Cybersecurity Is a Top Investor Concern

3 May 2024

The institutional investment landscape is changing, leaving the participating parties with new questions, concerns, and priorities. Cybersecurity is one of many topics on their minds, especially with so many communications, transactions, and other business operations happening online or through digital and cloud-based platforms.

The recent interest in cryptocurrencies as investments emphasizes that many people are ready to embrace the digital realm. However, investing in digital commodities or aligning with companies offering online platforms and services requires understanding the modern world’s cybersecurity impacts.

What Are Institutional Investors’ Chief Concerns?

A July 2023 McKinsey & Company report interviewed senior executives at 40 of the world’s leading pension and sovereign-wealth funds. The goal was to identify their biggest concerns and their respective coping mechanisms. One takeaway was that respondents aimed to sharpen performance-related competitiveness through purpose, portfolio construction, and proficiency. Many recognized the need for evolving strategies in an increasingly uncertain world.

Interviewees mentioned shifts in the following areas:

  • The world order
  • Technology platforms
  • Demographic forces
  • Resource and energy systems
  • Capitalization

Changes in the world order were significant factors, with 90% of respondents citing them as concerns. Some respondents said geopolitical tensions may necessitate limiting information sharing and dividing their investment operations, while a possible increase in economic regionalization could pose further challenges. This concern also relates to cybersecurity since some wars now feature online attacks from adversaries.

More than four-fifths of respondents chose technology as a focus, and the increasing use of technological platforms caused concerns for some. Besides more investors using tech-centered processes, they’re more aware of cyberattack risks, with such incidents rising globally and across industries. Then, 76% of respondents raised demographic-related concerns, such as aging populations, income inequality, and political polarization.

The results of a different study about family offices featured findings to explain an even stronger cybersecurity connection to demographics. As wealthy people age, they think about how they’ll pass their wealth to younger individuals, usually through inheritances.

Family offices are privately held service providers that assist ultra-high-net-worth individuals with strategic investments to transfer their wealth across generations. The 2024 study from J.P. Morgan polled 190 family offices worldwide, finding nearly 25% had experienced cybersecurity breaches or financial fraud. Additionally, only 1 in 5 had security measures, but 40% identified cybersecurity as a top area of improvement.

Why Do Institutional Investors Care About Cybersecurity?

Institutional investors cannot afford to ignore cybersecurity. Attacks could severely disrupt operations and erode clients’ trust. One study indicated asset managers have already heard feedback from institutional investors. More than 71% mentioned cybersecurity as the top concern expressed.

Emerging Regulations

In 2023, the United States Securities and Exchange Commission established new policies requiring a four-day window for disclosures of significant breaches by public companies. Additionally, these entities must create internal protocols to ensure compliance. Some may request two 30-day extensions of the four days, but only by appealing to the U.S. Attorney General’s office that mentioning the issue sooner would compromise public safety or national security.

People commenting on the developments said companies would need time to comply and invest in cybersecurity accordingly. Some believed company-wide training sessions were essential for teaching employees to recognize and document cyberattacks in progress, especially due to the short reporting period. Although education is a good start, employees also need a reason to care about cybersecurity and understand why they must collectively uphold it. Those ideals will come when the organization has a strong security culture.

A Lack of Risk Specificity

In the United Kingdom, a 2022 report from the Financial Reporting Council warned about the insufficiency of boilerplate cybersecurity disclosures. Publicly traded companies in the region are legally obligated to disclose principal risks for investor transparency.

However, the coverage expressed how failing to disclose cybersecurity risks or using non-customized language to describe them could be red flags that the company has not adequately prioritized digital systems security.

Institutional investors want assurances companies have followed all recommended best practices for preventing cyberattacks. And — if such events have already happened — that the affected parties have done everything necessary to stop repeat occurrences. Otherwise, any investor associated with the attacked companies could experience adverse ripple effects.

Financial Firms Increasingly Breached

Institutional investors’ cyberattack fears are not unfounded. A 2023 study of United Kingdom cyberattacks reported to the Information Commissioner’s Office showed pension firms had only six data breaches from June 30, 2021, to June 30, 2022. However, that number rose to 246 in the following year. Incidents associated with all other financial firms also climbed over that period, with 181 in 2021-2022, and 394 in the following year.

Richard Breavington, a partner and the head of cyber and tech Insurance at RPC, conducted the study. He acknowledged although the prevailing assumption may be that major financial services businesses have robust cybersecurity defenses, attackers still find it worthwhile to attempt infiltration. That could be due to the lucrativeness of successful breaches and the valuable data types institutional investors hold.

Environmental Activists Launching Cyberattacks

Societal trends towards increased sustainability may also spark new cyber risks. For example, one survey found 14% of investors had a requirement to invest in socially responsible products. Another 29% anticipate having one in the next two to three years. Many people with such commitments care deeply about the planet and sustainability, which is good.

However, a small but notable subset has used that passion to launch cyberattacks. In one example, a group of so-called “environmental hacktivists” leaked emails associated with Central and South American mining companies.

New and established knowledge reveals many things that harm the planet — from plastic waste to fossil fuels. Institutional investors could align with companies some people perceive as bad for the planet. If such feelings gain enough traction, hackers could target the digital infrastructures of those businesses, believing their efforts will help the Earth by causing hassles for known polluters.

Institutional Investors Want to See Cybersecurity Preparedness

Tight security measures reduce attack risks, but shareholders benefit from them too. A 2024 study revealed how companies demonstrating advanced security performance have 372% higher shareholder returns than their less cybersecurity-competent peers.

The research also indicated companies become better cybersecurity performers after establishing specialized risk or audit committees to provide board oversight and recommendations. Another takeaway was that heavily regulated industries — such as financial services and health care — achieved the highest cybersecurity ratings. Conversely, the communications sector lagged due to its traditionally less stringent requirements.

Institutional investors seek evidence that companies have preventive measures and can swiftly recover from attacks. When entities have quick, decisive, and transparent responses, such reactions show planning occurred, and leaders are ready to overcome adverse circumstances.

Potential investors should ask for details about a company’s cybersecurity and data protection measures, including:

  • Industry-specific risks and compliance requirements
  • Information about the company’s cybersecurity team
  • How the organization handles internal and external data
  • How much the company relies on external service providers
  • Whether the business has had previous cyberattacks
  • The responses and outcomes of such incidents
  • If the company follows a specific cybersecurity framework
  • The organization’s remote working cybersecurity policies

Third-party audit frequency details are also helpful because they show the company has committed to continual improvement and regular assessments. Specific information will help institutional investors review all the details and reach confident conclusions. No company is perfect, but one with robust preventive measures against cyberattacks demonstrates a strong security posture investors should appreciate.

Awareness Before Acting

All investments include risks, and today’s institutional investors must be proactive in examining companies’ cybersecurity stances before showing serious interest. That approach allows the maximum awareness associated with particular investment decisions, allowing people to study all the variables and determine if they fall within their risk tolerance.

Then, institutional investors can act in their clients’ best interests and protect their businesses and reputations in an increasingly digital, online world with frequent, severe cyberattacks.