How to Analyze Investments’ Hacking Vulnerability

Can tools like the ISS ESG Cyber Risk score help institutional investors navigate exposure to digital attacks?

Reported by Matt Toledo


MGM stock is down nearly 13% since the beginning of a cyberattack that destabilized operations at the casino giant last month. This poses a big question for asset owners: How do you determine what stocks are safe to invest in from a cybersecurity standpoint? The MGM hack, and other incidents in recent years, have shown there are consequences not only for a company, but for its shareholders.

But how can institutional investors insulate themselves from cyber risks when making investment decisions? What industries are most susceptible to cyber-attacks? These questions were central to a presentation at CIO’s Cybersecurity livestream event, by Doug Clare, head of cyber strategy at ISS Corporate Solutions, which, like CIO, is owned by Institutional Shareholder Services Inc.

ISS ESG Cyber Risk Score   

ISS has developed a rating, the ISS ESG Cyber Risk Score, that evaluates a company’s susceptibility to cyberattacks. The metric aims to quantify which industries and companies within the Russell 3000 Index are exposed to digital threats.

The score is designed to measure the odds of a digital attack affecting the company within the next 12 months. The rating leverages data gathered on a continuous basis regarding network and domain posture, construction and evidence of compromise. The score is a scaled representation of the odds of a breach incident, ranging from 300 (high risk) to 850 (less risk).

At Risk Industries

According to Clare’s presentation on sector-relative cyber risk, 33% of companies experienced a breach or disruption within the last 12 months. However, some industries are more at risk than others.

According to ISS research, the most at-risk industries in the Russell 3000 are technology, media and telecom. The least at-risk sectors are health care; energy and utilities; and finance and banking, all significantly lower than the average risk of all industries.

What It Means for Investors

The ISS ESG Cyber Risk Score can play a role in vetting investments, especially for institutional investors concerned about digital risks. It is one tool institutions can use in the due diligence process. 

“There is a documented impact on share price when breach events occur, the score does translate directly into breach incident odds, and I think it has a meaningful role to play in evaluating risk,” Clare said. “If cyber breach risk is something you are concerned about, this is a metric you could and should look at.”

As seen with MGM, cyberattacks can have double-digit impacts on the price of a company’s shares and add millions in cost to its spending. In the modern age, this is something institutional investors should monitor and evaluate. The ISS ESG Cyber Risk Score offers investors a tool to develop a better understanding of a company’s potential exposure to such attacks.
