With cyberattacks and data breaches dominating news headlines since high profile incidents have impacted the likes of Optus and Medibank Private, investors are scrutinising the cyber practices of listed companies. Many are asking questions such as whether IT systems are up to scratch, what kind of sensitive data is held, and how capable are board directors in overseeing this rapidly evolving risk.
These are all valid questions to ask of companies. However there are a number of human capital and social related elements of cyber resilience which warrant greater consideration by companies and investors alike. One thing we know when it comes to cyber security is that the best IT systems and processes are still not enough to stop a cyberattack or data breach. We also know that protection is only part of the story when it comes to resilience – the way a company responds to an incident is just as important.
Human elements are integral to a company’s overall cyber resilience and its ability to limit potential financial impacts from an event – in particular, company actions which shape employees’ behaviour before and after an incident, as well as having a response plan informed by a customer-first mindset.
Company and investor approaches to cyber resilience should look beyond specific cyber capabilities and IT systems, and extend to human capital and customer management practices. In this piece, we outline five factors which we believe play an under-appreciated role. Companies can mitigate risk by seeking to address these, while investors can better protect returns by including these in their cyber resilience assessments.
It is important to not lose sight of how influential human error is enabling cyberattacks or data breaches. In its 2022 Global Risks Report, the World Economic Forum cited studies which found that up to 95% of cybersecurity issues can be traced back to mistakes made by people. Mistakes often relate to employees falling victim to phishing campaigns or other social engineering practices deployed by attackers, but can also include failure to properly secure credentials or equipment, mistakenly emailing or publishing information, as well as staff not realising they should not install certain applications on personal devices.
This reinforces the need for companies to carefully consider how to most effectively allocate capital and resources to cyber and data security. While investment in adequate IT systems is essential, this should be complemented by employee-focused initiatives targeted at reducing the likelihood of human error. This includes allocating resources to training and awareness building, as well as efforts to develop a cyber-aware culture amongst the workforce.
More effective training and awareness programs are regular; tailored as relevant to different business divisions, noting some teams will need deeper or more technical training; and as engaging as possible. Education on the proper collection and storage of personal data in the context of privacy laws will be expected for many businesses.
With respect to developing a cyber-aware workplace, leadership teams should be conscious of how they can set the tone from the top, recognising that this can shape employee behaviour. While staff should be expected to adhere to cyber policies and procedures, it is inevitable honest mistakes will occur. Leadership teams that demonstrate an acknowledgement that anyone can make a mistake could help avoid an individual delaying action in the event of a breach due to a fear of punishment. It is ultimately in a company’s interest for employees to feel comfortable enough to admit a mistake as soon as possible and alert necessary parties.
Human capital management strategies targeted at fostering a more inclusive company culture, which are often already in place at listed companies for other reasons such as employee engagement and retention, are also relevant to maintaining robust cyber and data controls. This should further strengthen the business case for such initiatives at companies looking to boost cyber resilience.
Inclusion is linked to more engaged employees. In our experience, staff which are engaged and find their respective employers a great place to work are going to be more motivated to act in the company’s best interests. This includes being more attentive to training and awareness and more inclined to act with greater care on cyber and data matters, in order to reduce potential harms to the business.
Cyber resilience is also enhanced by employees who speak up – whether this is to raise a concern about a weakness in cyber or data protections, or to come forward with new ideas about improving a process. Inclusion is an important driver of the settings in which staff feel confident in coming forward.
While it can be a tricky path to navigate, disincentivising poor cyber-related behaviour and rewarding good practices has an impact on a company’s overall resilience. As mentioned above, with so many breaches being tied back to actions taken by individuals, proactively seeking to shape staff performance in this area is important and incentives provide a means to do so.
Incentives do not necessarily need to be as formal as Key Performance Indicators (KPIs) for executives, although in some cases this will be appropriate. Good “cyber hygiene” and practices can be rewarded in other ways, such as positive acknowledgement in staff communications or prizes.
At times, it will be appropriate to hold individuals to account through disciplinary action in instances where they have breached cyber security policies and put the company at risk through negligent behaviour. Finding a balanced way to communicate internally that accountability does exist for non-compliance (while accepting honest mistakes occur) can drive staff to take cyber seriously and maintain familiarity with policies and procedures.
In the event of a cyberattack or significant data breach, the response and recovery can significantly influence the operational disruption and potential financial impacts a company faces. In the wake of Optus and Medibank, many companies will rightly be looking to develop or strengthen their response plan. Some may even be looking to run simulation exercises or undertake tests of their systems.
A large focus of any response and recovery plan should undeniably be on the technical aspects of understanding the extent of a breach, securing and recovering systems, and strengthening IT security, as well as complying with any regulatory requirements. However, we believe companies should also be factoring into plans how they will unlock agile collaboration across relevant business units in crisis settings. This kind of mobilisation of people and internal expertise at short notice requires pre-planning and practice.
