With AI giving criminals new tools to cheat and steal, cyber security is becoming a key ESG concern. Here’s what you should know.
That’s the view from global financial services group Nomura, which also said cybersecurity was fast becoming the top global risk, alongside climate change and geopolitical conflict.
According to Nomura’s research – and perhaps somewhat unsurprisingly – cybercrime rates are growing in severity and frequency as the world becomes more digitalised.
In 2022, the average cost for a company that had its data breached reached $US4.35 million.
Ransomware has become a major concern, and in the US, the most commonly demanded ransom amount for companies is in the range of $US5-10 million.
All this means that most firms have ramped up their budgets for cyber defences, with spending on cyber security estimated to reach $US1.75 trillion from 2021 to 2025.
How AI changes the game
The recent emergence of artificial intelligence (AI), particularly “generative AI”, has also transformed the way experts think about cyber security.
Generative AI is a form of machine learning able to produce text, video, images and other types of content. Think ChatGPT.
According to many research papers, cybercriminals are harnessing AI to launch sophisticated and novel attacks at large scale.
Generative AI is helping bad actors innovate and develop new attack strategies, enabling them to stay one step ahead of cybersecurity defences.
Mark Jones, senior consulting partner at ASX-listed cybersecurity company Tesserent (ASX:TNT), told Stockhead that AI presented some new challenges, mainly around the rate at which technology was used in cyber attacks.
“For instance, their ability to identify potential vulnerabilities in code, craft more specific and tailored phishing emails, and so forth,” Jones said.
Jones acknowledged that AI made launching cyber attacks a little easier for the threat actors.
“They now have more ability to automate attacks and develop better evasion and obfuscation methods,” he said.
“It also means that people with less knowledge of coding can gain access to information, attack methods and tools that were not possible before.”
‘Focus on the basics’ to manage risks
Recent major cyber attacks have targeted hospitals and pharmaceutical companies, travel and leisure companies, financial services and energy infrastructure operators.
However, Jones said the threat of AI in cyber attacks did not make specific industries any more of a target than they already were.
“It just means the capability to target these sectors can be supported by AI-powered tools and techniques. The same principles apply to these new frontiers in the battle against the rise of cyber crime.”
Jones also stressed that it was very important not to get caught up in the hype of new tech, adding that Tesserent’s experience as well as industry reports suggested that focus should be on the foundation-level controls before moving to more advanced problems.
“Our recommendation therefore is get all the basics working first, as this will be the most effective way to help manage cyber security risks,” he said.
“Like the rest of the technology sector, Tesserent is working with our clients to manage how AI affects their business. We are constantly alert to new cybersecurity threats and risks, and we work to mitigate them before escalation.”
Measuring ‘cyber hygiene’
Nomura said most cyber incidents and breaches were not publicly reported or acknowledged, making it difficult for investors to assess cybersecurity risks.
“Going forward, the systematic integration of cybersecurity risks in investment analysis will create demand for more material cybersecurity-related disclosures,” said Jason Mortimer, head of sustainable investment at Nomura.
Mortimer said that firms did not usually disclose meaningful details about their cybersecurity policies to public investors, and there were legitimate concerns that too much disclosure would only attract more cyber attacks.
“Together this implies that investors evaluating cybersecurity across companies will have to rely on forecasted measures of cybersecurity preparedness, and adherence to best practices as a proxy for cybersecurity risk,” he said.
To address these challenges, Nomura said it was focusing on measuring “cybersecurity hygiene,” a yardstick used to gauge the best practices that an organisation follows to keep its network and data secure.
Fortunately, the data required for comprehensively evaluating cybersecurity hygiene is becoming more widely available to investors.
“A variety of specialised data providers now provide ‘cyber risk ratings’ based on automated measurements of cyber hygiene,” Mortimer said.
Nomura has also integrated cybersecurity directly into its proprietary Credit ESG Scoring model as a “governance” factor for its corporate debt investments.
The NAM Credit ESG Score model, as it’s called, reflects Nomura’s view that cybersecurity performance reflects the company’s overall governance structure.
“The resulting ‘heat map’ of sector-specific cybersecurity materiality acts as a guide for our research and engagement with investee companies,” said Mortimer.
Cyber security stocks on the ASX
Of course, investors can approach cyber security from another angle – buying shares in companies that battle the bad actors.
Tesserent provides full service, enterprise-grade cybersecurity and networking solutions targeted at midmarket, enterprise and government customers across Australia and New Zealand.
The company’s Cyber 360 strategy delivers solutions covering identification, protection and 24/7 monitoring against cybersecurity threats.
Tesserent is currently a takeover target of Thales Australia, which has proposed to acquire 100 per cent of TNT shares at 13c.
On Monday morning, TNT was at 13 cents, up 4 per cent for the day.
Shareholders will vote on the takeover proposal on September 18.
Data-centric security tech company archTIS prevents malicious and accidental loss of information for its clients.
Its products NC Protect and Kojensi are multi-government certified platforms for the secure access to sensitive and classified information.
In July, archTIS signed a new agreement with the Bank of Finland (an existing customer), to license NC Protect and the NC Encrypt module. The purchase migrates the Bank of Finland from the previously acquired cp.Protect offering.
On Monday morning, archTIS shares were at 10 cents, down nearly 5 per cent for the day.
Whitehawk offers an online tool that enables small and midsize businesses to take immediate action against cybercrime, fraud, and disruption.
Last month, Whitehawk announced that the US federal government contract for Cyber Risk Radar announced in July 2020 had been extended for a fourth year.
That deal is valued at a $US672,000 base, with an option for an additional $US505,000 in services.
The Cyber Risk Radar is an annual software-as-a-service (SaaS) subscription service developed by WhiteHawk that enables clients to assess, identify, monitor, prioritise, and mitigate business and cyber risks of their supply chain vendors.
On Monday morning, Whitehawk shares were down nearly 3 per cent for the day, at 3.3 cents.
Senetas owns software tools that protect against malware and ransomware attacks.
The company has developed technology that has the ability to proactively eliminate all known and unknown threats hidden in files.
In the latest update in June, Senetas said its segment sales pipeline was continuing to build with growth of over 100 per cent through FY23, and further sales momentum was expected over the next 12 months.
On Monday morning, Senetas was trading at 2.6 cents, no change for the day.
This content first appeared on stockhead.com.au
The views, information, or opinions expressed in the interview in this article are solely those of the interviewee and do not represent the views of Stockhead. Stockhead has not provided, endorsed or otherwise assumed responsibility for any financial product advice contained in this article.