Investors lose interest in breached companies
Institutional investors are pressing for company boards to sharpen up their cyber-security knowledge and practices, according to a new report conducted by FTI Consulting on behalf of KPMG.
Investors take the issue so seriously that a cyber-attack could even cost a business its financial backing, according to KPMG. The report found that 79 percent of these investors would be discouraged from investing in a business that had been hacked. The report is based on a survey of 133 institutional investors from around the world who together manage over US $3 trillion worth of investments.
“Investors see data breaches as a threat to a company's material value and feel discouraged in investing in a business that has had its sensitive information compromised,” said Malcolm Marshall, global leader of KPMG's cyber security practice.
Investors believe that less than half of the boards of the companies that they currently invest in have adequate skills to manage cyber risk.
Furthermore, they believe that 43 percent of board members have unacceptable skills and knowledge to manage innovation and risk in the digital world.
This sentiment was mirrored in a recent KPMG survey of FTSE 350 businesses, which found that 39 percent of boards and management agreed they were severely lacking in their understanding of this area.
“Following a number of high-profile breaches, we are seeing global investors waking up to the issue of cyber security,” Marshall said.
A knock-on effect of the awareness of cyber risk is an increasing appetite among investors for cyber security businesses, with 86 percent of investors identifying this as a growth area.
Marshall spelled out five tasks for boards to undertake to satisfy investors that they are addressing cyber security:
1. Understand and approach cyber-security as a business risk, not just an IT problem.
2. Understand the legal implications of cyber risks as they relate to the company's specific circumstances.
3. Discuss cyber-risk management regularly at board meetings.
4. Establish a company-wide cyber risk management framework which is adequately staffed and budgeted.
5. Identify risks to avoid, accept, mitigate or transfer, and develop specific plans for each approach.