Technology in Zurich. Cyber risks have the broadest, wildest swings in the fat tail.
“Imagine, for example, Facebook being hacked: suddenly you have two billion ID thefts, with enormous consequences,” he adds.
This may sound far-fetched, given big tech’s sizeable budgets to shore up cyber defences. The five biggest tech companies – Facebook, Apple, Amazon, Microsoft and Alphabet, Google’s parent company – hold the most data security patents between them (see Figure 2). Nevertheless, Facebook’s security wall has been breached before, most notably in 2018 when at least 90 million user accounts were compromised, just as the company was recovering from the Cambridge Analytica data scandal. Inadequate controls around third-party access of user data had been a major issue behind the controversy.
CEO Mark Zuckerberg said at the time: “Security, it’s an arms race. We’re continuing to improve our defences, and I think this also underscores that there are just constant attacks from people who are trying to take over accounts or steal information from people in our community.”9
Figure 2: Big Tech’s data security patent application activities
The nature of cybersecurity risk presents particular challenges, requiring a different approach when managing it, argues Sam Savage, author of The Flaw of Averages and executive director of ProbabilityManagement.org, a non-profit organisation focused on modelling uncertainty. “You can’t treat cybersecurity threats like you would, say, a nuclear meltdown in a power generation plant,” Savage adds. “The nuclear reactor is not out to get you. If the core melts down, it’s something wrong with the physics. In cybersecurity, we have an intelligent adversary.”
Unguarded: Castle and moat
This interplay between offense and defence in cybersecurity is intensifying. The exponential increase in data and data connectivity is combined with the growth of complex data-sharing systems. “Within the next 30 years, we will live on a fully digital Earth,” says Warren Black, founder and principal of Complexus, an industry research collaboration and advisory initiative founded in 2016 to address risk management in highly complex systems. “The whole world is going to be a series of interconnected, complex-intelligent systems – collecting data, storing data, analysing data, sharing data and adapting to the data. That’s the way the world is moving.”
It currently takes 206 days on average for companies to even detect a data breach and another 73 days to contain it
It currently takes 206 days on average for companies to even detect a data breach and another 73 days to contain it, according to a 2019 IBM analysis. Combine that with new technology such as 5G that can increase download speeds of up to 100 times faster than 4G, and it is likely to be even harder for companies to detect malware, ransomware and other malicious algorithms in time. The digital paradox is that the same advances that enable higher efficiency for individuals, companies and governments also help criminals to wreak more damage and at a much quicker pace.
The velocity of digital advances, therefore, requires ever more sophisticated risk management tools and analysis. Take IoT. In one the most novel cases to date, hackers based in Finland targeted a casino in North America and downloaded valuable data through the company’s high-tech fish tank, according to a report by Darktrace, a cybersecurity company that helped detect and remediate the cyberattack.10
To be clear, the casino had taken extra precautions to isolate data transfers related to the fish tank from the rest of its commercial network by configuring an individual virtual private network (VPN). Nevertheless, hackers found a loophole to access the tank’s smart thermometer, from which they downloaded about 10Gb of data to the cloud pertaining to the accounts of the casino’s high rollers.
“By targeting an unconventional device that had recently been introduced into the network, the attack managed to evade the casino’s traditional security tools,” according to the report.
The number of IoT-connected devices are estimated at about 38 billion,11 or nearly five devices for each of the (roughly) eight billion people on earth. Securing IoT devices requires a different approach than conventional ‘castle-and-moat’ or ‘perimeter security’ methods, which rely on firewalls, proxy servers and other preventative tools to secure the entry and exit points of the network. The traditional approaches assume all entries and exits are guarded, and everything inside the wall is safe – a strategy that is proving increasingly outdated.
Breaches originating internally are also increasing, says Piffaut, who specialises in the technology, media and telecom (TMT) sector. In the US, which experiences more data breaches than any other nation, internal threats were responsible for more than a third of around 40,000 incidents investigated in 2019.12 The trend could worsen if the COVID-19 crisis spurs more permanent disruptions such as remote working, job changes and cost cutting, which could increase the number of internal threats, she says.
More often, internal sources of cyber risks occur as a result of inadvertent security lapses that leave companies more susceptible to external threats, adds Piffaut. In its 2019 Global Data Risk Report, Varonis Data Lab found that the typical employee had access to an average of about 1.2 million folders.13 When Varonis analysed the average terabyte of data, it found thousands of sensitive files are not protected (see Figure 3.) To ensure full oversight, data access mapping and labelling are required.
Figure 3: Average state of data per terabyte
Nation states take aim
Increasingly, legacy IT networks are no match for the sophisticated tactics deployed by countries, which can use machine learning algorithms to autonomously improve the ability to find system weaknesses.
A major concern is greater digital integration in critical infrastructure
A major concern is greater digital integration in critical infrastructure, such as nuclear plants, which could be hacked and “pushed towards criticality”, says Sornette. “These are big concerns. Stronger and stronger interconnection and ‘fragilisation’, through optimising and just-in-time production, has made the system more efficient in the short term but left it more vulnerable to unforeseen shocks.”
