Given the recent string of high-profile cyber attacks against some of the world’s largest corporations, there is growing momentum worldwide for a new approach to cybersecurity. The current approach – in which investors play little or no role in advancing best-in-class cyber protections until it’s too late – is no longer working. What’s needed is a more proactive approach to cybersecurity in which investors play a very active role in incentivizing responsible and secure innovation. That’s the core thesis of a new World Economic Forum (WEF) report that attempts to develop a framework for investors to measure and address cybersecurity issues. As the WEF report makes clear, investors have both a responsibility and an opportunity to motivate companies to prioritize cybersecurity.
In short, investors cannot ignore the cyber resilience of their target companies. When thinking about making a new portfolio investment, these investors should be taking a closer look at both the overall cybersecurity efforts of the organization and the specific cybersecurity features of its products. According to the WEF report (“Incentivizing Responsible and Secure Innovation: Principles and Guidance for Investors”), investors should reward companies that make cybersecurity a priority, while penalizing companies that fail to take best-in-class cybersecurity principles into account. As investors begin to place more and more emphasis on cyber due diligence, the net effect will be to boost consumer trust, protect investor returns, and create a more secure digital market for all.
WEF report outlines new cybersecurity principles for the investment community
The WEF report, presented at the World Economic Forum’s 13th Annual Meeting of the New Champions in China, marks a potential breakthrough in the way that investors think about their investment options. Currently, investors perform sophisticated due diligence of various aspects of an organization – such as the strength of the management team or the overall quality of product or service offerings – but may entirely overlook the company’s cyber efforts. If investors take into account the guidance offered in the WEF report, they will make cyber a focal point of any investment decision. This, in turn, will force companies looking to attract investors to shore up their cyber defenses and boost their overall cyber resilience.
As the WEF report makes clear, there are five critical ways that investors can help to boost overall cybersecurity. For one, they can conduct cyber due diligence before investing a single dollar in a company. Secondly, they can incorporate a cyber risk tolerance threshold for determining how much overall cyber risk they are willing to take in proportion to the overall business risk of investing in the company. For example, investing in a data-centric company like Facebook or Google that primarily makes its money by trading in personal information and data might carry a higher risk premium than investing in a company in another industry.
New cybersecurity imperative for the Internet of Things
One takeaway from the WEF report is that the rapid advance of the Internet of Things (IoT) is forcing investors to take a closer look at cyber issues. Take, for example, the healthcare industry, where medical devices hooked up to the Internet are becoming an everyday reality. Investors that make cybersecurity a priority will, in turn, take a closer look at how medical device makers and other companies in the healthcare industry are minimizing cyber risk. Are they, for example, making cyber a priority in the early stages of product development?
Presumably, products that are built and engineered with security as a priority will lead to safer products for the end consumer. A recent Bain & Co. study found that consumers will buy more products and pay higher prices if cyber issues are addressed at the outset. That could lead to a virtuous cycle of development, with an expanding marketplace for all participants, thanks to the attention paid to cyber concerns.
Cyber due diligence for the modern investor
Overall, the WEF report outlines six different high-level principles for the modern investor. By following these principles, investors will be able to boost their overall cyber expertise, while simultaneously boosting the performance of their portfolio companies. One of the most important of these principles is that investors must create a due diligence assessment framework. In layman’s terms, investors need to put together a “to do” list for what they will examine and analyze whenever they make an investment decision.
For example, as part of their due diligence, investors might check that a company has a C-suite executive (such as a CISO or CSO) responsible for cyber issues. Moreover, they might check that a company has a full-time staff responsible for regulatory compliance or cybersecurity preparedness issues, as well as for checking up on cyber governance issues (such as providing an updated cookie notice in response to GDPR demands). From a product security perspective, investors might check that products are built according to best-in-class “privacy by design” or “privacy by default” principles. And they might check that there is algorithmic transparency for any AI-enabled cyber processes. These simple steps would improve your experience as a consumer, as well as the experience on any website you visit.
Cyber threats and long-term market valuation
Worldwide, there is increased consumer demand for more secure products as well as increased investor demand for “safer” investment opportunities. What investor, after all, wants to target companies that could see tens of millions of dollars of market valuation lost overnight as the result of a major security breach or cyber attack?
The new WEF report, prepared by the World Economic Forum’s Centre for Cybersecurity, is an important step forward in helping the investment community understand the impact of cyber threats on long-term market valuation. In a perfect world, companies that pay the most attention to cyber due diligence issues would perform best according to key stock market indices, such as the S&P Global 1200 Index. Over time, cyber would become a central issue in any investment decision, and companies of all sizes would have new incentives in place to offer products that are safe, secure and built according to the very best cybersecurity and privacy standards.