Cybersecurity’s growing importance: what investors need to know

June 12, 2024

The rise of tech-enabled companies

The ever-evolving state of technology has enabled companies from all corners of the economy to modernize and adapt to better service their clients. The ability to deploy technology solutions across the connected world marks both an opportunity to modernize and another important risk to be managed. Restaurants adding self-service ordering kiosks, large retailers turning their focus to e-commerce, and electric utilities implementing smart grid software are just a few examples of a long-term trend; the rise of tech-enabled companies.

 

In contrast to the traditional understanding of what a technology company is, such as giants like Apple, Microsoft or IBM, a tech-enabled business is one that leverages the latest technology available to improve an existing market. Businesses leveraging such technology are able to chase higher efficiencies in mature markets by offering a better user-experience, increase convenience, and in some cases, establish additional revenue streams by reaching new consumers.

 

However, as companies from all sectors and regions try to capitalize on the opportunities generated by technological developments and digitalization, an unintended consequence is higher vulnerability due to the increasing risk of experiencing a cyber-attack.

 

Over 2,200 cyber-attacks take place each day1. Just in April 2024, two major cybersecurity events seized investors’ attention. First, malware was added to Linux, an open-sourced operating system that runs on virtually all internet servers, but luckily a curious engineer detected and stopped the attack before it could cause widespread damage2. Second, Change Healthcare, part of UnitedHealth Group which is the largest U.S. health insurer, was hacked and allegedly lost more than six terabytes of data, including medical records, costing the company USD $872M in “unfavorable cyber-attack effects”3.

The costs of a cyber-attack

The immediate direct financial impact of a cyber-attack can be undeniably substantial, including costs such as network downtime, investigations, security enhancements, enhanced customer support, legal fees, settlement payouts, and even potential ransoms.

 

However, once the dust settles, the actual costs of such an attack often extends beyond these monetarily quantifiable damages. If a cyber-attack erodes customer trust in a company’s offerings, in the long-term, the cost of restoring customer confidence and re-establishing a corporate reputation of prudent data security risk management may significantly surpass the initial operational and legal expenses.

 

In parallel, remote work has made it easier for hackers and cybercriminals to crack enterprise networks. Add to this the advancement in artificial intelligence (AI) models and the imminent rise of quantum computing (which hypothetically could break the present encryption practices deployed across the internet4) and it all underscores the financial materiality of cybersecurity risks to businesses.

 

In 2023, there were around 343 million victims of cyber-attacks worldwide, driven by a 72% increase in data breaches from 2021-20235. The impact of global cybercrime, which may include loss of data, money stolen, fraud and reputational harm, costs the global economy trillions of dollars each year. Cybersecurity Ventures forecasts that number to be USD $9.5 trillion globally in 2024, up from $3 trillion USD in 20156. By comparison, the annual GDP of the Canadian economy was USD $2.16 trillion in 20227. The effects of cybercrime drive other meaningful changes across the economy, including the job market where there is set to be an expected stock of 3.5 million unfilled cybersecurity jobs in 20248, or even the cyber insurance market, which is predicted to hit USD $14.8 billion annually by 20259.

 

As a result, the key question becomes: How can investors more effectively assess and manage the cybersecurity risks inherent in their holdings and portfolios?

Overlooked sector risks and industry best practice

Businesses’ financial risks are usually reflected in their balance sheets, income statements, and other financial statements. Non-financial risks, such as cybersecurity, arise from the firm’s operations and are harder to track and assess. Investment managers traditionally leverage industry frameworks and best practices to better assess such non-financial risks.

 

An example is the Sustainability Accounting Standards Board (SASB) Materiality Map, which identifies financially material issues on an industry-by-industry basis10. Among the issues identified by SASB is cybersecurity; in particular, it views customer privacy and data security as significant business issues in industries such as telecommunication services, commercial banks, health care delivery, among others.

 

However, there appears to be an industry-wide gap in adequately recognizing cybersecurity risks across all industries. While SASB, and frankly most other industry-accepted frameworks, recognize cybersecurity risks in sectors like Information Technology (IT), Banking, and Healthcare, according to IBM Threat Intelligence, Manufacturing is the industry most targeted by cyber criminals, with Finance, Professional Services, Energy, and Retail completing the top five most targeted industries11.

Share of cyber-attacks by industry in 2023

Industry
2023
Manufacturing
25.7%
Finance and insurance
18.2%
Professional, business and consumer services
15.4%
Energy
11.1%
Retail and wholesale
10.7%

Source: IBM Security X-Force Threat Intelligence Index 2024

 

Given the fast adoption of new technologies, such as the internet of things (IoT) and AI, the need to recognize cybersecurity as a financially-material risk across all industries and regions has never been greater. In an increasingly connected world, these risks need to be recognized and managed by investors.

What can companies and investors do?

Similar to other sustainability issues, companies should establish proper assessments of cybersecurity risks, develop processes and policies to ensure adequate management of assessed risks, integrate oversight and responsibility within enterprise risk management and governance functions, and disclose progress to investors through public reporting. Companies should ideally conduct risk assessments or audits on a recurring basis and pursue certifications on their information security management systems, such as ISO 27001.

 

Holistic assessment is needed as investors might be overlooking this critical risk in several industries. New metrics and data sources are emerging that allow investors to better assess holdings’ cybersecurity exposures for more industries. Companies now periodically report the amount of personal data they collect, their exposure to evolving or increasing privacy regulations, data breaches, and their systems for protecting personal data.