One of the first incidents in which an entire power grid was hacked left more than 200,000 residents across Ukraine powerless when a cyberattack shut down 30 substations and disabled backup power supplies on December 23, 2015.14 According to a US government report about the incident, the cyberattack was “synchronised and coordinated, probably following extensive reconnaissance of the victim networks”. The attacks were implemented with malicious human intent, with the perpetrators likely overwriting existing software at the operating system level or via VPN connections.
Governments have been worried about such attacks to their grid systems for years, and the Ukraine cyberattack brought those fears to life. This led many other countries, including the US, to take extra precautions. Last year, US Congress passed legislation to improve cybersecurity of the country’s energy grid by, surprisingly, replacing automated systems with “low-tech redundancies, like manual procedures controlled by human operators”. The rationale was that it would make cyberattacks more difficult and deter criminals who would have to physically touch the equipment if they wanted to hack it and, therefore, put themselves at risk.15
As our world grows more and more connected, we have before us both new opportunities and new threats
“As our world grows more and more connected, we have before us both new opportunities and new threats,” US Senator Angus King, an independent from Maine, said on announcing the Securing Energy Infrastructure Act.16 “Our connectivity is a strength that, if left unprotected, can be exploited as a weakness. This bill takes vital steps to improve our defences, so the energy grid that powers our lives is not open to devastating attacks launched from across the globe.”
Taking aim at finance
Cybercrime is escalating in nearly all sectors, not just energy. Some industries, though, have been more heavily targeted. Financial services and insurance topped the list of sectors most widely attacked by volume for the fourth year in a row, accounting for 17 per cent of the total among the top ten sectors, according to IBM (see Figure 4). However, the sector also appears to be more prepared. Evidence suggests companies are likely to have “more effective tools and processes in place to detect and contain threats before they turn into major incidents”, says IBM.17 Financial companies are also more likely to test and revise their response plans to improve cyber defences.
Figure 4: Top ten targeted industries by attack volume
One of the industry’s most controversial cyber incidents happened in 2017, when credit reporting agency Equifax suffered a data breach affecting 146 million user accounts. “Here, data is an integral part of the company’s credibility,” says Giles Parkinson, global equity portfolio manager at Aviva Investors. “If Equifax is in the business of data and yet it can’t even keep its own records safe, what does that mean? Customers initially recoiled.”
Hackers found weaknesses within a customer dispute portal, which allowed access to a variety of other servers storing customer data. This was made possible partly because data was stored in plain text rather than encrypted. To make matters worse, the company had inadvertently failed to renew an encryption certificate, which again made it easier for the breach to occur.18
“Breaches have become very common,” Piffaut says. “It is less about whether you’re a victim of a cyberattack and more about how you’ve reacted to it that counts.”
It has taken time for Equifax to recover. The company brought in new management and spent $1.4 billion to remediate and improve its cybersecurity platform. In 2020, it finally reached a court settlement to pay up to $125 per consumer claim for a total of $1.38 billion.19 Piffaut says there has been a noticeable change in corporate culture, while the board level restructuring has improved the quality of oversight.
“Interestingly, this incident and resulting changes in its IT platform are helping Equifax in the long run – by moving its business to a ‘best in class’, leading-edge cloud platform and completely revamping its service offerings,” Zverev adds. “Equifax not only repaired the trust with its customers, but leapfrogged the competition in terms of its cybersecurity infrastructure.”
The high volume of sensitive data often stored on legacy IT platforms leaves large parts of the financial sector exposed
The high volume of sensitive data often stored on legacy IT platforms leaves large parts of the financial sector exposed. According to Butters, COVID-19 has only amplified these cyber vulnerabilities. The speed at which ecommerce, contactless payments and digital wallets proliferated almost overnight thanks to social distancing measures meant that many businesses simply were not prepared.
He points to India as an example. Many major financial institutions’ customer and IT operations are located there: when the government rolled out its lockdown with little notice, staff members had to quickly adapt to working from home with remote access to IT infrastructures that may not be sufficiently secured. Worldwide, an estimated 300 million office workers may be working from home during the pandemic, including up to 90 per cent of banking and insurance workers, according to the Financial Stability Institute. Hackers are taking advantage of this disruption. Since March, there has been a 38 per cent increase in cyberattacks against financial institutions.20
Non-discretionary consumer businesses are also likely to come under pressure, particularly those most disrupted by COVID-19 such as retail, travel and leisure. Even before the pandemic, some of the most notable cyber breaches by volume had occurred at airlines such as British Airways and hotel chains, including Marriott.
“A lot of employees have been furloughed during the pandemic, so there won’t be enough people able to maintain IT operations and security systems, at least not to the same extent,” Butters says. “It also comes down to the types of data that can fetch a higher price tag. It tends to be customer data, personal details and financial transactions. Both consumer discretionary and banking sectors have that in droves.”
