Your investments aren’t immune to cyber risks - everything you need to know to minimise your exposure and stay ahead of future threats
The old saying “fortune favours the brave” is undoubtedly ringing true…unless it’s your investment capital we’re talking about, and the chance you are (or you think you are) willing to take relates to cyber risk.
If there was one issue that any business across the globe should be concerned about in 2022, it would be the threat of cyber-attacks. In retrospect, it’s clear that high-profile data breaches, costly ransomware incidents, long-reaching supply chain attacks and other cybercrime-related stories have rarely been out of the news in the last two years. But the actual threat is far more widespread and much closer to your existing or potential investments than you may think.
With nearly all organisations operating online, or using software to complement their service (even chip shops take cards now!), getting a handle on risk has become a huge priority as businesses are now vulnerable to more digital perils than before. Even companies that have operated in the digital space for a few years aren’t immune to risk, as the threat landscape is rapidly growing and changing by the minute.
The impact of a cyber attack on your investment can be huge, especially when looked at in monetary terms. Projected to reach $6 trillion in 2021 alone, global cybercrime costs are expected to increase by 15% annually over the next four years, hitting a staggering $10.5 trillion by 2025.
With this in mind, it’s no wonder that taking control of these risks has quickly become a huge factor for the investment sector. It’s fair to say that cyber risk might not always be at the top of the agenda for investment management firms. With the accelerated growth in cyber-attacks across the last 24 months, thanks to a growing dependence on technology intensified by COVID-19, cyber health urgently needs to be addressed within your portfolio, and maintained across any of the investment lifecycle stages, before it can jeopardise its future growth and your wallet.
“Where do I start?”, we hear you ask! Here at KYND, we understand the looming threats and associated challenges facing the sector, and are excited to help you and your investment businesses navigate the complex cyber world with confidence.
So, what has changed in the world of cyber risk?
It would be miraculous if we could be aware of what cyber criminals were going to do next, but we’re never going to know exactly what they’re planning. As hackers and rogues across the world think of new ways to destabilise and rob companies of their hard-earned profits, reputations and customers, their methods change with them. As a result, cyber threats are always evolving.
Take ransomware for example: before 2016, it was relatively low-down on the list of threats, with organised gangs seemingly only targeting large multinational companies. That all changed, thanks to landmark attacks like WannaCry in 2017. Criminals cottoned on to a new, profitable style of attack. Now it contributes to millions of pounds worth of damage and lost revenue. At the same time, some types of cyber attack appear to be on the decline – Howden have recently reported a staggering 70% drop in the occurrence of data breaches (a classic cyber threat).
What does this mean though? Do criminals have a short attention span? Probably not; in fact it’s more to do with the way in which businesses are now becoming more proactive in how they handle threats and vulnerabilities. Data breaches are on the decline because it’s more difficult for the attacks to take place – this has everything to do with risk management. The same can be said for other attacks, such as zero-day vulnerabilities. Once a vulnerability has been publicly announced, there will be a rush of activity from both criminals and organisations alike, as the latter make sure they’re protected, and the former try their hardest to attack any viable targets who haven’t had the chance to get prepared. The days and weeks after this rush are marked by a steady drop in the recorded number of attacks related to the vulnerability.
Aside from the continually evolving style and rate of attacks, cyber risk has changed drastically when it comes to how expensive an unmanaged threat can become. It is incredibly difficult, if not impossible, to estimate how much an attack will really cost when you consider not only the lost revenue through businesses going offline, but also (again, taking ransomware as an example) the extra sting that comes in the cost of a ransom demand. There are few governments or insurers (if the victim business is lucky enough to have cyber insurance) who will willingly reimburse a paid ransom. If you factor in elements like reputational damage, business interruption, recovery costs, and even legal fees for having to fight to protect breached or stolen intellectual property, you have the recipe for a very expensive day in the office.
Why should investment managers care?
Keeping all this in mind, one thing is abundantly clear: unchecked risk is something that businesses can’t afford to take a chance on. And neither can you, when it comes to your own investment portfolio’s cyber exposure. The financial implications for your return on investment resulting from those vulnerabilities can be extremely damaging, if not addressed quickly. But what exactly are these implications we’re talking about? Let’s have a closer look at the risks facing investment managers, and possible scenarios of what happens next if cyber threats sneak into your portfolio, remaining undetected, and possibly turning into a full-scale attack.
Caution: the following information may upset cyber-sensitive readers; thankfully, we’ll provide some uber-useful tips on how to best shield your investments from these implications at the end of this article.