 

Investors can encourage their investee companies to pursue these steps and adequately manage cybersecurity risks. At BMO GAM, we make public our Expectation Statements on Environmental, Social and Governance Practices. Core to our expectations is that companies should have board-level oversight of internal controls and all material risks, including ESG risks such as climate change, cybersecurity, and consumer protection.

 

In 2023, along with our third-party engagement service provider Responsible Engagement Overlay (reo®), we discussed cybersecurity or data security in various engagements with investee companies in different industries and regions. The discussions included topics surrounding certifications on information security, encouraging more disclosure on assessments, and enhancing privacy policies relating to user information. As technology continues to progressively permeate every aspect of our daily lives, we foresee a significant expansion in our cybersecurity centered engagements throughout 2024 and onwards. In addition to meaningful engagements, we also aspire to better align our clients’ investments with the evolving market landscape by integrating new cybersecurity-related metrics and insights into our ESG assessments to continually enhance the value for our investors.

“Each year, we continue to see the volume and cost of cyberattacks increase to record highs, with headlines of corporate data breaches coming from virtually every industry. We believe this underscores the need to recognize cybersecurity as a financially material risk across all sectors and regions.”

 

Marco Iaboni
Associate, Technology and Communications, Global Equity
BMO Global Asset Management

Sources

Footnotes

1 115 cybersecurity statistics + trends to know in 2024 (norton.com)

2 One engineer’s curiosity may have saved us from a devastating cyber-attack | John Naughton | The Guardian

3 UnitedHealth says Change Healthcare cyberattack cost it $872 million – CBS News

4 https://www.forbes.com/sites/forbestechcouncil/2024/02/06/the-impact-of-ai-on-post-quantum-cybersecurity/

5 Cybersecurity Stats: Facts And Figures You Should Know – Forbes Advisor

6 Top 10 Cybersecurity Predictions and Statistics For 2024 (cybersecurityventures.com)

7 GDP (current US$) – Canada | Data (worldbank.org)

8 Cybersecurity Jobs Report: 3.5 Million Unfilled Positions In 2025 (cybersecurityventures.com)

9 Cyberinsurance Market To Reach $34 Billion By 2031 (cybersecurityventures.com)

10 Find Industry Topics – SASB (ifrs.org)

11 IBM Security X-Force Threat Intelligence Index 2024

Disclaimers

Any statement that necessarily depends on future events may be a forward-looking statement. Forward-looking statements are not guarantees of performance. They involve risks, uncertainties and assumptions. Although such statements are based on assumptions that are believed to be reasonable, there can be no assurance that actual results will not differ materially from expectations. Investors are cautioned not to rely unduly on any forward-looking statements.

 

These are not recommendations to buy or sell any particular security.

 

BMO Global Asset Management is a brand name under which BMO Asset Management Inc. and BMO Investments Inc. operate. Certain of the products and services offered under the brand name, BMO Global Asset Management, are designed specifically for various categories of investors in Canada and may not be available to all investors. Products and services are only offered to investors in Canada in accordance with applicable laws and regulatory requirements.

 

“BMO (M-bar roundel symbol)” is a registered trademark of Bank of Montreal, used under licence.

Reccomended

article collection

Mutual Funds

Insights

House view
July 17, 2024

Politics and profits: Finding wins in an election year

The bad news is that the economic environment is worse than it was one year ago. The good news is that it is still in a pretty strong position and we’re not seeing any signs in the marketplace worrisome enough to warrant taking significant risk off the table.
Sadiq Adatia
Sadiq Adatia
Commentary
July 15, 2024

Is it time to swap Big Tech for Small Caps?

Should investors consider rotating into equities with smaller market capitalizations? What did the latest CPI report tell us about the odds of a September rate cut? And where along the yield curve should investors look for opportunities?
Steven Shepherd profile photo
Commentary
July 11, 2024

BMO ETF Portfolios’ July commentary: “Take the Money and Run, or Take it Easy?”

With the end of the month, quarter and first half of 2024 in the books, markets seem to be taking a collective deep breath in anticipation of what the remainder of the year will bring.
Sadiq Adatia
Sadiq Adatia
Commentary
July 8, 2024

What can politics do to your portfolio?

What did we learn from the Fed’s reaction to the latest inflation data? How will election-related volatility manifest, and how big of an impact could it have on markets?
Sadiq Adatia
Sadiq Adatia
Commentary
July 2, 2024

Why American consumers are holding on—and Canadians aren’t

What is the state of the consumer as we enter the second half of the year? What impact did last week’s U.S. presidential debate have on markets?
Commentary
June 24, 2024

Chairman Powell: The Ultimate Bond Villain?

What’s causing the gap between Canadian and U.S. equities? What is the source of recent bond volatility, and will it persist for the rest of 2024?

Website attestation

you are entering the BMO Global Asset Management (GAM) Institutional website.

Read our Terms and Conditions
Click here to contact us

This information is for Investment Advisors only. By accepting, you certify that you are an Investment Advisor. If you are NOT an Investment Advisor, please decline and view the content in the Investor or Institutional areas of the site. The website is for informational purposes only and is not intended to provide a complete description of BMO Global Asset Management’s products or services. Past performance is not indicative of future results. It should not be construed as investment advice or relied upon in making an investment decision. The opinions expressed are subject to change without notice. Products and services of BMO Global Asset Management are only offered in jurisdictions where they may be lawfully offered for sale. The information contained in this website does not constitute an offer or solicitation by anyone to buy or sell any investment fund or other product, service or information to anyone in any jurisdiction in which an offer or solicitation is not authorized or cannot be legally made or to any person to whom it is unlawful to make an offer of solicitation. All products and services are subject to the terms of each and every applicable agreement. It is important to note that not all products, services and information are available in all jurisdictions outside Canada.