Recent high-profile data breaches in offshore jurisdictions have highlighted the need for companies to take cyber security seriously.
In its first annual report (October 2017), the U.K.’s GCHQ National Cyber Security Centre revealed that more than 1,000 incidents had taken place since its inception — over half of which were classed as ‘significant.’ Some of the more high-profile breaches have included the ransomware attacks that affected the NHS, and of course the recently disclosed Uber hack.
Furthermore, the ongoing speculation around possible Russian intervention in the U.S. elections and Brexit referendum has highlighted that almost anyone, from large corporations and public sector bodies to private individuals, can be a target.
Clearly the extent of the cyber security threat has not been restricted to the United Kingdom and the U.S. Recent high-profile data breaches, including the Panama and ‘Paradise’ papers, have also embroiled a number of companies, offshore jurisdictions and prominent individuals.
In the Cayman Islands, the Information & Communications Technology Authority has warned businesses about the danger of cyber attacks, including phishing emails which purport to be from the regulator itself.
These emails claim to inform the recipient about security and ask them to click on a link — which is in fact merely a tool to allow the attacks to steal user details, and typically money or sensitive data.
The threat to businesses in the Caribbean region is an extension of the global battle against cybercrime. In May 2017, an attack by the WannaCry malware impacted businesses in the Cayman Islands and 150 other jurisdictions worldwide.
The malware encrypts files on infected computers and demands money from users to unlock their files. Such attacks are often spread by malicious attachments or links sent to unsuspecting victims, with attackers adopting a range of disguises: from authority figures promising financial gain to legitimate human resources staff inside a business.
Unfortunately the inherent dynamic is that there is more to be gained financially from cynical data theft than in relying on the very few methods of tracing (let alone catching) cyber criminals.
It therefore seems only logical that companies will need to keep cyber security at the top of mind — not least for those firms that harbor a large amount of highly confidential information about individuals who value that privacy more than most.
Complicating matters, in some jurisdictions paying a ransom to retrieve data encrypted by cyber attackers can be illegal as it can be viewed as complicity in the crime.
Cyber risks can no longer be considered peripheral irritations for an IT department to sort out. A business’s approach to cyber risk may have a critical impact on the value and going concern of the firm. In particular, cyber security is acutely important to those businesses who manage individuals’ privacy, such as the fiduciary sector.
A risk to corporate valuations?
The risk posed by cyber security to M&A deals is increasingly visible in public markets: $400 million was knocked off the value of Yahoo in the course of its summer 2017 acquisition by Verizon due to two historical data breaches which left an estimated 500 million user accounts compromised.
More recently, a 2016 breach at Uber has hit the press with an as yet unknown effect on the company’s listing aspirations or valuation. However, Japan’s Softbank has reportedly offered to buy Uber shares from existing shareholders at a 30 percent discount to the ride-hailing group’s previous fundraising (although this may perhaps be an unrelated coincidence).
Recent data breaches at other notable public companies have included consumer goods company Reckitt Benckiser, U.S. consumer credit reporting agency Equifax and Morrisons, the U.K. supermarket chain. In the latter case, 100,000 staff payroll details were stolen, including addresses, names, bank details and phone numbers. The incident triggered a 10 percent drop in the company’s share price.
According to a 2016 report by MergerMarket for West Monroe Partners, 23 percent of senior M&A executives at corporates and private equity firms reported that they had walked away from a deal due to data security issues at the target.
Turning adversity into opportunity
The rise of cybercrime, and the concurrent increase in the importance of companies and services that counter it, have created an interesting subsector: publically investable crime fighting technology companies. A number of listed cyber security firms have benefitted from these high profile cyber attacks.
The CIBR First Trust NASDAQ Cybersecurity ETF (see graph) aims to track the large cap cyber security universe and its compelling performance since the end of 2015 to Dec. 7 (+24.5 percent) has reflected the increased importance of the sector. However, one must keep in mind that past performance is not a guide to future performance.
Increasingly, this is an area that is not only an investment opportunity in itself, but also an important part of the investment due diligence, ensuring that companies are taking this cyber protection seriously. It is also a significant tail risk to bear in mind for data-critical businesses where a data breach could be catastrophic. Conversely those data-rich companies who are best equipped with a strong track record of cyber data protection may well turn their attentiveness in this area as a core part of their proposition and business model. See figure 1
Given this background, it should be expected that the potential impact of cyber security breaches will progressively come under the spotlight and that the perceived cyber risk will increasingly be priced into both public and private corporate transactions.
In the dynamic fiduciary world which has experienced a spate of corporate activity over the last few years, the merging of systems and confidential information will need to be managed even more judiciously. Debatably, the background of greater regulatory burden and higher cyber security costs affecting smaller fiduciary companies may well lead to this trend continuing with the best prepared most likely to flourish.
Furthermore, from an investment perspective, the companies selling cyber security services are likely to become an increasingly important part of our clients’ investment universe.