“Institutional investors ‘shy away’ from hacked businesses” suggests KPMG survey

Malcolm Marshall: Global Head of KPMG’s Cyber Security Practice

According to a new set of statistics, cyber attack episodes could cost a business its investor backing. A survey of global institutional investors conducted by KPMG has found that 79% of investors would be discouraged from investing in a business that has been hacked. The research surveyed 133 global institutional investors with USD$3+ trillion under management.

The survey findings* reveal that investors believe less than half of the Boards of the companies that they currently invest in have adequate skills to manage cyber risk. Furthermore, they believe that 43% of Board members have unacceptable skills and knowledge to manage innovation and risk in the digital world.

Indeed, this sentiment was mirrored in a recent KPMG survey of FTSE 350 businesses which found that 39% of Boards and management agreed they were severely lacking in their understanding of this area.

Malcolm Marshall, global head of KPMG’s cyber security practice, explained: “Investors see data breaches as a threat to a company’s material value and feel discouraged in investing in a business that has had its sensitive information compromised.”

Marshall continued: “Following a number of high profile breaches, we’re now seeing global investors waking up to the issue of cyber security. The ripple effect of this has witnessed investor appetite for cyber businesses increase, with the survey revealing that 86% of investors see it as a growth area.”

Better prepared for future risks

According to Marshall, there’s an expectation from investors for businesses to increase their cyber capabilities from top to bottom, including the Board.

“In a world where breaches are common,” asserted KPMG’s cyber security expert, “it’s reasonable to expect Boards to have prepared themselves. My personal experience of working with organisations where there has been a breach is that generally well run companies that understand risk are better prepared for future risks. A serious breach brings the competence and teamwork of senior executives and the Board into sharp focus.”

Marshall went on to state: “What we’re seeing is companies struggling to demonstrate to their existing and potential investor base that they’re taking cyber risk seriously. Any inability to demonstrate that a business is doing so could make it a less attractive investment proposition.”

The solution? “A good start would be for Boards to elevate cyber higher up the agenda and invest more time towards it. Our survey reveals that 86% of investors want to see an increase in the time Boards spend on cyber compared to last year.”

How to be ‘cyber secure’

If they wish to be ‘cyber secure’, Malcolm Marshall suggests that Boards of Directors need to:

* understand and approach cyber security as a business risk issue and not just a problem for IT

* understand the legal implications of cyber risks as they relate to their company’s specific circumstances

* have sufficient cyber security expertise, while discussions about cyber risk management should be given regular and adequate time on the Boardroom agenda

* set the expectation that management will establish a firm-wide cyber risk management framework that has adequate scope for staffing and budget

* include identification of which risks in the cyber arena to avoid, accept, mitigate or transfer, as well as detail specific plans associated with each approach

Meantime, commenting on new research which reveals that there’s a wide gap between perception and reality of perimeter security effectiveness, Matt White (senior manager in KPMG’s cyber security team) told Risk UK: “With trends such as Bring Your Own Device, mobile computing and smart devices, the traditional model of perimeter security is no longer suitable for most networks. Instead, we’re seeing each user having their own perimeter that network administrators cannot secure with usual methods of firewalls and anti-virus.”

White concluded: “Until security technology catches up with consumers, the reliance on the basics such as user access management – in other words locking down who has access to what and how it’s accessed on different devices – must become greater.”

*The research was conducted by FTI Consulting on behalf of KPMG and surveyed 133 global institutional investors with USD$3+ trillion under management. The surveyed investors work for the following organisations: private banks, wealth management, investment and mutual funds, hedge funds, pension funds, insurance funds, sovereign wealth funds and endowment funds.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
