The relentless attention being paid to cyber-attacks is driving companies to increase cyber security budgets and purchases. In turn, this has led institutional investors and asset managers to see potentially massive returns associated with companies in the cyber security market. Indeed a number of companies that have gone public have had phenomenal success, and the constantly morphing nature of cyber-attacks means that purchasing trends are not likely to slow down any time soon.
However, it is critical to keep in mind that just as cyber security capabilities can be a very attractive component in evaluating a potential investment, they could also lead to potentially negative consequences. Ignorance of some key legal and policy considerations could lead to an improper assessment of the value/future earnings potential of technology investments. These considerations apply regardless of whether or not the technology or service has a core “security” component.
Below are some key issues to consider when making cyber security investment decisions:
- Cyber security matters in every investment
- It is a simple fact that every company faces cyber threats. Multiple studies have demonstrated that essentially every company has been or is currently subject to cyber-attack and that most if not all have already been successfully penetrated at least once. This leads to a key consideration: every company’s cyber security posture should be considered when making investment decisions. For example, a company selling information technology that is less prone to cyber-attacks should be viewed as a better investment than competitors who pay little to no attention to how their products can be breached.
- Cybercrime is cheap
- The cost of conducting cyber-attacks is depressingly cheap: $2/hour to overload and shut down websites, $30 to test whether malware will penetrate standard anti-virus systems, and $5,000 for an attack using newly designed methods to exploit previously undiscovered flaws. Indeed, it is now so cheap to create malware that the majority of malicious programs are only used once – thereby defeating many existing cyber security systems which are designed to recognize existing threats. This all adds up to a cost/benefit analysis that is irresistible for cyber-attackers, and essentially guarantees that the pace and sophistication of attacks will not let up any time soon.
- Cyber security should be in the company’s DNA
- Whether a company is offering a service or a technology, a critical factor to consider is its approach to security. Companies that consider security a key functionality that needs to be integrated from the start of the design process are far more likely to go to market with an offering that has a higher degree of security. Security as an afterthought is just that – an afterthought. Weaving security into the DNA of a service or technology will be extremely helpful in decreasing security risks. Just remember, though, that no security program or process is flawless, and no one should expect perfection.
- Is there a nation-state problem?
- An R&D or manufacturing connection to countries known for conducting large-scale cyber espionage causes heartburn for companies and governments alike. Too many instances have occurred where buying items from companies owned by or operated in problem nation states has resulted in cyber-attacks. In some cases, Federal agencies are prohibited from buying IT systems from companies with connections to specific governments. Investors and managers need to stay abreast of problem countries, and also examine whether the product or service has a connection to such countries. Failure to do so can lead to investments in companies that have limited market potential.
- Do your homework and forensic analyses
- There’s nothing like buying a trade secret only to find out it really isn’t a secret. Before investing in any company, conduct due diligence to determine how good the security of the company is and whether IP or trade secret information has been compromised.
- If the government cares, so should you
- The Federal government is stepping up its requirements regarding cyber security in procurements. That means that all federal contractors (not just defense contractors) are going to have to increase their internal cyber security programs if they want to win government contracts. Failure to have a good cyber security program could lead to lost contracts, and thus decreased growth.
- Words matter
- Companies have been too lax in negotiating terms that explicitly set forth security expectations for IT products as well as who will be liable should there be a breach/attack. Judicious reviews of terms and conditions can help avoid liability following a cyber-attack. For example, companies should not accept boilerplate language regarding the following of “industry standards” or “best practices” with respect to cyber security. Instead, specific obligations and benchmarks need to be agreed upon before signing any agreement. Further, agreements should be drafted to make clear that security measures are the obligation of the other party. That way the investor has set up a stronger argument for recovering losses as well as shifting liability away from itself.
- Insurance isn’t everything
- Companies may be tempted to think that if a company has a cyber-insurance policy, they are protected in the event of a cyber-attack. The reality is that there is an enormous chasm between buying coverage and having claims paid. Cyber policies are increasingly being written and interpreted to cover fewer types of attacks, so do not be tempted to think that cyber insurance can fully protect an investment.
- SAFETY Act
- Under the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act), cyber security services, policies, and technology providers are all eligible to receive either a damages cap or immunity from liability claims. The SAFETY Act also protects cyber security buyers, as they cannot be sued for using SAFETY Act approved items. Possessing SAFETY Act protections should be considered a positive sign and indicative of potential earnings growth.
There is no doubt about it: cyber risks are here to stay. Addressing those risks should be a core component of any business or investment strategy, because even if “today’s problem” is solved, the introduction of new technologies will just mean a new threat vector for adversaries to exploit.
It is not all doom and gloom, however. Paying attention to cyber security trends and doing some simple due diligence will go far in minimizing digital risks. Make no mistake: defenses will always be incomplete and successful attacks will happen. However, with the right processes and approach, the bad outcomes can be minimized and investments will be protected.