Views on the crisis through a cyber-financial lens
Cyber governance performance is a key factor in determining how companies will manage through the crisis. Cyberhedge’s premium research on industries and companies impacted the most is available for all to read.
The cybersecurity sector is broken. But what really matters is how well or poorly companies are managing technology risk. Transparency and better governance are part of the solution.
Top cyber security experts highlight that the difficulty in assessing the quality and capabilities of cybersecurity products has led to a broken market. In this market, customers have low confidence in their ability to properly analyze, assess and manage products on the market, as well as their own organization’s overall cyber security posture.
Half-trillion-dollar cosmetics industry upended by digital, cyber risks are growing and investors should be asking the right questions
Technology and the COVID‑19 pandemic are combining to rapidly transform the beauty industry. Artificial Intelligence (AI) and Augmented Reality (AR) allow a degree of personalization that is helping offset the loss of in-person product sampling that has long been a cornerstone of the cosmetics industry. Imaging and analysis technologies can detect issues such as skin oiliness, wrinkles and dark spots in a way that previously could only be done face to face.
Employees want remote work to become permanent, requiring fundamental changes to enterprise cyber security
A Tessian survey of 250 IT leaders and 2,000 working professionals in the US and UK conducted in August revealed that 1/3 of employees will not consider working for a company that does not offer remote working, and only 11% replied that they want to work exclusively in an office post-pandemic. 75% of IT leaders agree that permanent remote or ‘hybrid’ work will become the norm post-pandemic, and 85% report that this will increase pressure on their and their team’s abilities to secure IT systems.
In wake of ransomware attack on billion-dollar eyewear giant Luxottica investors should ask the right questions
Billion-dollar eyewear giant EssilorLuxottica (EL) has reportedly suffered a ransomware attack that led to the shutdown of operations in Italy and China last week. It appears to have disrupted web-based commerce sites like Ray-Ban and LensCrafters.
Airlines are heavily exposed to the revenues—and risks—of their credit card affiliation programs
Credit card affiliations at airline loyalty programs provide a significant revenue contribution to the airlines and have grown sharply during the COVID‑19 disruptions. Delta Air Lines received $4.1B in 2019 (approx. 9% of Group revenue) from their co-branded credit card program with American Express, up from $1.7B in 2012. Revenue from this program has been relatively stable in 1H20 (down only 5% from 1H19) as consumer spending using Delta-branded AmEx cards has been uncorrelated with the collapse in air travel. As a result of this stable credit card related revenue while airline ticket sales have collapsed, credit card affiliation revenue was well over 50% of Group revenue in 2Q20. United Airlines’ recent disclosures reveal that its credit card loyalty program is also a significant source of revenue.
Possible to know in advance what retail companies will be market leaders and laggards on the basis of digital transformation
As retail has been disrupted nearly as much as any sector in the wake of COVID‑19, there are some clear lessons learned on how the landscape has dramatically shifted. Companies that were executing well on digital strategies have outperformed while those that weren’t have not only underperformed but many are no longer in business.
Shift in focus from ‘efficiency’ to ‘resiliency’—in part due to cybersecurity concerns—will impact corporate Capex and Opex decisions
The US Department of Energy is expected to release detailed proposals by the end of September limiting the use of foreign equipment in the US power grid. These follow a May 1, 2020 Executive Order by President Trump ordering a ban on the use of utility infrastructure manufactured by ‘foreign adversaries’ due to the risk they pose to the power grid’s cybersecurity. Complying with the order will be complex due to the current reliance on foreign suppliers as well as global supply chains which stretch across many countries. In addition, vendor lists for utilities often number in the hundreds or even thousands and ensuring each one is in compliance will be a time-consuming—and expensive—task.
Report makes the case that when it comes to the financial impact of ransomware, remediation is critical
Rubrik, a leading data center backup and recovery provider, recently released a report analyzing the best approaches to managing the financial cost of ransomware. It contends that one reason the financial cost of operational disruptions is so high is that most of the focus and resources are placed on prevention rather than recovery. The report claims that a ‘belt and braces’ approach—one that ensures backups cannot also be easily compromised when core IT infrastructure is impacted—helps limit data loss and operational damage. Yet in 23% of cases, backup data was affected prior to the ransomware attack being identified. 30% of those who had experienced a ransomware attack said that it took days to recover.
