Assessing cyber risks in a bond investing context
The covid-19 pandemic is having a profound impact on how companies do business. Fundamentally different ways of operating can have significant corporate risk implications, some of which may not be fully understood.
One of the main trends is the replacement of face-to-face interactions with digitalised communication. While this may spell opportunity for some, it also brings additional risks.
The lack of experience in the digital field for some companies means that such risks can sometimes not be adequately addressed. There is also a danger these risks are not recognised by investors. As bond investors, we have some concerns around data security and customer privacy.
However, help is potentially at hand. A useful starting point for many professional investors is the Sustainable Accounting Standards Board’s (SASB) ‘Materiality Map’. This tool can be used to highlight the well-established issues of concern for each sector. At present the concerns of ‘Customer Privacy’ and ‘Data Security’ are understandably highlighted for industries such as Telecoms & Internet Media. However, at present such risks are not flagged for sectors such as Media & Entertainment services, Food & Beverage or indeed most Consumer Goods.
We see at least two potential problems here. First, there is the increasing blurring of traditional sector categorisations – for example is Ocado a supermarket or a technology company? Second, increasing digitisation is very much a cross-sector trend. While nearly every industry was already heading in this direction, there is little doubt that covid-19 has accelerated this trend. In some cases, companies have needed to increase their online activities to ensure the sustainability of their business. The result of this is that more and more customer information is now being held online. This by itself suggests a generalised increase in cyber risks. However, the bigger issue we think can be companies’ own management of such risks.
Of course, pretty much any business can be targeted by cyber criminals or be prone to inadvertent data leakage. Typically, we find that companies that rely on high levels of consumer trust tend to have better controls regarding customer data and security etc. This applies particularly to finance and healthcare companies, especially larger ones. However, in recent years some companies that might be expected to have robust controls have been caught out. An example in late 2015 the consumer credit rating agency Experian revealed that the personal data of 15 million of its customers had been compromised. Such examples raise concerns about less specialised businesses rapidly changing their operating norms.
There are a number of questions that capital allocators, including bond investors, should consider carefully: is there any evidence of increased capital spending attributable specifically to cyber security? Are corporate governance structures adapting appropriately to ensure these new risks are recognised early and managed effectively? Quite often the best way to get a more complete handle on this is by engaging directly with company managers. Any unconvincing responses should set alarm bells ringing.
Possibly the biggest issue for companies dealing with adverse cyber incidents, is reputational damage. And the risks surrounding this are certainly growing because of increasing negative global publicity around such incidents. Reputational damage can bring not only higher costs but also reduced revenues as consumers switch to alternative, and perceived ‘safer’ suppliers (see chart below).
When it comes to bond investing, the importance of effective cyber risk due diligence is underscored by the proliferating ways in which this can affect companies’ credit worthiness. Owing to rapidly changing ways of doing business, spurred further by covid-19, traditional sector labels are becoming less relevant. In general, the ‘materiality’ of such risks is growing across all sectors, in terms of both potential vulnerabilities and likely business and financial impacts. We think this calls for much greater emphasis on assessing companies’ governance structures and their approaches to managing cyber risks. In our experience, we have found that direct engagement with companies on such matters can be an invaluable input for determining appropriate discount rates and assessing the attractiveness (or otherwise) of bond spreads.