Cyber Attackers Targeted 10% of Russell 3000 Companies in 2022-23, Study Says

Many corporations outsource their IT functions, which makes them especially vulnerable, an ISS report finds.

One-tenth of Russell 3000 companies got hit with cyberattacks in 2022 and 2023, according to a report by ISS Corporate, part of ISS STOXX, which owns CIO. There were roughly 700 digital incidents involving U.S. companies in the index in that time, the study found.

Thus far in 2024, digital assaults have affected such large companies as AT&T, Ticketmaster Entertainment and Bank of America. At AT&T, hackers accessed data on 7.6 million current and 66.4 million former customers. They stole Social Security numbers, account numbers and passwords.

Many companies, of course, outsource their infotech to cloud providers for back office and customer relations—and that makes them especially at risk, the report stated. So-called ransomware, when the hacker extorts a large sum, is the most well-known danger.

Trouble is, it’s hard to figure out just how vulnerable a company is, per Ajit Jain, head of insurance for Berkshire Hathaway. A widely used web supplier “may accumulate into an aggregation of potential cyber losses,” the study quoted him as saying. If a large cloud provider’s platform were attacked and came to a standstill, the impact would be “huge,” and “that is what scares us,” he observed.

The jeopardy is broad-ranging. Some 90% of Russell 3000 corporations use third-party information technology providers, the study found. Companies with low cyber risk scores, as calculated by ISS Corporate, are the most at risk, the report warned. The score is computed by collecting data on a company’s digital security, then measuring it against those of other businesses.

Cybersecurity breaches are costly, and insuring against them is, too. From 2018 through 2022, the average claim cost for large companies (defined as worth $2 billion or more in yearly revenue) was $13.8 million, the study said. Ransomware costs were one-third of claims for large corporations, averaging $43.4 million.

The impact on stockholders is hard to measure, the study contended, “as the market seems to punish some firms quickly and excuse others indefinitely.” As an example of the former, the study pointed to MGM Resorts International, which suffered a breach that it disclosed last October. The casino and hotel company saw its shares tumble, but they recovered by year-end.

The Securities and Exchange Commission recently required public companies to disclose cyber incidents in a timely fashion. The ISS Corporate report noted that the SEC mandate “is already driving a change in behavior.” In February, about 35% of companies gave cybersecurity briefings to their boards of directors. As of June, this had grown to more than 98%.

Stepped-up cybersecurity defenses among companies also are on the rise. As the report concluded, “Being able to quickly assess potential exposure to a common catastrophic security flaw is quickly moving from ‘nice-to-have’ to ‘must-have’ for many firms.”

CDPQ Returns 4.2% in First Half of 2024

The returns raised the Canadian pension fund’s assets to C$452 billion, but its performance fell short of its benchmark’s 4.6% return.



Canadian pension fund Caisse de dépôt et placement du Québec reported investment returns of 4.2% for the first half of 2024 to raise its total asset value to C$452 billion ($334.2 billion). The performance, led by the pension fund’s equity investments, matched its return from last year’s first half but fell short of its benchmark portfolio’s 4.6% return.

“The first half of the year was characterized by several factors: strong stock market performance continued to be linked to a historic level of concentration in a handful of technology stocks, the U.S. Federal Reserve’s postponement of the many rate cuts anticipated at the beginning of the year, and modest global economic growth,” said CDPQ President and CEO Charles Emond in a statement.  

The pension fund’s equity investments returned 10.9% during the first six months of the year, missing its benchmark’s return of 11.7%. According to CDPQ, the performance by equities has been fueled by stocks related to artificial intelligence, which boosted the main indexes to record levels. Real assets returned 1.5% in the first half, below the 2.1% return produced by its benchmark, and CDPQ’s fixed-income assets declined 1.7% during the period, matching its benchmark’s performance.  

CDPQ also reported five- and 10-year annualized gains of 6% and 7.1%, respectively, topping its benchmark’s returns of 5.3% and 6.3%, respectively, during those periods.   

Over the past five years, equities were the pension fund’s top-performing asset class, rising 11.4%, just short of its benchmark’s 11.7% return over the same period. Real assets earned 4.7%, topping its benchmark’s five-year annualized return of 3%. CDPQ’s fixed-income investments have been flat over the past five years, compared with its benchmark’s loss of 0.9%.  

Equities were also the CDPQ’s top performer over the past 10 years, with an annualized gain of 10.9%, ahead of its benchmark’s return of 10%, while its real assets returned 6.8% over the same time period, beating its benchmark’s 6.1% return. The pension fund’s fixed-income assets have returned 2.2%, surpassing its benchmark’s return of 1.5%.  
