Global equities: What equities investors need to know about hack attacks

It’s become increasingly important for equities investors to understand how companies in their portfolios are protected from data breaches, says Pendal’s SUE SCOTT

• Increased focus on cyber security
• Investors need comfort from cyber policies
• Find out about Pendal Concentrated Global Share Fund

AFTER the recent Optus and Medibank data breaches, stockmarket investors may be wondering what to look for when assessing how vulnerable a company is to a hack attack.

Big, listed companies can make attractive targets for hackers.

“The larger the company, the more data it has and the more critical it is to society,” asks Sue Scott, a senior analyst in Pendal’s global equities team.

“These companies are more likely to be targeted for a cyber-attack,” Scott says. “Given our investment philosophy, it’s a particular risk for several of our portfolio companies.

“Understanding the risk, and what is being done by management to mitigate the associated with a cyber-attack on that business is critical.”

Scott use the example of Spanish financial services giant CAIXA, which Pendal has assessed for cyber-security risks.

Find out about Pendal Concentrated Global Share Fund

Read more

CAIXA has the largest IT platform in Spain and processes some 30,000 transactions per second.

“They receive 74 attacks every hour and the number of attacks has increased 2.6 times in 2022 compared to 2021,” Scott says.

Yet CAIXA hasn’t experienced a successful critical attack, says Scott.

What to look out for

Before investing, Pendal scrutinised the policy framework CAIXA has in place to understand preparedness for cyber-attacks and mitigation efforts.

“Importantly we saw that there are very clear roles and responsibilities defined within CAIXA.

“It has a cyber policy that’s corporate wide and mandatory for everyone to comply with.

“They have a specialised Cyber Security Committee which includes executive management representation; an audit team which presents to the board regularly; and three board members with specific technical expertise.  

“Board members receive training and it’s reflected in the KPIs of management.”

An important addition at CAIXA is the Cyber Risk and Compliance role, separate from the Chief Technology Officer role.

“CAIXA felt when tackling cyber security, it’s important to have someone with a technical focus, and someone focused on governance.

“It also undertakes independent assessments of their cyber security capabilities twice a year, as well as complying with  all European regulation regarding cyber safety,” Scott says.

Danger from within

Risks can also come from staff — whether intentional (such as a dissatisfied employee) or unintentional.

CAIXA monitors unusual behaviour among staff and their use of data.

“If there’s any abnormalities exposed then they investigate further,” Scott says.

“For non-intentional risks CAIXA has comprehensive training programs for staff and customers.”

One challenge is the ability to attract the relevant talent into a cyber security division.

“Everyone wants technical talent now to negate cyber risk. The fact that CAIXA has scale and is heavily resourced has helped attract people and keep the attrition rate very low,” Scott says.  

“It gives us a lot of comfort talking to them, helping us understand what good looks like in terms of a cybersecurity policy and implementation of that policy.

“While good policy and technical expertise aren’t enough to prevent all attacks, they do mitigate the risk of an attack where critical business functions are affected, and reputational damage is inflicted.”