Hundreds of fledgling security companies have sprung up in recent years, promising “next-generation” technologies to fight cyber criminals, government spies and hacker activists. Last year alone, investors poured a record $3.3 billion in capital into 229 cybersecurity deals.
The threats of cybersecurity attacks and breaches aren’t going away, making this market a tremendous growth opportunity for investment. But how many investors really understand the depth of the problem in ways that will enable better, smarter investment decisions?
In April 2016, the Council of Institutional Investors (CII), an association of large institutional investors, released five critical questions investors should ask board members about cybersecurity initiatives. Stating that directors “need not develop advanced technical expertise,” CII suggests three critical activities for them.
Directors should:
• Understand management’s cybersecurity strategy
• Learn where the company’s cybersecurity weaknesses lie
• Support informed, reasonable internal investment in the protection of critical data and assets
While the directors’ role is important, another concern remains: are investors knowledgeable enough about cybersecurity to ask the right questions and understand the answers they hear?
It’s not a question of just being smart. In a recent conversation, an extraordinarily successful portfolio manager with an Ivy League economics degree and a Harvard MBA admitted that he needs to learn more about the realities of cybersecurity to be a better investor.
For him and other investors, knowing more about cybersecurity is not just about investment decisions. Cybersecurity – the attacks, hacks and loss of revenue – was cited by nearly half (47%) the PwC 2015 State of Compliance Survey respondents as their top concern. Security is arguably the #1 topic for corporate boards so investors need to be primed and ready to support and advise on these issues.
For Jim Eckerle, a strategic management consultant and former senior executive at Bank of America and The Hartford, cybersecurity must take center stage at the board level and with senior management.
“For many companies, one of the largest and largely unknown risks is that of a cyber attack,” Eckerle told me. “Execs should understand the current state of their cyber protection and should be looking for ways to strengthen it. This can be processes, increased penetration testing and investment.”
When examining a potential company for investment, Eckerle looks at the known data breaches and site regulatory requirements, and specifically at the training and certification of the company’s Cybersecurity Operations Center (CSOC) team.
Others agree. Earlier this year the National Association of Corporate Directors (NACD) solicited input from investors representing $15.7 trillion in assets under management. NACD reported that oversight of risk management, including emerging and complex risks such as cybersecurity, was a key factor in their investment decisions.
“As the frequency and severity of cyber attacks against global businesses continue to escalate, both companies and their investors are coming to terms with a grim reality: data breaches, or cyber incidents, are no long a matter of if but when,” according to the CII. “Effective cybersecurity risk management starts with the board.” And investors need to know more.
When investors take the initiative to get smarter about cybersecurity, they are primed to make the most of new investments, to position their portfolios for acquisition opportunities, and to demonstrate that they are strategically valuable investment partners.
