Technology and financial services companies are critical infrastructure too

Cyber performance of some companies matters not just to shareholders but to the entire financial system

Tale of two companies

This third installment in our series centers on one technology company and one financial services company. Both MarketAxess (MKTX) and Fidelity National Information Services (FIS) serve as critical financial infrastructure in the digital age but have different track records on cyber / technology governance.

Both $20+bn dollar companies and technology is their primary asset.

In contrast

Approach to cyber from Management are studies in contrast

Governance approaches

Governance is rarely a newsworthy topic until things go wrong. For cyber, it is a difference maker

Navigating the Trilemma

4-5-Star rated companies find the right balance between revenue growth, cost controls and cybersecurity. 1-2-Star companies tend to lean too heavily on growth and/or cost at the expense of security


Market performance

Digitally-powered Outperformance

MKTX versus capital markets peers since onset of COVID-19

MKTX US Equity KCE US Equity
Source: Bloomberg
MKTX: Market Axess; KCE: SPDR® S&P® Capital Markets ETF

FIS underperforming peers in key growth areas: Mobile and FinTech

Evidence of weakness in digital transformation, this should concern investors

Source: Bloomberg
FINX: Global FinTech ETF; PMobilen: Global Mobile Payments ETF

Deemed critical: A billion-dollar digital trading platform and an essential cog in the global payments machine

MarketAxess embraces business-critical nature of cyber

Typical of a CBH 5-Star company, MKTX understands the business-critical nature of cyber and the need to invest accordingly:

“We experience cyber-attacks and attempted security breaches. Cyber security incidents could impact revenue and operating income and increase costs. We therefore continue to make investments, which may result in increased costs, to strengthen our cybersecurity measures”.

(MKTX 10-Q, June 2020) Its Q2 financials reported a 32% YoY increase in technology and communications.

This is an example of a company that understands how to navigate what we refer to as the digital transformation trilemma for management: how to allocate IT investment for the goals of—1) Top-line Growth, 2) Cost savings 3) Security. Companies can’t have all three simultaneously, but rather they have to choose only two.

Buoyed by strong market performance, MKTX also makes investments in technology and security from a position of financial strength, like most 4-5-Star rated companies. It reported extremely strong financials across the board in Q3, including revenues (25%+), operating income (33%+), operating margins (50%+) and EBITDA (32%+).

Governance is rarely a newsworthy topic until things go wrong. For cyber, it is a difference maker. Five MKTX board members have experience with and oversight over ‘technology/cyber’ under the Risk and Audit Committee—an important indicator of how cyber is prioritized at the board-level. Unlike many companies that delegate security responsibility to third parties, MKTX appears to own it internally at the highest level.

MKTX also explicitly recognized the elevated risks and strains created by the pandemic:

“an increase in the number of points of potential attack, such as laptops and mobile devices (both of which are now being used in increased numbers) to be secured, and any failure to effectively manage these risks, including to timely identify and appropriately respond to any cyberattacks, may adversely affect our business.”

Where MKTX differs from most other high performing companies is a lack of explicit discussion of a digital transformation plan or strategy. This is because digital transformation is core to the company’s DNA. This continues to serve the company, shareholders and a capital markets system that depends on data security all quite well.

This is not to say that cyber weaknesses don’t exist for MKTX, but the risks appear to be prioritized as business-critical issues, not esoteric technical problems to simply be outsourced to a third party for remediation.

Fidelity National Information Services’ poor cyber governance poses risk to future growth

FIS is also at the center of global capital markets (as well as merchant solutions and banking) as a provider of critical payments infrastructure. But in contrast to MKTX, its low cyber governance rating is an indication of not well managed digital technology. This despite the fact that this is the company’s most valuable asset, and in a year in which digital payments and financial technology are growing exponentially. Consider this comment from Chairman, President and CEO, Gary Norcross, from the Q3 earnings call:

“…you've got to go back to almost five years ago, when we really put the company through just a huge pivot toward next-generation technology and transformation. We invested heavily in cloud-based computing. We then brought on our application stack and start investing heavily there to take advantage of the cloud. And so now, if you look, what's different is we're really at a really differentiated level at this point in time.”

