- Risk assessment is difficult, with no universal standard and poor understanding
- The quality of corporate governance can be key
- Well-structured industries are better able to pass on prevention costs
Investors need to take into account the rising risk of cyber-attack when evaluating a company, and yet assessing the risk is not straightforward. There are no universal standards or metrics. What is more, companies may only recognise some of the risks and it may not be in their interest to publicise where their cyber risks lie.
Data on spending on cyber risk protection is seldom disclosed fully. With firms increasingly taking cyber-liability insurance, it can be hard to assess the size and nature of the residual cyber risk.
According to the Gartner agency, global cyber-security spending in 2018 amounted to an estimated USD 114 billion, up by 12.4% from 2017, indicating that cyber-security is being taken increasingly seriously. Nonetheless, the global cost of cyber-crime, estimated in 2018 at USD 400 billion to USD 3 trillion, by far outweighs any spending on preventive measures.
Focus on strategy, governance – and how the competitors do it
There are two key stages when assessing a company’s vulnerability to cyber-attack. The first is to examine the company’s cyber-security strategy and its implementation. Secondly, there is a need to focus on governance: each company should be able to show that it can identify the key people responsible for remedial actions and for overseeing the recovery process.
Good research in this area depends on good access to company executives and different levels of management. It is also prudent to study a company’s direct competitors within a given sector to learn about their cyber risks and take a view on the cyber-risk sensitivity of the industry.