Levi’s is accelerating digital transformation in face of declining revenues
Following a reported 62% drop in revenue in Q2, Levi’s is outlining the steps it is taking to accelerate its own digital transformation amid COVID‑19. Steps include investing in online sales growth and direct-to-consumer sales in addition to scaling down physical store growth from the planned 100 this year to 70.
CEO Chip Bergh’s comments during the company’s recent earnings call captured this strategy well.
1-Star UK Industrial Melrose is missing the paradigm shift of digital transformation.
As retail bankruptcies continue, a look at how well or poorly companies are executing digital transformation strategies can tell investors who might be next
In the words of one commentator, COVID‑19 has been the final blow for several retailers that were considered ‘the walking wounded’ prior to the pandemic. The two dozen Chapter 11 filings this year have exceeded 2019’s total and show no signs of slowing down as the disruption and uncertainty continue into the second half of the year.
IBM Cloud revenues surge 30% amidst overall company revenue decline of 5.4% in 2Q20
IBM 2Q 2020 earnings are a tale of two business models. Revenue from its cloud-related businesses surged 30% to $6.3b, while overall group revenue declined 5.4% to $18.12b. 2Q net income was $1.36b. Services and Consulting businesses were weak spots as client companies look for cost savings and postpone spending in the wake of COVID‑19, with CFO Kavanaugh noting that “many clients continued to delay projects, defer purchases, and favor opex over capex spending.”
SEC issues warning on increasing ransomware threat to financial services firms
The SEC’s Office of Compliance Inspections and Examinations (OCIE) warned of a recent increase in the sophistication of ransomware targeting financial service providers. The OCIE issued guidance on tactics and techniques organizations can use to guard against these attacks, broken down into six key areas:
Incident response and resiliency policies, procedures and plans; operational resiliency; awareness and training programs; vulnerability scanning and patch management; access management; perimeter security.
Operational disruption risks on the rise for industrial companies, putting a further premium on strong cyber governance
The Honeywell USB Threat Report 2020 called attention to the rising threat facing industrial control systems (operational technology) amid the continued digitization of industrial processes. According to the report, “as the second most prevalent attack vector into industrial control and automation systems, USB devices continue to play an important role in these types of targeted attacks.”
Latest Citrix patches another reminder of operational risks facing companies today
Citrix has issued patches for 11 CVE-listed security vulnerabilities in its various networking products. This is the third in a series of ‘must patch’ vulnerabilities in recent months for Citrix, and it comes on the heels of a public breach the company announced in March of 2019.
Most ESG Indices outperforming non-ESG peers in 2020
The Financial Times reports that over the first 4 months of 2020, the S&P 500 ESG Index outperformed the normal index by 0.6%, and the MSCI Emerging Markets ESG Index and Asia-focused Asia ESG leaders index outperformed their parent indices by 0.5% and 3.83% respectively. BlackRock also reports outperformance by most ESG indices globally over their non-ESG peers.
DXC Technology breach the latest example of how cyber governance of a service provider can create financial risks for clients
DXC Technology, an already struggling IT services provider, was hit by a ransomware attack that has paralyzed part of its business. According to the company, the part of its business impacted was Xchanging, “primarily an insurance managed services business that operates on a standalone basis.” As of July 5th, DXC indicated it was confident the damage was confined to this part of the business.
Swiss Re calls for more transparency on cyber risk
Swiss Re, the world’s second largest reinsurer, has called for companies to release ‘cyber resilience’ reports, saying there needs to be more transparency into how prepared they are to defend against attacks. The company indicates that in the wake of COVID‑19, there will be greater pressure on companies to demonstrate how resilient they are in the face of increasing risks.
