Earlier this year, on Friday, May 12, somewhere in Europe someone reportedly opened an attachment in an email that quite literally went viral. This was the beginning of an outbreak spread via file-sharing networks, which resulted in over 10,000 organizations’ and 200,000 people’s computers in 150 countries being infected by the sinisterly named WannaCry software. By exploiting a weakness in unpatched versions of Windows, the rogue software encrypted files on the computers and demanded $300 in bitcoin for the key to unlock them. Whoever paid must be wondering how long they will be on hold on the hackers’ helpline.
It is reported that the hackers only managed to scam $30,000 before being stopped by an entrepreneurial young security researcher who noted a reference in the bug’s code to an unregistered domain name. This domain name, which the self-taught IT expert registered for under $11, acted as a kill switch, neutralizing the software.
Worryingly, but unsurprisingly, there are already allegations of a second version of the bug circulating, possibly without this kill switch in the code. The origins of the attack are as yet unknown; however, one computer giant’s chief legal officer explained that the method was, insidiously, “drawn from exploits stolen from the National Security Agency … in the United States” and “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”
While the bug was disarmed before many ransoms were paid, it did cause significant disruption to businesses and public services globally. In the UK, 48 NHS trusts were hit, causing them to cancel and delay treatments, and across Europe, the US and Russia numerous other businesses and public services reported similar issues and disruptions.
The sheer number of companies affected is perhaps an insight into the quality of global corporate IT systems –a patch to this vulnerability had been issued in March of this year – but we believe it is also an indication of the extent of the challenge to update and protect critical systems and sensitive data from cyber attacks. For example, while it might be easy to update a computer terminal sitting on a desk in an office with the latest security patches, it is much less simple to protect a piece of hospital equipment or critical infrastructure that might be running a version of a piece of software that is no longer supported.
It is particularly interesting to note the breadth of the sectors that quickly discovered they were vulnerable. While it might be tempting to assume cyber risks are material to only a small few sectors, Verizon’s 2017 Data Breach Investigations Report (DBIR) confirms that cyber security is an issue that all companies should assess. Even if a company’s own systems are sufficiently protected, supply chains and service providers can create vulnerabilities – take for example the large number of incidents reported in the professional sector listed in the chart below.
Our suspicion is that many businesses are woefully unprepared for this risk; PWC’s 2016 Cybercrime survey found that only 37% of the organizations surveyed had a cyber incident response plan. To add to the issue, the hackers are able to act much more quickly than companies in defending themselves, and the trend appears to be getting worse. As the below chart shows, while the time taken for systems to be compromised is often very short, the time taken to discover the hacking is far longer.
Source: Verizon DBIR 2016
Another piece of work by PWC found that while 61% of CEOs surveyed are concerned about cyber security, less than half of board members request information about their organization’s preparedness for a cyber attack. Research by EY revealed that 87% of board members and C-suite executives lack confidence in their organization’s level of cyber security. These statistics suggest a significant need to improve board-level, strategic understanding of cyber risks at companies; for this reason it is a key responsible investment research and engagement topic at Newton across all sectors.
However, we believe this also presents potential investment opportunities in companies that can help businesses protect themselves. IDC assesses that the amount of digital data is doubling every year and by 2020 will reach 44 zettabytes (that’s 44 trillion gigabytes to us), much of which will be sensitive and need protecting. The regulatory backdrop is moving quickly as well: for example, under the EU General Data Protection Regulation that comes into force in May 2018, companies will be liable for fines of up to 4% of annual global revenues for privacy and data breaches.
Stock selection in this area can be challenging given the rapidly evolving nature of the threats and the speed with which technologies can become redundant. However, we believe our ‘security’ and ‘net effects’ investment themes provide us with vital perspective on this landscape, highlighting the potentially attractive backdrop for demand for cyber protection, driven by the digitization of data and the ‘connectivity of things’.
 http://www.discus.co.uk/2017/05/twenty-per-cent-of-nhs-trusts-affected-by-wannacry-ransomware; https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html?mcubz=0
This is a financial promotion. Material in this publication is for general information only. The opinions expressed in this document are those of Newton and should not be construed as investment advice or recommendations for any purchase or sale of any specific security or commodity. Certain information contained herein is based on outside sources believed to be reliable, but its accuracy is not guaranteed. You should consult your advisor to determine whether any particular investment strategy is appropriate. This material is for institutional investors only. Any reference to a specific security, country or sector should not be construed as a recommendation to buy or sell this security, country or sector. Please note that strategy holdings and positioning are subject to change without notice.
This is a financial promotion. Issued by Newton Investment Management Limited, The Bank of New York Mellon Centre, 160 Queen Victoria Street, London, EC4V 4LA. Newton Investment Management Limited is authorized and regulated by the Financial Conduct Authority, 12 Endeavour Square, London, E20 1JN and is a subsidiary of The Bank of New York Mellon Corporation. 'Newton' and/or 'Newton Investment Management' brand refers to Newton Investment Management Limited. Newton is registered in England No. 01371973. VAT registration number GB: 577 7181 95. Newton is registered with the SEC as an investment adviser under the Investment Advisers Act of 1940. Newton's investment business is described in Form ADV, Part 1 and 2, which can be obtained from the SEC.gov website or obtained upon request. Material in this publication is for general information only. The opinions expressed in this document are those of Newton and should not be construed as investment advice or recommendations for any purchase or sale of any specific security or commodity. Certain information contained herein is based on outside sources believed to be reliable, but its accuracy is not guaranteed. You should consult your advisor to determine whether any particular investment strategy is appropriate. This material is for institutional investors only.
Personnel of certain of our BNY Mellon affiliates may act as: (i) registered representatives of BNY Mellon Securities Corporation (in its capacity as a registered broker-dealer) to offer securities, (ii) officers of the Bank of New York Mellon (a New York chartered bank) to offer bank-maintained collective investment funds, and (iii) Associated Persons of BNY Mellon Securities Corporation (in its capacity as a registered investment adviser) to offer separately managed accounts managed by BNY Mellon Investment Management firms, including Newton and (iv) representatives of Newton Americas, a Division of BNY Mellon Securities Corporation, U.S. Distributor of Newton Investment Management Limited.
Unless you are notified to the contrary, the products and services mentioned are not insured by the FDIC (or by any governmental entity) and are not guaranteed by or obligations of The Bank of New York or any of its affiliates. The Bank of New York assumes no responsibility for the accuracy or completeness of the above data and disclaims all expressed or implied warranties in connection therewith. © 2006 The Bank of New York Company, Inc. All rights reserved.