Similar news stories about cyber attacks abound, and there is an emerging consensus that the federal government is going to keep funding for cybersecurity products and services steady or even increase it despite other massive cuts. Investors have taken note, and have been pouring dollars into cybersecurity companies. According to the National Venture Capital Association, venture capitalists alone invested $1 billion in cybersecurity startups in 2012.
Investors – especially institutional investors - as well as market analysts, need to start thinking bigger about cybersecurity. Specifically, they cannot focus solely on companies offering cybersecurity solutions. They also need to look at what companies are doing to protect themselves from cyber threats.
Much of the recent “success” of cyber attacks is due to a combination of the sheer volume of attacks mixed with the traditionally lower priority assigned by companies to investing in internal cybersecurity. While cyber criminals and state actors are innovating and investing in attacks, corporations – especially at the C-suite level –focused their attention on other risks. It is no surprise then that cyber attacks result in tens if not hundreds of billions of dollars in losses annually to companies.
This equation has to change quickly, and investors and analysts can make that happen more quickly than government. Smart investors and analysts have to ask questions about what companies are doing to protect themselves from cyber attacks. Such questions are especially important given that some of the more sophisticated attacks underway could dramatically affect a company’s bottom line.
The real cyber dangers we face are not ATM hacks, but the theft of intellectual property, trade secrets, and other valuable business information, along with the potential use of cyber tools to disrupt or destroy data and physical assets. Such attacks are growing exponentially as cyber criminals and state-level actors have figured out that the money isn’t in cash, but in valuable business information that can quietly be stolen and then used at their leisure.
The leverage that can be gained from stealing valuable blueprints, business plans, and sensitive information on natural resources is almost immeasurable. And once out in the wild, there is little to no chance to recover the value of those lost assets. We should also shudder at the thought that with a few keystrokes, critical assets across the country could be disabled or destroyed.
So, what does that mean for the investment community? Put simply, start asking questions – lots of questions – about a company’s cybersecurity posture, especially if part of the investment calculation is based on whether the company has some sort of “secret sauce.”
Analysts and investors alike should know some basic facts like: what kind of priority the C-suite is attaching to cyber security?; does the company have a secured supply chain to prevent counterfeit parts with built-in malware from entering into its IT systems; has the company taken measures such as using layered cyber defenses, and acquiring defenses against “Advanced Persistent Threats” like detonation chambers to combat sophisticated cyber attacks, and; does the company have a plan to systematically search for cyber attacks as well as respond to them?
It is simple math really – in the 21st century, if you are going to invest in a company, find out if its digital assets have been compromised. Those assets are at risk, and waiting for the SEC or other government agencies to force such disclosures will not suffice. Investors and analysts have the power to demand answers. One would like to think they have a stake in knowing whether they are investing in a secret sauce if it isn’t really a secret.
Finch is a partner at Dickstein Shapiro LLP in Washington, D.C., and also is an adjunct law professor at The George Washington University Law School.