IBM survey of remote workers shows companies slow to respond to new challenges
The IBM Security Work from Home survey of more than 2,000 newly remote employees in the US reveals unpreparedness for remote work, and also provides a picture of companies slow to implement new training in response to this increased threat environment.
Cognizant hit by attack that raises future risks both for itself and its clients
Cognizant, one of the world’s largest IT outsourcing companies, disclosed this spring that cybercriminals “exfiltrated” data related to employees’ corporate credit cards among other personal data including Social Security numbers, tax IDs, financial account information, and driver’s license and passport details.
Solarium Commission correct to draw parallels between the pandemic and significant cyber attack
The US Cyber Solarium Commission’s recently released white paper, Cybersecurity Lessons from the Pandemic, draws parallels between the disruptions of the pandemic and the disruptions the US would experience during a significant cyber attack.
Accelerated by COVID‑19, L’Oreal’s digital shift helped stem sales losses and positions company well for future if it can effectively secure online assets
L’Oreal, the largest cosmetics company in the world, has seen a huge increase in digital engagement and online sales during the COVID-19 shutdowns, and expects these trends to stick and even increase in the coming years. Echoing other companies that have seen a similar acceleration due to the pandemic on their digital initiatives, Chief Digital Officer Lubomira Rochet remarked: “In ecommerce, we achieved in eight weeks what it would have otherwise taken us three years to do.”
Ransomware attack on Lion shows how technology governance matters more today than ever for every company, even a brewer
Australia and New Zealand’s largest drinks manufacturer, Lion, was hit by a ransomware attack on June 9th. As of Monday June 15th, systems were still ‘partially down’.
Per Lion: “Our investigations have shown that a partial IT system outage at Lion is a result of a ransomware attack. In response, we immediately shut down key systems as a precaution. We have made good progress, however there is still some way to go before we can resume our normal manufacturing operations and customer service.”
Zara owner Inditex to close 1,200 stores as part of its digital transformation strategy
Zara owner Inditex reported that it will permanently close 16% of its global outlets (1,200 stores) by the end of 2021 and shift towards a strategy more focused on online sales. This trend of increasing online sales was already growing pre-COVID‑19, but has accelerated due to the pandemic. Inditex’ online sales increased 95% in April, and the company estimates that online sales will account for more than 25% of total sales by 2022, up from 14% in 2019. Inditex will spend 1b euros on digital investments over the next three years to support its online sales efforts. Most of the store closures will take place in Europe and Asia.
Ransomware hits cyber governance underperformer Honda at an already difficult time
A ransomware attack disrupted Honda’s global operations on Monday, and is suspected to have penetrated the company’s corporate network. This comes at a time when Honda was just getting operations back to fuller capacity after the COVID-19-driven complete suspension at major facilities, and while it is struggling with a drop in auto and motorcycle sales in every major market. Honda staff were advised not to access their work computers on Monday, and to take paid leave on Tuesday if possible.
“Now is the time to expedite digital transformation”—ECB President Lagarde
ECB President Christine Lagarde’s comments to the Committee on Economic and Monetary Affairs of the European Parliament positioned digital transformation as an important priority for Europe’s economic recovery effort.
Lagarde: “Another key dimension is the digital transformation. Here, the recent lockdowns have accelerated the adoption of digital technologies on a broader basis. Now is the time to expedite the digital transformation on a more permanent basis and bring the EU to the frontier of the digital economy.”
Manufacturers digitizing at a faster pace as Kaspersky warns of targeted attacks on industrial systems
Industrial companies are greatly increasing their use of data management tools both as a response to COVID-19 workforce reduction issues, and due to the productivity improvements good data monitoring, analysis and control can provide. Annual spending on these tools is forecast to increase from $5b/year today to $20b/year by 2026.
Meanwhile, Kaspersky detailed a series of attacks in Japan, Italy, Germany and the UK which targeted suppliers of equipment and software for industrial companies.
Macy’s $1.1 billion bond sale a reminder of financial constraints
Macy’s announced a $1.1 billion bond sale to help shore up the struggling retailer’s balance sheet as it navigates the COVID‑19 shutdown. The fresh injection of capital is needed to pay down short-term debt maturing in January 2021 and fund operations in the immediate term.
