Data, the oil of the 21st Century

An opinion piece by William Tohmé, CFA, Senior Regional Head, CFA Institute, Middle East and North Africa

Internet security blog posts are usually more at home on the inside pages of IT trade periodicals than on the front pages of international newspapers.  Yet the one written by Microsoft Corporate Vice President Tom Burt and published on March 2 was a notable exception.

It wasn’t long before the phones of help desks worldwide started to ring and IT managers’ social media feeds lit up.  It revealed that a new threat had emerged targeting the Microsoft exchange server software. This time the hackers had attempted to penetrate much deeper into the computer systems of their intended victims in order to lurk undetected for a long period of time. It may have compromised as many as 20,000 organisations.

Large scale attacks of this kind are becoming more common and their impact is increasingly visible to investment professionals. They are also more quantifiable.

To illustrate exactly what is at stake here, one 2019 study examined the average revenue growth of companies that had been affected by severe security breaches in the two years after they had occurred. Then it compared those results to industry peers not affected by cybercrime. The research covered some 432 companies over a six-year period and assessed 460 unique events.

It found that in the two years after a severe security breach, corporate revenues first declined by about 10 percent on average and then recovered slowly. After two years, revenues had only managed to recover to the same level they were at when the security breach happened. By contrast, the revenues of companies that did not suffer a security breach increased by almost 20 percent over the same time period.

The impact of a major security breach is not just reflected in a company’s earnings but also in its share price. Indeed, corporations that have suffered a severe security breach could see their share price drop by 10 percent or more over six months and remain depressed for a long time.

With such potentially enduring consequences, it is no surprise that companies are stepping up efforts to protect their data.

That task has, however, become so much more difficult over the last year as the pandemic has forced millions of people to work from home. This has increased the vulnerability of corporate data – especially from phishing attacks directed at employees.

Indeed, these attacks have become so widespread that many analysts are comparing the coronavirus pandemic with an emerging cyber pandemic of sorts — with us work-from home humans playing the role of trojans.

A recent report from the CFA Institute Research Foundation reveals the risks faced by corporations by the growing number of cyber threats that are emerging from both nation-states as well as criminal groups.

Author Joachim Klement warns that investors need to assess their potential exposure to such attacks which are already costing the average bank – with banks being the preferred targets of cybercrime – some $18.4 million-a-year, based on 2018 data. Model estimates for the global banking system range from $97 billion to $351 billion per year in potential losses — easily capable of triggering a financial crisis of global scale.

While the recent Microsoft attack attracted global attention, it was the eighth time in 12 months that the company had publicly revealed an attack by so-called nation-state groups targeting critical institutions — from health organisations fighting COVID-19, to political campaigns involved in the 2020 elections.

Within this unfolding global narrative, the Gulf states represent another complex and intriguing sub-plot, where geopolitical fault lines converge and where nation-state hackers have already had an impact in a region that is home to more than a third of the world’s oil.

Klement points out in his excellent analysis that after the 2019 drone attacks on Saudi Aramco facilities in Abqaiq, the US response was channelled through a cyberattack on Iranian infrastructure rather than any kind of show of military force.

Such attacks have encouraged a major push at the state level to bolster cyber defences. Saudi Arabia this month launched the largest digital operations centre of its kind equipped with a modern cybersecurity hub to identify emerging threats. Other Gulf states are engaged in similar efforts to shore up the weak points in their figurative firewalls.

The financial industry must now take a similar approach in investing to protect itself from emerging threats, which as the latest Microsoft hack highlights, are becoming more and more damaging.

Inevitably there is a cost to this, and many corporations will flinch at the required outlay of capital at a time when there is a desperate need to conserve cash in the wake of the coronavirus pandemic. But in order to prevent business disruption, information loss and revenue loss, this investment is absolutely necessary.

In this, the former US State Department official Richard Clarke may have some prescient insight.

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”