Investors are used to weighing up the potential risk and return of any investment vehicle. For individual investors, that has traditionally been a calculation based on things like capital guarantees and appetite for risk.
Today, cyber risk should also be factored in. Whether you’re an individual looking for a home for your nest egg or considering a punt on the stock market, it’s an area that must be addressed. But where to start?
An annual report is a good place, suggests Colm McDonnell, head of risk advisory at Deloitte.
For individuals looking to do due diligence ahead of an investment decision, one of the best indicators that the institution or organisation you are considering investing in takes the issue of cyber risk seriously is the way it addresses the topic in its annual report.
Look for evidence it takes the subject seriously. Its top table matters in this respect. Regardless of the sector it operates in, every business is now a digital business, McDonnell says. It’s a fact which should be reflected in the composition of its board, so look for an IT professional or cyber risk expert at director level.
“What you want is to see people you believe have the skills and expertise to manage cyber risk,” he says. Make sure they talk about cyber risk specifically. Simply talking about their digital strategies or investment isn’t enough, he warns. Next, check them against their competitors to see how they compare.
If you’re considering a direct investment in a company, check that it protects its intellectual property. Be particularly cautious where a company’s biggest asset is its so-called “secret sauce”, the innovative process or ingredient that, if copied or stolen, would considerably undermine its value.
Taking a risk
Unfortunately, the hardest part about assessing cyber risk is that the assessment itself involves taking a risk. “You have to furnish yourself with the facts, and then decide for yourself,” he says.
For example, if, through your due diligence, you discover a company’s website has had a recent “outage” as a result of a cyberattack, you have to consider whether that’s a sign of a lax attitude to cyber risk on its part, or whether, as a result of that attack, “it’s the safest place in town”, he explains.
Looking for cybersecurity certifications, such as ISO/IEC 27001 for information security management systems, can help. You don’t have to understand the nitty gritty, but it will at least indicate that cyber risk is a matter the business takes seriously enough to put time and money into. One caveat: an ISO 27001 certificate covers a defined scope, which may be a single business unit or service rather than the whole company, so check what the certificate actually covers.
Equally, pay attention to evidence of good governance generally. “Cyber risk has to be a really important part of your investment decision-making. You can’t avoid cyber risk, whether you are doing something as simple as putting money in the post office, buying bitcoin or investing in an Irish or global PLC,” says McDonnell.
Technology is ubiquitous, so too is the risk. “Don’t make the mistake of thinking that just because it’s not an online business you’re investing in, the risk doesn’t apply. Computers are now in every part of our life, and in every sector, including manufacturing.”
Hacking has “been professionalised”, he points out. The best safeguard for your investment, therefore, is ensuring you are getting involved with an organisation that takes a similarly professional approach to the risk.
That’s not about simply throwing money at the problem, it’s about choosing an investment vehicle that invests in risk mitigation wisely, “and that goes all the way back to good governance”, he says.
Cyber isn’t an IT issue, it’s a human issue, he points out. Evidence of a strong risk culture is a good sign in any potential investee.
“It’s an arms race out there,” says McDonnell. “The best you can do is try to stay ahead by not allowing yourself to be the low-hanging fruit, so furnish yourself with the facts before investing.”