The EU's GDPR rules, which come into force in May 2018, will bring more punitive fines for data breaches


The WannaCry cyber attack that infected many hundreds of thousands of computers across 150 countries in May is a wake-up call for businesses and governments about the need for robust online defence.

The attack, which affected Britain’s National Health Service and global companies including FedEx, Renault and Telefónica, is also a warning to investors: shareholders risk heavy losses if companies suffer a cyber breach that leads to a consumer backlash and fines from regulators.

Dave King, chief executive of Digitalis, which advises businesses on how to protect digital reputations, says news stories about the WannaCry worm are raising awareness. He points out, however: “The corporate board table is slowly getting to grips with some of these issues but the investment community is moving more slowly. Not many investors are on top of this.” 

Ryan Rubin, managing director at advisory firm Protiviti, agrees. He says: “Good cyber security practices are not yet on the radar for investors as criteria for measuring corporate health.” 

Experts say WannaCry infected computers by exploiting vulnerabilities in operating systems but, according to Mr King, hackers can more easily target a company via “social engineering”. This involves the hackers building a profile of an executive from press reports or social media, then tailoring an email to that executive which appears to come from a friend or colleague but carries malware.

Mr King believes companies are increasingly aware of such risks but this is not the case with shareholders. 

“Companies are starting to realise there are human as well as technological vulnerabilities,” he says. “For investors, the moral of the story is around the questions they should be asking: how are companies mitigating technological and human vulnerabilities? Is there information out there that could be used to trigger a cyber attack?” 

Colin McLean, managing director of UK fund house SVM Asset Management, says investors should focus on this over the next 12 months because EU rules being introduced in May 2018 — the General Data Protection Regulation — could affect the share prices of companies that have weak cyber defences.

At present, the most a UK company can be fined for breaching the Data Protection Act is £500,000. Under the new EU rules, fines could reach €20m or 4 per cent of a company’s global annual turnover.

Mr McLean says: “Some more recent entrants into online technology [such as retailers] have not got the deeper levels of security that some of the traditional banks have. We have flagged that as a risk. The European legislation should force companies into action. Companies with customer data, particularly any covering children, will be affected.”

Mr King adds: “There are a huge number of unreported attacks. If that continues, a huge number of fines will be given. We know of hedge funds that have suffered attacks related to corporate espionage, shipping companies hacked for bidding information, a major oil organisation that made bids for projects which were known in advance by an Asian competitor. 

“None of those attacks was reported but they were crimes with dramatic consequences for private organisations. Organisations in highly regulated areas will be obliged to disclose [such attacks in future]. The [proposed] fines are hugely punitive.” 

Not all investors have been slow to consider the risks. Last year Muddy Waters, a small California-based hedge fund company, hit the headlines with a damning report about a manufacturer of cardiac pacemakers. Muddy Waters accused Minnesota company St Jude Medical of being vulnerable to a cyber attack that could crash its cardiac pacemakers. St Jude vigorously rejected the accusations as an “insidious attempt” to force down its share price. It began legal action, alleging that the hedge fund had been “intentionally disseminating false information”. Muddy Waters has said it has a right to criticise the company.

Mr King says the Muddy Waters incident is helpful because it encourages all investors to think about cyber vulnerabilities in their portfolios, and not just in financial and technology stocks. “Every company out there today is at threat of cyber attack and has probably had a breach,” he says. 

Other investors, meanwhile, want to know more about cyber threats but say they are limited as to what they can assess. 

Mr McLean says: “Having asked companies about these risks for our investments, we pretty much have to accept what they say — it is hard to tell what is going on behind the scenes. All investors can do is look at process and whether they get independent reports [carried out by external cyber risk consultancies].” 

Hervé Samour Cachian, European equities portfolio manager at Natixis Asset Management, the French fund house, agrees: “From the perspective of an outsider it is difficult to assess these risks accurately.” 

To try to increase the information available to investors, the UN-backed Principles of Responsible Investment group, which represents 1,380 investors managing $62tn of assets, last year created a committee to assess cyber security risks in retail, financial services and healthcare. The investors intend to seek information from 50 listed companies on their plans in the event of a data breach.

Fiona Reynolds, PRI managing director, says asset managers are increasingly aware of the risks “due to the reputational and brand damage that security breaches can create — not to mention the financial risks around loss of intellectual property”. 

She adds: “With cyber crime on the rise, corporate boards need to implement cyber security strategies that cover all aspects of their business. Investors want to know that boards have a clear understanding of any impact to the company from data loss or disruption.”

1. On May 12 2017, mobile operator Telefónica was among the first large organisations to report infection by WannaCry

2. By late morning, hospitals and clinics across the UK began reporting problems to the national cyber incident response centre

3. In Europe, French carmaker Renault was hit; in Germany, railway company Deutsche Bahn became another high-profile victim

4. In Russia, the ministry of the interior, mobile phone provider MegaFon, and Sberbank became infected

5. Although WannaCry’s spread had been checked, the US was not entirely spared, with FedEx being the highest-profile victim


Copyright The Financial Times Limited 2017. All rights reserved.