Internet security blog posts are generally more at home on the inside pages of IT trade publications than on the front pages of international newspapers. The one posted by Microsoft Vice President Tom Burt on March 2, about the emergence of “state-sponsored threat actor” Hafnium, was a notable exception.
A new threat had emerged, targeting Microsoft Exchange Server software. It didn’t take long for help desk phones around the world to ring and IT managers’ social media feeds to light up. The hackers had attempted to penetrate much deeper than usual into the systems of their intended victims, in order to hide undetected for an extended period of time. The attack may have compromised up to 20,000 organizations.
Large-scale cyberattacks of this type are becoming more common and quantifiable. Their impact is becoming an increasingly important consideration for investment professionals who need to engage with companies to understand risk and protect their portfolios against adverse scenarios.
To illustrate what is at stake, a new CFA Institute Research Foundation publication on cyberwarfare and cybercrime cited a study that examined the average revenue growth of companies affected by severe cybersecurity breaches and compared those results with those of industry peers not affected by cybercrime. The research looked at some 432 companies and 460 unique events over a six-year period.
The study found that in the two years following a serious security breach, business revenues first declined by about 10% on average and then slowly recovered. After two years, revenues had only returned to the same level as at the time of the security breach. Companies that did not suffer a security breach, on the other hand, saw their turnover increase by nearly 20% over the same period.
What does this mean for investors?
The impact of a major security breach is not only reflected in a company’s earnings, but also in its stock price. Indeed, companies that suffered a serious breach could see stock prices fall by 10% or more over six months and remain depressed for a long time.
With such potentially long-lasting consequences, it’s no surprise that companies are stepping up their data protection efforts.
This task, however, has become much more difficult since the pandemic forced millions of people to work from home. This has increased the vulnerability of corporate data, especially to phishing attacks directed at employees.
These attacks have become so widespread that many analysts are comparing the coronavirus pandemic to an emerging “cyberpandemic” – with home workers acting as Trojan horses.
The CFA Institute Research Foundation publication – Data, the Oil of 21st Century – sets out the risks businesses face from the growing number of cyber threats emanating from both nation states and criminal groups.
Author Joachim Klement warns that investors should assess their potential exposure to such attacks, which are already costing the average bank – with banks being prime targets for cybercrime – some $18.4 million per year (about $12.3 million) based on 2018 data. Model estimates for the global banking system range from $97 billion (about £68.5 billion) to $351 billion (about £247.6 billion) per year of potential losses – easily capable of triggering a financial crisis.
Measures must be taken
The recent attack on Microsoft's Exchange Server software has caught the world’s attention. It was, however, the eighth time in 12 months that the company publicly revealed an attack by so-called nation-state groups targeting critical institutions. Victims ranged from health organizations battling COVID-19 to political campaigns involved in the 2020 US election.
Such attacks have encouraged a major push at the state level to strengthen cyber defenses. For example, in March 2021, the UK government launched a new National Cyber Force – the result of cooperation between the Ministry of Defence and the Government Communications Headquarters (GCHQ) – to disrupt and destroy the communications systems of those who pose a threat to national security.
The financial industry must now commit to protecting itself and its customers from emerging threats that, as the latest attack on Microsoft's software highlights, are becoming increasingly damaging.
Industry leaders may balk at the capital outlay needed to upgrade cyber defenses at a time when cash is urgently needed. But in order to avoid business interruption, loss of information and loss of revenue, investment is essential.
To that end, former US State Department official Richard Clarke may have a prescient view. “If you spend more on coffee than on computer security, you will be hacked. Moreover, you deserve to be hacked.”