Investors intensify focus on cyber security

Cyber security as the main topic at the annual Finsif seminar last Wednesday sends a strong signal that the issue is likely to increase in importance for investors over the coming years.

Cyber security is perhaps not the first thought that springs into mind when thinking about investments but it is becoming increasingly important, whether that relates to a company's processes and systems or an investor doing due diligence into potential opportunities.

In its annual seminar in Helsinki last Wednesday, Finland's Sustainable Investment Forum (Finsif) gathered some of the biggest players in the Finnish financial market to discuss cyber security and why should investors keep on top of the issue. Although many would have brushed off the topic a decade ago as being more of a concern for technology companies, investors are becoming increasingly aware of the importance of cyber security and the fact that it should not be ignored any longer. “The importance of cyber security and issues relating to it has grown together with the importance of technology,” says Hanna Hiidenpalo, chief investment officer of the EUR 23.7 billion Elo. She says that investors’ increased capacity to take advantage of different data sources, analytics and an application programming interfaces (APIs) has intensified the focus on cyber security. “Every company is a software company one way or another. There’s really no new development without cyber security being part of the equation,” Hanna Hiidenpalo tells FBNW. She says this is one of her main take aways from the conference.

Her statement echo those of Mikko Hyppönen, chief research officer for the Finnish cyber security and privacy company F-Secure, who, in his presentation “The state of the net” presented case studies and figures on how much ignoring cyber security could roughly cost a company. The latest addition to OP’s ESG team, Annika Manninen, tweeted about a case study presented by Mikko Hyppönen, where hackers managed to cause a few thousand euro in losses to a farmer by hacking the farm’s milking equipment.



However, as Mikko Hyppönen notes, the losses are not always on the scale of a few thousands but can add up to hundreds of millions of euros. That was the case for the Danish shipping giant Maersk that lost 40,000 laptops, several internal servers, priceless amount of data and suffered USD 300 million in losses after being hit by the infamous Petya ransomware. The company was only rescued by a random server in Africa that had been offline due to a power outage.

Events such as these should get investors to comb through future investment opportunities with a closer focus on issues surrounding cyber security. For instance, is a company collecting data from its customers and how is the data stored? How is the company protecting its servers and is it even considering cyber security beyond the random firewall? Ethical issues, such as how the data that many companies are collecting is being used, will also come to play in the long run now that regulators have woken up to the fact that all companies, no matter how small, are using some type of software programs when conducting operations.

Annika Tanttinen from KPMG also shared insights into how dealing with cyber security can increase the value of a company and benefit the investors. “Organisations must have insight into what’s at stake – mapping the crown jewels is key to building a successful cyber strategy,” she noted in her presentation. The evening’s first speaker, Jarno Limnéll, professor of practice, cyber security at Aalto University, also pointed out that cyber security is increasingly viewed as a competitive edge for companies by the investors. This is not least as the amount of data around has grown a tenfold between 2010 and 2017 and it is expected to grow 10,000 times by 2050 from the 2017’s 18.3 zettabytes.

“As an investment case, cyber security is a big financial risk for many companies,” says Hanna Hiidenpalo, who also took part in the panel talk at the seminar. She adds that privacy and data security is part of Elo’s ESG screening process. However, she points out that the pension company relies exclusively on information that is available through public channels but questions whether that is enough. “Many companies are very reluctant to speak about matters of cyber security and it’s hard for us investors to get information on these matters,” she says, adding that perhaps third party auditing or even increased reporting could be part of the solution.