Yet, cybersecurity (protecting downside financial risk) only merits one passing mention in Q2 and Q3 disclosure material.

Poor cyber governance should be a concern to investors because weaknesses pose an elevated downside financial risk of a ransomware-like operational disruption that can adversely impact revenue, cashflow and margins for multiple quarters post-breach. FIS’ statement in its 2019 10-K suggests that it understands the potential downside risks, including with respect to the Worldpay acquisition:

“…cybersecurity is one of the principal operational risks FIS faces as a provider of services to financial institutions. If FIS fails to maintain an adequate security infrastructure, adapt to emerging security threats, or implement sufficient security standards and technology to protect against security breaches, the confidentiality of the information FIS secures could be compromised. Unauthorized access to the computer systems or databases of FIS could result in the theft or publication of confidential information, the deletion or modification of records, damages from legal actions from clients and/or their customers, or otherwise cause interruptions in FIS' operations and damage to its reputation. These risks are greater with increased information transmission over the Internet, the increasing level of sophistication posed by cyber criminals, nation state-sponsored cyber-attacks and the integration of FIS systems with those of acquired companies such as Worldpay.”

Yet cybersecurity does not merit much attention in quarter-by-quarter company disclosures.

FIS’ cyber governance performance should also be a yellow flag for clients that rely upon its infrastructure for the security of their own operations and transactions.

The company’s strategy of “accelerating revenue growth, expanding margins (including cost cutting) and maximizing shareholder value” hasn’t left room for investing sufficiently in security. FIS’ poor security significantly increases the risk of a cyber-related operational disruption causing an adverse impact on all three of these metrics.

Though characteristic of the payments industry in recent years, FIS’ significant M&A activity (chasing growth), including the purchase of Worldpay for $35bn in 2019—the largest acquisition ever in the industry at the time—has created a drag on the company’s cybersecurity performance. M&A generally creates significant cyber risks for the acquiring company because of the challenges of absorbing a new corporate network into its own, and the ‘IT complexities’ this introduces. More complex networks increase risk because with an enlarged threat surface, they are more difficult and more expensive to protect. Marriott discovered this in the wake of its large data breach in 2018, which stemmed in part from its earlier acquisition of Starwood.

A second strategic challenge stemming from the company’s poor management of its digital transformation is its underperformance relative to peers in mobile payments and FinTech. This puts the spotlight on Merchant Solutions, the most tech-enabled part of its business, ~30% of FIS’ total revenues and its highest growth area.

Competitive pressures to invest further in tech-enabled parts of the business, including integrating payments into software, are substantial. ‘Tech-enabled vs. Traditional’ is a metric the market is examining closely, thus FIS messaging around being a “Global Leader in Digital Payments, Banking and Investments”.

But despite aggressive M&A and investments in tech in recent years, FIS underperformance relative to peers in this space (see above chart) is evident.

For more information, including company coverage, contact us at

This information represents Cyberhedge’s opinion only and is not investment advice or an investment recommendation. See full Disclaimer.

Subscribe to know first
who is up and who is down

This article is one in a series of upcoming articles over the coming months focused on why since COVID-19 the difference between best and worst technology governance has never been more important for companies and investors alike.


Check your e-mail to confirm subscribtion

We use cookies to make our website more user-friendly and effective

The Cyberhedge Indices Cookie Policy

What are the Cyberhedge Cyber Governance Indices?

These first ever benchmarks prove good cyber governance matters to shareholder value. They measure stock market performance of companies with good and with bad cyber governance scores. Scores are based on Cyberhedge’s proprietary cyber governance rating methodology. Market performance is tracked by an independent firm. The results show that companies with good cyber governance outperform their peers in US, UK, and EU markets.

Information that we collect

Here you can see and customize the information that we collect about you. To learn more, please read our privacy policy

Continue on website