McAfee reports 630 percent increase in external attacks on cloud-based services
Data from 30m McAfee MVISION Cloud users worldwide between January and April 2020 show external attacks by hackers on companies’ cloud-based systems have increased 630 percent following the mass migration to work from home. Overall enterprise use of cloud services has increased by 50 percent over the same time period. Use of Cisco Webex has increased 600 percent, Zoom by 350 percent, Microsoft Teams by 300 percent and Slack by 200 percent. Attacks by ‘insider threat’ categories (i.e. employees working from home) have remained the same, indicating that employees do not ‘attempt to steal more data because they are working from home’.
HTZ the latest example of the COVID‑19 acceleration of outperformers and underperformers. One difference maker? Digital technology.
A WSJ article chronicled how HTZ was struggling long before COVID‑19, including reference to its belated digital shift relative to peers and repeated missteps with regard to its digital strategy. This reportedly included adverse impacts on fleet management while it cycled through four CEOs in less than 10 years.
EasyJet breach a one-off or evidence of a larger problem? The answer will tell investors how well or poorly the carrier is positioned to weather the COVID‑19 crisis
British low-cost carrier EasyJet (EZJ) disclosed a customer data breach that the company says impacted 9 million customers. A majority of the data stolen was reportedly email and physical addresses, but a smaller percentage of customers reportedly had credit card details stolen. EZJ first became aware of the breach in January.
UK survey reports 51 percent of companies spend at least 40 percent of their IT security budget on compliance
Companies are struggling with increasing compliance burdens that are taking up significant portions of corporate IT budgets and time. 51 percent of respondents report that compliance requirements take up 20,000 hours of resources annually. In addition, 58 percent of companies report that compliance requirements are a barrier to entering new markets. 70 percent say they must manage at least five different compliance projects at any given time, while 7 percent work on 50 or more projects at any given time.
A well-managed company overall, FERG has executed effectively on its digital strategy and invested sufficiently in security to manage the downside financial risks associated with its increased digitization. Strong execution on e‑commerce, its customer sales and maintenance and back-end operations has yielded tangible benefits to the business, helping management deliver on key KPIs including solid margins. This has contributed to FERG’s 4-Star cyber governance rating (out of 5) on a regional basis and 5-Star rating on a relative basis among European industrials.
The failures of J. Crew and Neiman Marcus highlight the importance of applying a Cy-Fi lens in today’s market
A New York Times story explains how the fall of two retail giants, J. Crew and Neiman Marcus, stemmed not only from the pandemic but also from the involvement of private equity firms and the financial over-engineering they deployed. The longstanding weaknesses of some traditional bricks-and-mortar retailers, which include belated or poorly executed digital strategies, are also directly related to an inability to make big investments due to being overleveraged. These weaknesses were further exposed by the pandemic, resulting in the recent bankruptcy filings.
Vulnerability in Cloud server infrastructure software SaltStack infects servers, leaving them vulnerable to breach
Vulnerabilities in SaltStack software were used as a vector to infect cloud servers with malware or other exploits, with over 6,000 master servers reportedly infected and directly exposed to the internet according to the company, allowing them to be breached. The vulnerabilities were discovered about two weeks ago, and several networks have already reported that they have been breached and had cryptocurrency mining malware deployed onto their servers. More damaging attacks such as data theft and ransomware are possible. A patch is now available for the vulnerability.
Pitney Bowes’ latest ransomware breach further evidence of persistently poor cyber governance
Pitney Bowes Inc. (PBI) experienced a second ransomware attack in seven months on May 4th. The ransomware gang Maze claimed to have breached and encrypted the company’s network. The incident was confirmed by PBI in a statement: “Recently, we detected a security incident related to a ransomware attack. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited.”
PBI is working with its security partner IBM Iris to complete forensic analysis on the attack.
