2020 will be long remembered for several historic events. While the COVID-19 pandemic and its dramatic impact on the global economy, societal norms, and everyday life have understandably captured most of the headlines, 2020 also saw significant developments in cybersecurity, with cyber-attacks on organizations increasing enormously and elevating cyber governance to a top issue that all enterprise stakeholders need to prioritize. Historically seen as a regrettable but manageable nuisance, the cyber threat gained increased recognition in 2020 for its seriousness.
Four critical issues defined cyber governance in 2020, and will likely continue to dominate the strategic agenda for enterprise leaders:
- The rise of Ransomware, which is a growing financial threat to companies in a way that previous generations of cyber threats were not
- COVID-19 driven changes in how companies operate ‘digital-first’, the impact this has on security threats and the subsequent necessary changes in cyber architecture
- Digital Transformation as the key factor differentiating between ‘winners’ and ‘losers’, across all sectors, and all markets
- While ESG is rising in the Asset Management industry, cyber governance measures and forecasts the effectiveness of Digital Transformations
The rise of Ransomware
Ransomware attacks exploded in 2020, with reliable estimates that more than half of all companies have been attacked at least once in 2020, that the average ransom amount has tripled since 2019, and that the average ransomware attack in 3Q20 resulted in 19 days of downtime for the breached company.
Big ransomware attacks over the past 18 months have resulted in average shareholder losses of 24% in the months after the breach. In 2020, Finablr did not recover at all, filing for bankruptcy. ISS World reported hundreds of millions in losses following an attack in February and is still dealing with the financial fallout.
While it is clear that all companies are vulnerable to ransomware and that attackers’ tactics continue to evolve and become more dangerous, some companies are more vulnerable than others.
Cyberhedge ratings have accurately predicted significant attacks against public companies
COVID-19 driven changes to cyber security architecture
IT networks became less safe overnight as a key feature of overall security architecture—perimeter security—ceased being as effective a first line of defense following the transition to remote work. Almost no organization was prepared for such a rapid transition. Many are still coming to grips with issues such as the use of personal devices to access corporate networks, and the use of corporate devices for personal functions such as children’s remote learning needs, among other risks. But companies that are leaders in cyber governance and which were already more advanced in their Digital Transformation strategies handled this transition more effectively than those struggling with a rushed transition to digitize their workflow and processes.
With corporate IT budgets getting squeezed across the board in response to COVID-19 related disruption at a time when many need to increase spend to better control new vulnerabilities, corporate leaders face a huge challenge in how to balance cost controls against security. Tools that help companies rationalize security budgets and increase the efficiency of spend, such as security validation, are enormously helpful in this environment.
Digital Transformations separate winners from losers
The digital explosion in 2020 means that the necessity of protecting digital assets has never been greater and will only increase in coming years. Those that manage this best will be rewarded by financial markets and continue outperforming peers that lag in cyber governance. Indeed, in 2020 there was marked divergence between cyber leaders and laggards in every sector and market. Home Depot (HD)—rated by Cyberhedge as a sector leader in cyber governance—is an example of a company whose pre-COVID-19 Digital Transformation strategy positioned it well to adapt to the pandemic’s disruptions and facilitated a huge increase in digital sales, resulting in increased market share and profitability vs. competitors.
HD was not an isolated example of this. Indeed, the Cyberhedge Cyber Governance Indices are market-based proof not only that cyber governance matters, but that it is quantifiable, predictable and persistent.
Cyberhedge ratings across every market and sector since launch in January 2018
While ESG is rising in the Asset Management industry, cyber governance measures and forecasts the effectiveness of Digital Transformations
2020 saw a record increase in assets managed according to ESG principles, with inflows to ESG ETFs alone increasing 4x over 2019. And while there is understanding and acceptance of some of the factors that go into ESG—Environmental factors such as carbon emissions and recycling; Social factors such as ensuring that human rights, health and safety are honored throughout company supply chains; and Governance factors such as accountancy standards, audits and shareholder control—there is still a great deal of debate over how to quantify ESG’s impact on investment performance, and very little understanding about the central role that cyber governance plays in ESG.
Indeed, as the Cyberhedge Cyber Governance Indices show, not only can cyber governance be measured, but it also has a material and quantifiable impact on company share price. Unlike ESG, cyber governance is not yet mainstream, but it has proven objectively quantifiable in a way that ESG has not. These cyber governance ratings have been so effective because they are essentially a measurement of the effectiveness of a company’s digital transformation. This provides predictive insight into how well or poorly a company will perform in the future. The same cannot yet be said of ESG.
As discussed above, during the pandemic digital transformation has been the biggest differentiator between company outperformance and underperformance. As Microsoft CEO Satya Nadella said at the end of April, ‘We’ve seen two years’ worth of Digital Transformation in two months’. In contrast, the Asset Management industry as well as the ESG industry have struggled to analyze and measure technology management, or digital transformation, within companies.
And cyber poses a larger financial risk than ESG in the foreseeable future. Just in the past month, McAfee put a $1 trillion price tag on cybercrime for 2019. That number will surely rise for 2020. This should make cyber governance one of the key factors that the Asset Management industry incorporates into company financial models. And with the ratings industry working to incorporate cyber ratings into overall corporate ratings, and governments and regulators also paying much closer attention to cyber governance, Asset Managers risk suffering poor performance if they continue to downplay the clearly demonstrated impact of cyber on their investment portfolios.
While there is increasing awareness by company Boards and C-Suites of cyber governance’s critical importance to achieving corporate objectives, many are still grappling with issues related to limited and non-standardized quantitative data and performance metrics. This hinders the creation of KPIs and questions that a Board can use in the same way that it measures and judges sales, financials and other operational data.
But effective measurements do exist, and those companies that are further along in understanding and implementing measurements and incentives that help them achieve better cybersecurity are further along not only in cyber governance, but in overall market performance as well.