Companies will need to consider how the incident or breach intersects with each and every team or business unit and consider developing a cross-function response team with relevant representatives. From past incidents, we’ve learned that impacted companies have had the effectiveness of their response and recovery reduced due to internal siloes remaining, and individual roles and responsibilities being unclear. In a time of crisis, problem solving and execution can be strengthened by collaboration, such as between IT and cyber security, senior leadership, customer-facing teams, and the key contact personnel for regulators and media. If in the course of ordinary business forums to bring these functions together don’t exist, it is unlikely rapid mobilisation and an agile cross-business response will be able to occur without dedicated preparation as part of cyber resilience planning.
It is worth reiterating that each cyberattack or data breach will play out differently, whether this is in how the event occurs in the first place or the environment in which the company must respond and recover. Information will be fluid, stakeholder reactions will be varied, and the cyber criminals may have different motivations, making it challenging to pre-empt. This all reinforces the need for companies – in order to support an orderly response and to mitigate reputational damage – to proactively create the settings in which agile collaboration can occur, and that all relevant personnel are included and have clear responsibilities.
A communications and remediation plan will support stakeholder management and mitigate reputational damage which have the potential to translate into financial impacts. High profile cyberattacks on corporates have demonstrated that in many ways a poor communications plan can cause more harm than the operational disruption or initial reputational damage from the event itself.
In our view, a superior communications and remediation plan is one that puts customers first, subject to any legal requirements or advice from relevant authorities. In these situations there is strong alignment between the interests of a company’s customers and its investors. If the company puts customers at the heart of any communications and remediation plan, shareholder value will be better protected.
Proactive planning can help companies to most effectively keep customers informed of developments in the wake of an incident, at a time when there is heightened customer stress and media scrutiny. Companies should consider how they can stay on top of direct communications with customers and have internal plans to brief customer-facing teams in a timely manner. The more customers feel they have insufficient information or that they hear new information through the media, the more this may place stress on customer service teams dealing with a surge in inbound calls. Long wait times to connect to call centres or service representatives being unsure of reported developments and support available will only further exacerbate negative experiences for customers.
Messaging and services offered to customers should also be cognisant that for many, any breach of personal information could cause significant stress and in some cases compromise safety. While some people are not concerned about generic personally identifiable information being leaked, for others even information such as an address – let alone medical history or passport details – can be highly sensitive, for example domestic violence survivors or police. For this reason, communications should acknowledge customers as the victim and be informed by the varied potential reactions and impacts across the customer base.
Companies would also be well served by putting in place a framework outlining what kinds of support or compensation might be available in the event of an incident. Not only should this assist in managing customer relations, but it could also mitigate potential class action risks. Examples of financial compensation we have seen to date include reimbursing the cost of ID replacement, waiving service charges for a period, and paying for credit monitoring subscriptions. Other forms of support include provision of counselling, cyber security resources, personal duress alarms for particularly vulnerable customers, and dedicated customer apps and hotlines.
People (employees and customers) are integral in shaping a company’s overall cyber resilience and its ability to limit potential financial impacts from an event through a well-managed response. While it is essential that companies (and their investors) reflect whether IT systems, policies and procedures, and cyber capabilities are adequate, we encourage greater consideration of how these aspects of cyber resilience intersect with human capital and social related factors.
In our own assessments of investee companies’ cyber resilience, Paradice is working to more deeply understand this rapidly evolving space and take a holistic approach in determining the appropriateness of company controls. This includes looking at the five factors mentioned above and encouraging due consideration of such practices when engaging with companies on cyber resilience.
By Maddy Dwyer & Julia Weng
Disclaimer:
This information is prepared by Paradice Investment Management Pty Ltd (ABN 64 090 148 619, AFSL No. 224158). This material (or contribution to it) is not intended to constitute advertising or advice (including legal, tax or investment advice or security recommendation) of any kind. It may contain certain opinions that are based on the assumptions and judgments of Paradice which are difficult or impossible to predict accurately and are beyond the control of Paradice. Because of the significant uncertainties inherent in these assumptions, opinions and judgments, you should not place undue reliance on this information. The information and opinions contained herein, including information obtained from third party sources which are considered to be reliable, are not necessarily all-inclusive and, as such, no representation or warranty, express or implied, is made as to the accuracy, completeness or reasonableness of any assumption contained herein and no responsibility arising for errors and omissions (including responsibility to any person by reason of negligence) is accepted by Paradice, its officers, employees or agents. The content of this publication is current as at the date of its publication and is subject to change at any time. It does not reflect any events or changes in circumstances occurring after the date of publication. This material is not to be distributed and must not be copied, reproduced, published, disclosed or passed to any other person at any time without the prior written consent of Paradice.
Copyright © 2022 Paradice.
Important Notice
We are aware that our brand name has, on occasion, falsely been used by individuals impersonating members of Paradice’s investment or support teams through email and LinkedIn. These are not legitimate approaches from Paradice, and we urge investors to be vigilant about unexpected and suspicious emails that claim to represent Paradice. If you have any concerns, queries, or would like to report fraudulent activity, please do not hesitate to contact us at: investorrelations@paradice.com
Copyright © 2024 Paradice Investment Management Pty Ltd
Subscribe to our newsletter for updates.
Visit our site for individuals and financial advisors.
Visit our site for institutional investors.