Some companies slow spend on digital transformation but larger trend is still clear
Citing a recent report by market research firm Canalys, the WSJ depicts a mixed picture on market-wide digital transformation prospects. Though Microsoft’s year-on-year enterprise cloud growth grabbed headlines, also included in results was the company’s admission that multi-year licensing deals were slow to complete in the final weeks of the quarter—just as the COVID‑19-induced slowdown was taking hold. Some analysts see a positive long-term trend towards digital being brought forward by the pandemic. Others see a slowdown in IT spend and longer-term licensing commitments and investment in cloud initiatives like further AI adoption in the short term as companies scramble to cut costs.
In the wake of COVID‑19 and the global lockdown, IWG has lost two-thirds of its market value in the span of two weeks. Though it was considered to be in a strong position to take advantage of WeWork’s financial governance failure heading into 2020, the Cyberhedge cyber-financial model alerted us to the potentially negative impact of its weak cyber governance prior to the current market troubles.
Survey reveals significant deterioration in corporate cyber governance amidst transition to COVID‑19 remote work
A survey by Barracuda of over 1,000 business decision makers in the UK, US, France and Germany reveals significant cyber security deterioration from the recent sudden shift to remote working. 51 percent have seen an increase in email phishing attacks, 51 percent say their workforce is not proficient or properly trained in the cyber risks associated with remote working, 46 percent are not confident that their web applications are secure, 50 percent allow employees to use personal email addresses and personal devices to conduct company work, and 49 percent fully expect to see a data breach or cybersecurity incident in the next month due to remote working. Despite this clear increase in the threat surface, 40 percent of the companies have cut their cybersecurity budgets as part of COVID‑19 cost saving measures.
Fitch expects COVID‑19 related economic impacts to test the growing cyber insurance market due to risks around cloud-related breaches and other operational disruptions that could result in capital constraints and impact ratings.
“Two years’ worth of digital transformation in two months”
“We’ve seen two years’ worth of digital transformation in two months. From remote teamwork and learning, to sales and customer service, to critical cloud infrastructure and security—we are working alongside customers every day to help them adapt and stay open for business in a world of remote everything,” said Satya Nadella, chief executive officer of Microsoft on the announcement of strong Q3 results today.
Less than four months after cyber breach, Travelex puts itself up for sale
Travelex announced that it is seeking offers and that interested parties should contact PricewaterhouseCoopers. Travelex’s business was severely impacted by its December 2019 cyber breach, which put the company in a very difficult financial position even before COVID‑19 disruptions hit.
Underprepared employees increase cyber risk, and are one reason some companies are less resilient in face of COVID‑19 disruptions
A survey of 2,000 remote workers in the UK reveals that two-thirds have not received cybersecurity training over the past year, and 61 percent said they were using personal devices to work remotely instead of corporate-issued devices. Despite these shortcomings, 77 percent reported that they are not worried about security while working from home.
Corporate and internal IT networks primary source of breaches
A recently published Trustwave report looking at cybercrime globally found that far and away the most common environment breached is corporate and internal IT networks (54%), followed by ecommerce (22%) and the cloud (20%). In the thousands of incidents studied, the report found that 50% of breaches across all environments stemmed from phishing and social engineering.
Though Home Depot (HD) was caught up in the early COVID‑19 market turmoil, it is better positioned to weather the crisis thanks in part to consistently above-average cyber governance overall (4-star rating out of five stars) and its position as a 5-star leader in its peer group. This takes on greater importance for a consumer staples company with a business-critical digital strategy that drives greater margins and improved productivity. HD was already well along in the execution of this strategy before the lockdowns commenced—a strategy Cyberhedge views as a solid hedge against macro events such as COVID‑19 and a recession.
Cyber Governance Alert: Ryanair
Ryanair entered 2020 in decent financial shape relative to other low cost airlines. But in addition to the COVID‑19 disruption, poor cyber governance poses a risk to the company’s industry-leading operating margins, the key enabler for RYA’s aggressive pricing and thus market share growth post-COVID‑19.
Exponential rise in ransomware attacks is not just a cyber risk, it’s also a primary financial risk
Zurich Insurance outlined how companies can defend against ransomware at a time when cyber vulnerabilities have increased amidst the COVID‑19-induced shift to remote work. The approach leverages the NIST framework, widely seen as the global standard for improving cyber defense.