We know we’ve said it numerous times before, but it’s worth stressing once again: cyber is now a mission-critical business risk, not just a technology issue. Service disruption, lost opportunities, financial loss, and cost of the professional services following a security breach – these are all examples of the negative impact a single successful attack can have on a business within your portfolio, and they link straight to a business’ competitive advantage, future revenue and exit value. Attacked firms experience a higher probability of bankruptcy, an increase in cash flow volatility, and a decrease in shareholder net worth. In fact, according to a study conducted by (ISC)², 52% of organisations interviewed indicated that the share value of publicly-traded clients was negatively affected as a result of an acquired company’s post-acquisition data breach.
It’s also worth mentioning that in the event of a cyber attack, there might be the need to re-route the funds allocated to a business’ value-creation plans, to support remediation efforts, or the collapse of proposed investments.
Undoubtedly, cybersecurity incidents can be extremely damaging and costly to recover from, but there is more to it. In case of data leakage, the incident can trigger broad negative publicity resulting in severe reputational damage, harming both clients’ and investors’ trust in the breached company and its services. The inability to halt negative media coverage, and the lack of an immediate, effective response, can all result in an even longer-lasting impact on the breached investee that may not only require vast sums and many years to rectify, but it can even taint its investors.
As if the above-mentioned aspects weren’t enough, the breached investee company may also be liable for costs incurred by its clients and other third parties, as a result of a cyber attack or other cybersecurity-related incidents (e.g. damaged equipment, destruction of data, financial fraud).
Data protection is another major concern as a breach could expose personally identifiable information (e.g. its clients’ or employees’ contact details, financial records, health records, etc) in a way that conflicts with the European Union’s General Data Protection Regulation (GDPR). For the breached firm, failing to meet compliance requirements could result in substantial penalties of up to €20 million, or 4% of the company’s annual turnover – whichever is higher. In addition, large-scale data breaches have led to class action lawsuits filed on behalf of customers whose data and privacy were compromised. Altogether, this can be the most harmful impact of a successful cyber incident for investors if it appears that the company was inadequately prepared for both cyber incident prevention and post-breach response plans.
To put it in perspective, cyber risk should be a primary concern for investment managers as it can either cost or generate money depending on your, and your investees’, approach to it. In the end, this threat won’t simply go away. It will only continue to evolve in its scope and complexity, and its implications pose a real threat to your capital. With all the possible ramifications in consideration, this excessive risk can quickly turn an appealing opportunity into an “uninvestable” one for investment specialists. For businesses seeking investors, in turn, a failure to understand and reduce their cyber exposure means the loss of their attractive lustre.
You’ve grasped the problem, you’ve understood the risks, but you’re still not convinced that your carefully curated, growing portfolio is at risk. Well, if you’re thinking that your investments are safe from attacks because they’re a small or growing new business, you’d be wrong! This kind of thought process has arguably led to the rise in attacks against SMBs (Small to Medium Businesses) and it’s reported that 61% of them suffered a cyber attack in 2021. Hackers don’t care how big or small a target is, or what sector it operates in: at the end of the day, a target is a target. They’ll look for vulnerabilities wherever they can find them, preferring the path of least resistance. This is often presented to them by SMB organisations that typically lack the resources and security infrastructure of larger businesses, but have information that hackers are after.
That being said, there is an exception to the rule (isn’t there always?). Although the majority of cyber-attacks are financially motivated, there are criminals who act as agents of rogue states or splinter groups related to powerful non-state actors and organisations. Cybercrime can be used as an act of rebellion to destabilise powerful companies, or sometimes even nations, with the aim of weakening them or persuading them to back down from a particular cause. In 2022, we’ve seen increased evidence of pro-Russian/anti-Ukraine cyber-attacks that have gained a lot of attention from the media due to their motivation and target, but have arguably netted the criminals little in the way of profits. Sometimes a criminal’s aim is to grab headlines and promote a cause.
Supply chains & partners are a risk to business
Businesses that have worked hard to protect themselves against threats aren’t always as safe as they might think. Reliance on a supply chain or partner is increasingly normal as businesses grow in the global economy, and the services they provide can speed up transactions, offer better customer support and even more new lines of revenue. But what happens if these businesses don’t have the same commitment to cyber health as your own? Supply chain members and partner organisations are quickly becoming a risk in their own right. For investment managers, this means that every time an asset announces a merger or a change to their supply chain, they could be inviting new unforeseen risks into the company.
The danger from within – insider threats
Not to be forgotten is the fact that most businesses fail to acknowledge – the security threats that come from the inside. Often the result of a lack of cyber security awareness training for employees or partners, training that could prevent attacks from happening in the first place, these are the types of threats that could potentially cost your investments dearly. Lack of adequate training leaves employees in the dark about possible digital perils, making them easy prey for a vast variety of security threats, from lax password security practices right up to phishing attacks – all of which can easily put the entire organisation at risk of losing its most valuable assets. Depending on the scale of the damage, this type of incident can be a death warrant for an early-stage or early-growth business in your portfolio.
