Paulino do Rego Barros, interim chief executive officer of Equifax, from left, Richard Smith, former chief executive officer of Equifax and Marissa Mayer, former chief executive officer of Yahoo!, testify during a 2017 Senate hearing on corporate hacking incidents.
If you're an investor reading the headlines, you're probably concerned about all of the cybersecurity incidents and breaches affecting companies these days. Will the companies you are investing in become victims? Will they lose data, resulting in massive regulatory fines? Will a breach affect their industry reputation, causing customers to turn elsewhere? How will a security incident affect market cap?
Is a cybersecurity incident going to jeopardize your investment?
These concerns are appropriate. It's not just a handful of companies that are experiencing repercussions from cybersecurity incidents. The reality is that cybersecurity is hitting the corporate bottom line for companies across the board. According to a recent study conducted by Forrester Consulting on behalf of BitSight, nearly two in five enterprises (38%) admit that they have lost business due to either a real or perceived lack of security performance within their organization. Nearly half of all executives surveyed in that same report admit that their ability to attract new customers was harmed following a security incident.
Unfortunately, companies are doing very little to reassure their investors that they are adequately managing cyber risks and protecting shareholder value. For years, the Securities and Exchange Commission has challenged publicly traded companies to improve disclosure of cyber risks and incidents to investors. In fact, according to the Forrester-BitSight study, investors and shareholders receive the "least accurate" reporting from companies when it comes to cybersecurity.
Investors and companies alike need to fundamentally rethink their approaches to this issue if they want to reduce risk and create greater trust and assurance in the ecosystem.
Investors must demand greater focus and attention on cybersecurity issues from corporate executives and board members. Investors should expect board-level leadership in addressing the risks and mitigating security incidents. Only through executive- and board-level involvement and oversight can companies adopt the cybersecurity strategy, technology, budget, and culture needed to defend organizations against today's threats.
In a recent publication, the Council of Institutional Investors highlights several critical issues that investors should focus on:
- How the company's cyber risks are communicated to the board, by whom, and with what frequency.
- Whether the board has evaluated and approved the company's cybersecurity strategy.
- Whether the board has approved the company's organizational structure around cybersecurity.
- The metrics used by the board to evaluate the company's cybersecurity efforts, including security performance and sector/peer benchmarking.
Importantly, investors don't have to passively wait for companies to disclose critical cybersecurity information. New quantitative data is available that gives investors continuous insight into corporate cybersecurity performance and helps them understand investment risk. Investors need to become much more active if they truly want to understand the risks to their investments.
Corporate executives must improve their communication with investors on cybersecurity issues, and that means getting serious about measuring and managing cyber risk. If companies are losing business because of cybersecurity issues, then security must evolve into a business discipline. This means increased scrutiny of security spending, use of formal metrics to justify investments, and measurement of organizational security performance.
For years, companies have treated cybersecurity as a risk that IT could solve alone. The response from the technology teams was to buy more technology but not necessarily measure effectiveness.
Corporate executives should focus on the practice of "security performance management" — essentially, a risk-based, outcome-driven approach to measure, monitor and manage cybersecurity program performance — in order to increase security effectiveness and meet the demands for transparent reporting. Companies that track performance can better justify their security budget and are more likely to take action to improve security outcomes.
According to the Forrester-BitSight study, companies that formally monitor, measure, and track performance are better at managing security outcomes.
- Companies with formal metrics are 1.8x more likely to develop security policies, 1.7x more likely to update security technology, and 1.6x more likely to perform security training.
- Companies using formal security metrics are more likely to have seen a 10% or greater increase in their security budget over last year (38% of firms with formal metrics said this versus just 25% of firms without formal metrics).
In short, while cyber incidents threaten investors and businesses alike, neither side has to stand idly by. By engaging with senior executives, leveraging data, and treating cybersecurity as a critical performance issue, investors and businesses can together create a more trustworthy environment.
—By Jake Olcott, BitSight v.p.