Cybersecurity – expert views on how to shelter your portfolio

Cyberspace is the Wild West of our digital age. But the currency isn’t gold, silver or counterfeit bank notes, it’s data.

In 2023, nearly one third of all UK businesses faced a cybersecurity breach or attack, increasing to just over two thirds for large companies. These attacks can be expensive – the average cost of a data breach globally reached $4.45 million last year, up 15% over three years.

But good cybersecurity isn’t just about companies safeguarding their own operations and cash. They need to make sure companies in their supply chains have strong controls too. Suppliers, usually smaller companies with limited resources, can inadvertently introduce vulnerabilities and cause some chinks in the armour.

As companies struggle with this new cyber secure reality, investors are taking note of how important protecting data is to the value of their investments. Understanding exposure to companies with poor cyber controls is key to making sure your investment doesn’t just grow, but can survive the high noon showdown of digital threats in cyberspace.

How some of the fund managers from our Wealth Shortlist have managed cybersecurity risk in their portfolio.

This isn’t personal advice. Remember, all investments and any income they produce can fall as well as rise in value – you could get back less than you invest. If you’re not sure an investment is right for you, ask for financial advice.

Matt Evans, Ninety One UK Sustainable Equity

Cybersecurity is a universal risk, especially impactful on data-focused businesses.

Last year, one of the fund’s holdings, Morgan Advance Materials, suffered a cyber incident which led to significant operational challenges. The firm has recovered from this incident but had to manage a fall in sales of £10m as they couldn’t process business.

Morgan Advance have taken exceptional costs in experts to rectify issues of around £15m and pulled forward planned spend in IT to strengthen their systems of over £10m. The short-term sales loss and exceptional costs will not be recovered but the investment in IT will improve business operations going forward, improve efficiency and lead to far better cybersecurity.

This underscores the imperative of constant cybersecurity investment and robust defence mechanisms needed for all businesses, as risks persist and evolve.

James Thomson, Rathbone Global Opportunities

Visa and MasterCard are both holdings in the fund and face the risk of a systematically significant event should either of their payment networks face a breach. As such it is vital both firms maintain strong and resilient cybersecurity controls.

My previous conversations with the CEO of Visa indicated that this area has an unlimited budget and is a standing agenda item at every board meeting. The network itself cannot be breached using traditional cyber hacking techniques and would need to be physically breached at their network data centre (location undisclosed) but the security there is not dissimilar to Fort Knox.

Kirsty Desson, Abrdn Global Smaller Companies

In assessing a company’s resilience to cyber-attacks, we consider multiple factors including the company’s policies and procedures, country jurisdiction, history of breaches, evidence of system audits, staff training, board or senior management data security oversight and independent validation.

An example of a holding where cybersecurity is core to the company’s operations, is Altair. The business offers cloud-based design simulation tools for high-end product design and development. Due to the nature of Altair’s business, the company works closely with customers in the early product design phase, which is highly sensitive.

In our conversation with management, it was flagged that the company stores a minimal amount of customer data on site and conducts regular data security resilience checks. Over time, Altair has strengthened its data privacy measures and dedicated oversight of its security framework, evidencing strong management of this ESG risk.