Integrating cyber risk management into the investment process
As the scale and frequency of cyber-attacks continue to grow, investors are increasingly looking for new ways to mitigate potential reputational and financial risks arising from their investments’ susceptibility to cyber threats. With the threat landscape changing so quickly and unpredictably, it’s vital for investment management firms nowadays to know that the businesses within their portfolio have a firm handle on both present and possible threats. Investors themselves are a profit-driven business like any other, and it doesn’t make good sense for them to spend money on an organisation that's high risk and has, therefore, a good chance of failure. The only question is, how can investment management firms achieve greater visibility into cyber risk in this ever-changing environment to make more informed investment decisions?
The answer to this question is, by implementing proactive cyber risk management into your investment process! For investment managers, cyber risk management means effectively identifying, evaluating and addressing your investments’ vulnerabilities, ensuring your valuable assets are well-armed against potential threats. By simply integrating this practice into your due diligence activities, it can help inform your investment decision-making and decrease perceived risks before an investment.
But, due to the complex nature of risk and lack of expertise, often investment firms do not have the capacity to handle cyber risk management in house. Fortunately, this matter can be easily resolved as investment managers can now leverage the technology, knowledge and experience of existing cyber risk management experts. Comprehensive insights into your investments’ risk profile offered by third-party providers can help you understand the level of risk you're taking on, and estimate the cost and timeline for remediation in the early stage of the investment process.
However, we do always recommend that assets and their managers look to keep ahead of digital threats to ensure they stay protected from potential cyber incidents that can have a significant impact on business value. This means staying proactive and not treating cyber risk as something that’s only considered as part of the due diligence process on potential investee companies. A good investment manager will ensure a good cyber posture is maintained throughout the full lifecycle of an investment; keeping your finger on the pulse of your portfolio’s cyber health means you’ll always stay on top of new vulnerabilities that could harm your investments. In addition, it will enable you to mitigate financial, reputational and legal risks in the event of an attack, as an attack typically triggers scrutiny of what steps had been taken before the funding.
Given what we’ve discussed about the substantial implications a successful attack can entail, a proactive cyber risk management approach must also be a primary consideration for both investors and investees during the course of a deal.
How can continuous risk management make a difference for the investment sector?
Imagine the scenario: you’ve taken the time to understand what threats face your assets, and helped them shore up their defences to protect against the worst. Then, out of nowhere, they’re hit by a completely new kind of attack that you had no knowledge of and no time to prepare for. Although this might be a scary thought, it’s a reality that a lot of businesses face. The ever-evolving cyber threat landscape has caught many organisations off guard and future attacks can be difficult to predict. Businesses that don’t look to future-proof their cyber risk strategy may find that they’re vulnerable in ways they hadn’t even imagined!
This is exactly what happened in 2021, when the “PwnedPiper” vulnerabilities exposed previously unknown flaws in control panel software. These allowed attackers to impact pneumatic tube systems in hospitals that transported samples, blood and even medications – greatly restricting activities and presenting a danger to patients.
How can you future-proof your assets against new and emerging threats? Even as investments grow you need to be prepared, and as the threat landscape evolves, there’s no telling what risk will look like in the next six months, let alone the next few years. Continuous risk management provides a quick and simple solution. Our own round-the-clock monitoring and alerting technology turns managing these threats into part of the everyday life of a company, without the hassle of intrusive scans and traditional techy, jargon-heavy risk reports.
Thanks to ongoing assessment and analysis, whenever a new or possible vulnerability is spotted, an organisation will instantly get an alert, coupled with helpful advice on how to tackle the would-be threat. This gives organisations the time they need to react before the worst happens and helps ensure that the risk doesn't transform into an attack.
What can organisations do about risk and how can KYND help?
So, what’s the solution? How can investment managers ensure that their assets are protected? Does a business spend half the annual budget on the latest and greatest cyber security software? Or, do they stop and think about where they’re at risk the most? This could be easier than you first thought, and understanding where risk lies is the first step in the journey to managing and reducing threats to businesses. KYND’s powerful suite of cyber risk management tools and services has been developed to give you a “hackers-eye” view of any investment and helps you see quickly where vulnerabilities lie. Plus, thanks to risk prioritisation, businesses will know exactly what threats to address first.
From there, we offer clear and simple advice on risk remediation and fixes to help assets get a handle on risk. Of course, protecting your business remains priority number one, but imagine a quicker and easier way to do it, with no intrusive scans or special access. All KYND needs is a website domain name to get started! Find out more about how KYND can help manage cyber risk in every asset.