OPINION
Digital and Tech
January 24, 2019

Fintech on Friday: Time cyber security took a seat in the boardroom

By Elliot Smither

Data is the most valuable asset some companies hold, but do senior executives really know how their digital defences stack up?

A glance look at the changing line-up of the largest companies in the world over the last decade – from PetroChina, Exxon and General Electric in 2008, to Apple, Google and Microsoft in 2018 – goes a long way towards proving the saying “data is the new oil”.

Other entries in the 2018 top 10 include Amazon, Facebook and Tencent, companies at the forefront of the digital revolution. Technology has come to dominate both the corporate world and our everyday lives, but has brought with it a new set of risks.

Rising levels

So-called cyber threats are very real and hit all sorts of organisations, and the volume and impact of these attacks is increasing. The UK government’s National Cyber Security Programme’s latest Cyber Security Breaches Survey found that in 2018, 43 per cent of UK businesses and 19 per cent of charities suffered a cyber breach or attack.

For example, the NHS, the UK’s health service, was hit by the WannaCry ransomware attack, causing almost 20,000 appointments to be cancelled and cost £92m ($120m) to clean-up. Ticketmaster admitted it suffered a security breach which impacted up to 40,000 UK customers. In the US, the Department of Justice indicted nine Iranian hackers over an alleged spree of attacks on more than 300 universities. Meanwhile, Under Armour’s MyFitnessPal app was breached by hackers, compromising the details of approximately 150 million users.

One company which has spotted an opportunity among the mayhem is Luxembourg-based Cyberhedge, founded by former asset manager Ryan Dodd.

“I’ve been managing money since about 2005 and I came across a very real problem about two years ago,” he explains. “It occurred to me that I had a number of companies in the portfolio whose primary source of value was data, but they hadn’t disclosed what they were doing to protect it. So I went to the companies and started asking. And no one had a good answer.”

So Mr Dodd set up Cyberhedge, the premise behind it twofold: one, to be able to show companies how their cyber security procedures measure up; and two, to show investors if there are risks in their portfolios related to cyber and which companies are taking sufficient steps to protect their data.

It took two years to develop the data platform that powers Cyberhedge. “Information networks often leave traces,” says Mr Dodd. “We buy data sets that collect those traces. They are hard to acquire but part of what we do that is different is we are pretty avid data buyers.”

Part of the problem with the way companies have approached cyber security has been the fact that responses have been led by IT departments rather than tackled at a board level, claims Mr Dodd, meaning senior executives simply do not know how effective their processes are. Cyberhedge’s reports are aimed firmly at the C-Suite and are presented in a language they will understand.  

“Ultimately the product is a financial assessment of how much financial impact your cyber governance is causing, which ultimately is a roadmap to fix it. We are saying here are the issues we see. Fixing these things will provide the biggest impact to value.”

Ahead of the curve

Cyber attacks can lead to loss of earnings and considerable brand damage, and CEOs are aware of the risks, meaning budgets to tackle the threat are considerable. And financial institutions are ahead of the curve on this, claims Mr Dodd.

“The financial services industry certainly has the green light to spend more money on cyber protection than other industries. They feel the urgency.”

In most cases, the problem is not that resources are lacking, rather it is almost always that they are not managed properly, he claims. “There has been very little focus on governance from the top level, and the approach has been much more fix and patch,” says Mr Dodd.

While companies are obliged to carry out financial audits and pass health and safety requirements, there is currently no need to undergo digital health checks. Mr Dodd believes regulators will eventually insist on external cyber audits.

“I hope that we eventually have a system similar to the credit rating agencies, with Moody’s, Fitch and S&P, well we would like to be one of say, four, cyber rating companies which you have to go to establish the health of your cyber security,” he says. “And I don’t think this is all that far down the line.”

Name and shame

Mr Dodd is far from alone in calling for greater transparency in how companies are combating the threat of cyber crime. In January, academics at King’s College London published a report which urged the UK government to publicly identify companies with poor cyber defences. Researchers at the university’s Cyber Security Research Group argued consumers deserve greater insight into how firms are protecting their data.

Greater transparency around businesses’ cyber defences would force poorly performing companies to boost security, which should lead to a reduction in crime, finds the report.

Read next
Business models OPINION
April 23, 2024

Adapting the lessons of retail to wealth management

By Matt Ryan

Both luxury and consumer retail outlets offer valuable lessons for wealth managers, with data-driven insights key to taking engagement to the next level. Rapid digitalisation of the global economy has...
read more
FT Wealth Management
April 22, 2024

The changing role of relationship managers

By Ali Al Enazi

The role of the relationship manager in wealth management is professionalising, with advisers needing to be increasingly agile and informed, though technology is there to help. With 1,000 billionaires poised...
read more
A service from the Financial Times