World’s second largest container shipping company MSC suffers a network outage, possibly due to a cyber attack
MSC reported Friday that a network outage is affecting systems at its Geneva headquarters, and that a cyber attack might be responsible. As of Tuesday 16:00 GMT, the MSC website is still down and the company has released very little new information. General operations appear not to be widely impacted yet, but precedent shows that an operational disruption can be extremely value destructive to a company like MSC.
US Department of Justice calls for mandatory data breach reporting
At a hearing on March 4 before the U.S. Senate Judiciary Committee, Department of Justice (DoJ) Deputy Assistant Attorney General for National Asset Protection in the National Security Division Adam Hickey called upon Congress to enact legislation that would create a uniform nationwide data breach disclosure law and include a requirement that companies report breaches not just to customers but also to law enforcement.
Absence of ceasefire by ransomware hackers towards the healthcare industry means providers still need to maintain focus on cyber to reduce risk of additional shocks
Ransomware attacks on the healthcare industry continue at the same frequency as before COVID‑19, despite recent promises by some hacker groups to avoid targeting the industry during the current crisis.
Corporate bond downgrades increase financial constraints on companies needing to improve cyber governance
A Wall Street Journal article outlined the accelerated pace of corporate bond downgrades amidst the COVID‑19 pandemic and economic crisis. It has been the swiftest pace of downgrades on record over the last two weeks. Ford was the latest big name to be downgraded to junk, while approximately $90bn of debt was downgraded in March, and some estimate the number to reach $200bn this year.
Benefits of company digital tools like Zoom come with cyber and financial risks
As Zoom’s popularity has exponentially increased in recent weeks due to the mass migration to remote work, reports on security flaws continue to trickle out. Former NSA hacker Patrick Wardle shared with TechCrunch two new security flaws that can be exploited to grant hackers physical control of a victim’s computer. Malicious code can be injected into a computer via a Zoom installer to gain root access—the highest level of user privileges.
Enterprise VPN and RDP use soars as COVID‑19‑driven remote work increases breach risks
Enterprise use of VPNs has increased by 33 percent, and use of Remote Desktop Protocols (RDP) has increased by about 40 percent over the past month as companies respond to COVID‑19 by having employees work from home. These systems increase the risk of a breach of company IT systems as they are inherently less protected than onsite systems and as employees use external access systems that they are less familiar with.
Macy’s e-commerce business has gone from rare nice growth story to a lifeline for a company fighting to survive in face of COVID‑19
Macy’s announced it is furloughing a majority of its 130,000 staff globally in the midst of the COVID‑19 crisis that has ground brick-and-mortar retail to a halt. Staff that remain will maintain e-commerce, distribution, and call center operations.
Marriott customer data breach is a continuation of a concerning trend for the world’s largest hotel chain, which lacks the financial capacity to fix what is a structural problem, not a one-off incident.
Update to Cyber Governance Alert: Hertz
COVID-19-related travel disruptions are having a material impact on Hertz’s (HTZ’s) operations and financial position, as well as increasing the likelihood of an operational problem related to its poor cyber governance.
Update to Cyber Governance Alert: Informa
COVID-19 disruptions to travel and global business operations are having a significant negative impact on Informa’s (INF’s) core customer events business and its financial position.
Update to Rapid Response: Travelex/Finablr
A cyber attack stopped Travelex’s operations. It never fully recovered due to lack of cash to respond. The COVID-19 pandemic will weaken many companies’ cash positions in the coming months, also resulting in an inability to adequately respond to cyber attacks.
Companies face increased IT threats from targeted COVID‑19‑themed phishing attacks
The unprecedented challenges posed by the COVID‑19 outbreak extend to securing companies’ IT networks, and this event may be the biggest cybersecurity threat ever. Threat surfaces are also increasing dramatically as large numbers of workers are forced to work from home, often with systems and procedures that are different from those they are trained on and familiar with in their workplace.