03 June 2024

---

Cybersecurity: Risk for Investors?

Luigi Campopiano

---

In today’s constantly connected world, cybersecurity is an ever-present and still underestimated risk. According to the report “Cyberwarfare in the C-Suite” by Cybersecurity Ventures, cybercrimes in 2021 resulted in a cost of $6 trillion, with approximately 2,244 attacks every day. Projections suggest that by 2025, the annual cost will reach $10.5 trillion, significantly driven by the pandemic, during which the FBI reported a 300% increase in cybercrimes.

This issue is becoming increasingly tangible, impacting the business world both in terms of reputation and direct costs, with investors starting to take notice. More and more investors are demanding that cybersecurity risks be integrated into portfolio management processes. However, the market does not yet seem ready to consider these factors when pricing assets. According to Lombard Odier Investment Managers (LOIM), it’s time for a change to protect both data and investors' portfolios.

The effect of cyber-attacks on listed companies cannot be ignored due to their direct impact on returns and, consequently, on stock values. Since achieving 100% protection is impossible, what can be done? LOIM experts, in their report “Cybersecurity in the FinTech Sector,” identified three key areas to focus on:

• It’s important to note that the number of vulnerable points in IT systems is very low (on average, six vulnerabilities per 100,000 services, considering that each company utilizes around 4,000 services). Since it’s impossible to fully protect a company from all threats, it’s crucial that identified vulnerabilities are promptly managed (the costs for total coverage are very high, but protecting sensitive data must be an absolute priority).
• Once a vulnerability is identified, immediate action is essential. Companies that neglect cyber risks for longer periods are the most vulnerable. LOIM’s research shows that “the majority of considered companies commit to optimizing their software within 30 days of identifying the first security issue (green), while the rest take more than 100 days (red),” thus exposing themselves to significant risks.
• Engagement must be the key word. LOIM experts explain that “since initiating direct communication with the companies marked in red, the number of vulnerabilities has decreased.” This is an initial sample analysis, but the results appear very promising.

Suffering a hacker attack incurs costs that are expected to rise with the transition to the “SAAS” (software as a service) model. Therefore, it is crucial for asset managers to incorporate information about a company’s cybersecurity into the investment process: this will not prevent potential hacker attacks, but it will allow investors to distinguish between companies prepared to face a possible attack and those that are more fragile and exposed.