The network effect
What happens in a company, though, doesn’t necessarily stay in the company. Networks are becoming borderless, and the blurring of professional and personal lives only exacerbates matters. According to Piffaut, Google and Apple’s concerted efforts to ramp up tracing functions to help fight the spread of the virus, for example, may link sensitive personal details of individuals to other networks belonging to governments, healthcare companies, insurers and TMT service providers. “If you have a virus in the system, it can propagate very quickly and have a devastating impact because you have multiple counterparties involved in that process,” adds Butters.
More organisations are migrating to the cloud, which may concentrate cybersecurity risk
Meanwhile, more organisations are migrating to the cloud, which may concentrate cybersecurity risk, says Zverev. Cloud providers such as Amazon, Google and Microsoft have large budgets and the talent to efficiently scale their cybersecurity platforms. “As more migrate to the cloud, it becomes more accepted to host your enterprise IT there. Security has been a reason to do it rather than a reason not to do it.”
“Where would you rather your money be kept, under your mattress or in the vaults of a well-respected bank? It’s a bit like that,” Zverev says. “Who would you rather look after your data? An IT team in the basement of one of your buildings, or a company that has been doing it best for the last 20 years? I think the decision is easy in a way, but the risk of one incident potentially causing problems for many organisations is high.”
The key to addressing the interconnectedness of cybersecurity threats is correctly modelling the nature of the risk. Companies need to invoke game theory and model not one system, but layers upon layers of systems that can attack each other, according to Savage. “We need to optimise the system, then optimise how we would attack that system. Then we’re going to optimise how we counter that attack,” he says. “So that’s very different from modelling other types of risk. You certainly shouldn’t throw up your hands with cybersecurity, but you need to always be learning and improving your system.”
If Mark Zuckerberg is right and cybersecurity is an arms race, gamers may have an advantage when modelling the risks, according to Savage. “The best [risk] modellers are gamers, because they’ve learned the game by playing the game,” he says. “Games have opponents in them, and the way you beat an opponent is by staying with that opponent and continuously improving your own game.”
Machine learning and artificial intelligence are important components in advancing cybersecurity infrastructure
Savage also believes machine learning and artificial intelligence are important components in advancing cybersecurity infrastructure. For example, they can be used to learn what’s ‘normal’ for a company’s security system in order to detect unusual changes in online traffic, user behaviour and other inconsistencies that could help signal potential cyberattacks.
Norman Marks, a global expert on internal auditing and risk management who wrote Making Business Sense of Technology Risk, says: “Ultimately, you need good managers who are able to anticipate what might happen and make informed and intelligent decisions. What usually happens – and you’ve got this in other areas of a company by the way – is a siloed approach to managing cyber risk. You might have a risk committee, an IT department, a strategy team, and a board all having separate discussions.”
To strengthen their cyber defences, organisations need a more integrated approach, with a broader view on how cyber risk might affect the overall success of the business, not just its parts.
“Effective managers simply lead to better risk management,” adds Marks. “They are better at thinking about all the things that might happen, weighing them, going through and analysing different scenarios and different options, and making a decision. That’s risk management.”
Pricing in cyber risk
Like effective managers, however, cybersecurity risk may not always be reflected in share prices. For investors, this presents a dilemma. “While breaches can be costly and cause reputational damage as well as regulatory scrutiny and operational disruption, it’s not clear how this should translate into valuations, especially over the long term,” Parkinson says.
Facebook’s share price initially fell by as much as 20 per cent following the Cambridge Analytica scandal and data breach, but subsequently climbed to new highs. Both Equifax and Sony’s share prices, while suffering initial wobbles, also recovered.
The sensitivity of cyber risk to stock performance varies widely
Zverev sees cybersecurity resilience as a narrative rather than a specific indicator such as the price-to-earnings ratio or carbon footprint. Additionally, the sensitivity of cyber risk to stock performance varies widely, depending on factors such as the nature of the business. Cyberattacks in healthcare, for example, may be more costly and therefore have a bigger impact on share prices.
“It’s a bit like quality of management,” says Zverev. “How do you measure it? My answer to that, and it will be different for different investors, is to look at management’s ability to execute their plans, meet their guidance, allocate capital, deliver good returns, and act in the interests of shareholders and other key stakeholders at difficult points in the company’s history. Cyber resilience is part of that holistic analysis.”
The market’s perception of risk – including cyber risk – is in constant flux, sometimes with devastating speed.
How many professions would come to a complete standstill if the Internet went down?
“Today we have COVID-19, but tomorrow it could be a global supply chain disruption; a year or two years from now, somebody could hack the Internet,” says Black. “How many professions would come to a complete standstill if the Internet went down? And it is not implausible somebody could hack the Internet given how sophisticated our technology is becoming.”
Despite having plenty of warning, many governments, companies and investors didn’t see COVID-19 coming – or respond quickly enough when the true scale of the threat was becoming clear. Cyber risk may provide similar lessons in the years to come. Investors should take note.