by Nawar Alsaadi.

Weak cybersecurity management can hurt companies’ valuations.

On the weekend of July 2, 2021, the corporate world endured a massive cyberattack, with between 800 and 1500 companies across multiple industries affected. As a result of the attack, Coop, a supermarket chain in Sweden, had to close 500 stores after its cash registers were remotely disabled. Meanwhile, on the other side of the world 11 New Zealand schools were shut as a consequence of the attack. As of the latest tally, the attack reached businesses in 17 countries, and the attackers are demanding US$70M to cease their attack.

What’s troubling about this latest attack is that it is part of an escalating pattern. These attacks which are mostly tied to 6 ransomware groups have extorted $45M in ransom money so far. The most notable attack undertaken by these groups was the cyberattack against The Colonial Pipeline in April, which disrupted the distribution of critical fuels to the eastern seaboard of the U.S. The Colonial Pipeline was forced to pay $4.4M in Bitcoin to regain control of the pipeline. Another notable cyberattack took place against JBS, the world’s largest meat processing company. The attack, which shut 13 processing plants, caused a slump in Australian beef exports and forced the company to pay $11M.

Cyberattacks and/or ransomware attacks tend to fall into 2 categories. The first pertains to operational risk, where business operations are halted or disrupted as highlighted by the examples above. The second pertains to data loss risk tied to either the loss of sensitive customer or business data. A famed example of a data breach is the theft of 56M customers’ debit and credit card details at Home Depot in 2014 which cost the company $179M in direct compensation payments and fines (excluding legal or reputational costs). Another famed data breach is the cyberattack that compromised the personal data of 147M customers at Equifax in 2017, which cost the company over $1.4B in incident response and mitigation costs. Most recently, a new alliance made up of NATO member states, the European Union, Australia, New Zealand, and Japan blamed China for a massive cyberattack on Microsoft Exchange email servers earlier this year. State-sponsored cyberattacks, unlike the previous 2 categories, are concerned with political and economic espionage, intellectual property theft, and identifying potential strategic vulnerabilities.

The rise of cryptocurrencies has amplified the growth in ransomware attacks due to their anonymity and the relative ease in collecting the ransom.

 

Crypto ransom payments

               *includes Bitcoin Cash, Bitcoin, Ethereum, Tether, as of May 10, 2021. Chart data source: https://www.statista.com/chart/25245/total-value-of-cryptocurrency-received-by-known-ransomware-addresses/

 

Aware of the growing role of cryptocurrencies in ransomware attacks, the Biden administration announced in June that it is examining strategies to better trace ransomware payments.  The worrying growth in cybercrime and its potential impact has not gone unnoticed by investors, as evident from a key report by Pentland Analytics. The report states:

“Where, initially, cyber-attacks were viewed as bad luck, they are now viewed as bad management, and companies are held responsible for their decisions concerning data protection and the mitigation of harm.”

What the above statement means is that cyberattacks have become a measure of management and governance quality and that poor cyber security management can lead to a permanent discount to a given company valuation.

The impact of cyberattacks on targeted companies’ stocks is more persistent today than it once was. The Pentland report shows that targeted companies’ stocks appear to be subject to a permanent valuation discount especially in the case of repeated breaches. This development greatly underscores the value of ESG analysis and validates responsible investors’ focus on issues such as cybersecurity in their valuation models and engagement priorities. A conventional value investor buying a seemingly cheap stock with a poor cybersecurity record might misconstrue a legitimate ESG cybersecurity discount as a market inefficiency. Hence, the next time you invest in a meat producer, a grocer, or a pipeline company, make sure to examine their cybersecurity infrastructure with the same degree of care you allocate to examining their income statement and balance sheet.