U.S. equity investors are demanding higher risk premiums to compensate for rising cyber threats as the coronavirus pandemic pushes more businesses to move online.
That’s according to researchers at Michigan State University who found that funds adjust their positions according to the “cyber riskiness” of holdings, especially when data breaches are high. Hackers prefer larger and more visible companies with big customer bases and data sets, especially in industries including retail, services and finance, their research shows.
“We believe as more and more activities/services migrate to online, cyber risk will correspondingly increase,” said Naveen Khanna, chair of the university’s finance department, in an emailed interview. “It has the potential to be much more damaging than many other risks as it can be scaled up quickly and at not much cost. No wonder it’s becoming a top concern for businesses and governments. Thus not surprising it is getting priced.”
The growing risk of cyberattacks comes as the pandemic forces more people to work from home and use networks that may be vulnerable to online attacks. In the latest example, New Zealand’s stock exchange was the target of distributed-denial-of-service attacks that overwhelmed its website and spurred trading halts over four days last week. The bourse’s shares fell 0.6% during the week, the worst in nine weeks.
The relation between cyber risk and required returns is statistically significant and economically large, a study co-authored by Khanna showed. An increase of one standard deviation in such risk makes investors demand an annual premium of 3.41%, it revealed.
The study also found that institutional investors’ reaction to cyber risk appears similar to their reaction to large shocks such as the global financial crisis, and that such behavior suggests high-cyber-risk stocks should offer greater compensation.
“The cyber premium is logical,” said Sebastien Galy, a senior macro strategist at Nordea Investment Funds SA, which oversees about $255 billion in assets. It should also be a function of “economic and other objectives” of those doing cyber warfare and the extent of damage they can cause, he said.
Companies spent $112.7 billion on information security and risk management in 2018, and are projected to increase that outlay by almost 9% per year through 2022, according to research firm Gartner Inc.
“Investors view data breaches as the cost of doing online business,” said Olivier D’Assier, head of applied research for Asia-Pacific at Qontigo GmbH. “It’s a bit like parenting; yes you scold your child for doing something they were not supposed to, but you never stop loving them.”