Last week’s data breach at TalkTalk put the personal financial data of millions of customers of this British telecoms company at risk. The full financial costs may never be known, as cyber criminals start to use this stolen data to target customer bank accounts.
As a technology stock analyst, I use data points like this to predict how investment themes will develop over time. Normally, investment themes run their course over two or three years. But the cyber security investment theme may run for much longer, because CEOs of major global corporations are still in denial about the cyber risks their businesses face.
When TalkTalk customers signed up for a telecoms contract, they expected to receive world class digital security as an integral part of the overall service.
Yet, like many companies focusing on short term profits, TalkTalk management did not take their responsibilities for the protection of their customers’ digital data seriously enough.
Many CEOs still see the IT department as a cost base that needs to be cut rather than a customer facing product. But in the internet era, digital security is very much an integral part of any product.
What is even more surprising is that TalkTalk management had the means to address this risk (they could have encrypted all customer data) and were fully aware of the personal risks to their own careers of failing to do so (other CEOS have been fired for data breaches).
In May 2013, I published a research note called “Cyber Security: the tech sector’s next big rally” in which I argued that most cyber security stocks were undervalued. At the time, this was a highly controversial statement, because most cyber security stocks were already amongst the most expensive stocks in the global technology sector.
My thesis back in May 2013 was that most CEOs did not understand cyber security risk, but that pretty soon things would change. I predicted that the catalyst for this change would come “when a respected CEO gets fired for mishandling cyber risk.” Corporate boards, asleep at the wheel, would then substantially increase the amounts they spent on cyber security, sparking a rally in cyber security stocks.
A few months later, Target, a US retailer, suffered a data breach in which 40 million customers’ financial data was stolen. Target had to pay millions of dollars in a settlement to MasterCard, Visa and others for its past negligence. Some time later, Target’s CEO was fired, primarily in relation to this single cyber attack.
All this led to a rally in cyber security stocks generally. Many rose by 200% or 300%. It appeared, prima facie, that corporate executives had woken up to the cyber risks their businesses faced and had learned from the Target saga.
Perhaps not. Last week’s shenanigans with TalkTalk illustrate that nothing substantial seems to have changed in corporate board rooms when it comes to risk management around cyber security issues.
Whilst no company can guarantee customers that their online data will always be safe, they can implement best practice procedures (such as encrypting sensitive customer data) to ensure that the risk of future data breaches is minimised.
The CEO of TalkTalk, by her own admission, failed to encrypt customer data, citing as her defence that there was “no legal requirement” to do so.
Two and a half years after I predicted a cyber security stock rally on the back of poor understanding of cyber security risk at CEO level, few lessons seem to have been learned.
This investment theme may have years to run yet.
Expect more CEOs to get fired. And expect another rally in the cyber security sector.
This article was first published here and is reproduced with kind permission.
Recent Comments