20 April 2015
Institutional investors back away from businesses that have been hacked into, according to a global survey conducted by KPMG.
KPMG’s survey of global institutional investors found that 79% of investors would be discouraged from investing in a business that has been hacked. The research surveyed 133 institutional investors with more than USD 3 trillion under management.
Malcolm Marshall, global head of KPMG’s cyber security practice, says: ‘Investors see data breaches as a threat to a company’s material value and feel discouraged in investing in a business that has had its sensitive information compromised.’
The survey also finds that investors believe fewer than half of the boards of the companies they currently invest in have adequate skills to manage cyber risk, and that 43% of board members have unacceptable levels of skill and knowledge for managing innovation and risk in the digital world.
Investors expect more from businesses, and in a world where breaches are common it is reasonable to expect boards to have prepared themselves, comments Marshall, who says that ‘there is an expectation from investors for businesses to increase their cyber capabilities from top to bottom, including the board.’
‘A good start would be for boards to elevate cyber higher up on the agenda and invest more time towards it. Our survey reveals that 86% of investors want to see an increase on the time boards spend on cyber compared to last year.’
In addition, Marshall says that organisations that have been breached are, post-attack, generally better run, understand risk better, and are more prepared for future risks. A serious breach brings the competence and teamwork of senior executives and the board into sharp focus.
He adds that companies are struggling to demonstrate that they are taking cyber risk seriously to their existing and potential investor base. The inability to demonstrate that a business is doing so could make it a less attractive investment proposition.
Marshall suggests that boards need to consider the following to be cyber secure:
Board directors need to understand and approach cyber security as a business risk issue, not just a problem for IT.
Directors need to understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
Boards should have sufficient cyber security expertise, and discussions about cyber risk management should be given regular and adequate time on the boardroom agenda.
Directors should set the expectation that management will establish a firm-wide cyber risk management framework that has adequate scope for staffing and budget.
Discussions of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer, as well as specific plans associated with each approach.