The devastating impact of the pandemic has rightly prompted businesses and investors to scour the horizon for other risks they may be overlooking. Most of the focus has been on climate change, but the spotlight should also be turned onto cyber risk, with experts warning that the shutdown of the massive Colonial pipeline in the US could merely be a taster of what is to come.
There is one obvious difference between pandemics and climate-change risk. Until the beginning of last year, almost no companies or portfolio managers paid any attention to the threat of pandemics, despite countless reports warning of the likelihood of an outbreak that would cause massive economic damage. In contrast, no chief executive or fund management boss could afford to play down climate-change risk. Indeed, some observers, such as former Bank of England governor Lord Mervyn King, believe the ever-increasing focus on climate change may distract attention from other equally serious risks, such as a further pandemic outbreak or cyber-attacks.
Even so, cyber has had a great deal more attention at the very highest level than pandemics did before last year. Two years ago, Jamie Dimon, CEO of JPMorgan Chase, warned that cyber risk “may very well be the biggest threat to the US financial system”. JPMorgan spent $600m on cyber defences in 2020 — more than three times its budget 10 years ago. Even for JPMorgan, $600m is real money, and other big companies invest huge sums trying to keep ahead of the hackers.
Nonetheless, some investors are very nervous about the threat. “There is a high risk that a large company or an entire economy could be hit by an attack that would cause serious, lasting damage. The problem is there is no way of predicting which one and protecting yourself,” says one seasoned portfolio manager.
As far back as 2017, Eric Knight, founder of fund manager Knight Vinke, was suggesting that investors should put excess cash into short-term Treasuries rather than take a risk with bank deposits. “Thinking longer term, we all need to consider the possibility that at some point in the future a cyber-attack might succeed in bringing down a major bank. Some banks receive (literally) thousands of cyber-attacks per day. The last crisis was about banks losing their capital, but a major bank losing its deposits (which are typically 10-20 times the capital base) would be infinitely more devastating,” Knight wrote in a letter to investors.
However, apart from such extreme action there is a limit to what investors can do to protect their portfolios. If you had known there was going to be a pandemic you could have taken some precautions. Even if you didn’t know the nature of the pandemic you could have been confident that some sectors — travel, for example — would be particularly vulnerable. But since almost every business these days is highly dependent on digital communications, there is virtually no company that is safe from a cyber-attack.
One relevant lesson from the pandemic is the importance of making sure that any cyber-related business interruption insurance is as watertight as possible. Another parallel is that previous incidents were bad but not devastating. Most investors who thought about the risk of pandemics probably assumed the next outbreak would be like Sars or Ebola. These were tragedies for those affected but did not turn into global disasters.
Similarly, even the most serious cyber-attacks have so far proved containable. It is tempting to think this was for the same reason: if the effects were too disastrous, it would not be in the interests of the attacker. A virus that kills all its victims defeats its own objects. And a cyber extortionist who causes too much damage risks retaliation and capture rather than a pay-off. Yet state-sponsored cyber terrorists do not face the same constraints and it is they who now pose the biggest threat.
Although large companies are spending heavily on their defences, cyber experts say many smaller businesses are much less well protected. In the fund management world, many firms outsource large parts of their operations and are critically dependent on the precautions taken by their contractors.
Ultimately, as with pandemics, much depends on individuals following the rules. There has been a huge surge in cyber-attacks during lockdown, partly because good cyber hygiene is more difficult to observe with staff working from home. And in the rush there was little chance for much training.
Just as some elements of social distancing may persist after lockdown, more care also needs to be taken over digital mixing. We may have to put up with more cumbersome identity authentication.
As always it would be helpful to have some leadership from the top. So it is perhaps encouraging that, 15 years after it was published in a press release, the Prime Minister has finally changed his mobile phone number.
To contact the author of this story with feedback or news, email David Wighton