AllianceBernstein: Cybersecurity for Investors: Why Digital Defenses Require Good Governance

By Diana Lee

Published 12-29-22

Submitted by AllianceBernstein

Hacker attacks and data breaches have pushed cyber and data security to the top of company agendas everywhere. Investors must get to grips with the governance issues and growing business risks as a digitally powered world grapples with the need for more secure defenses.

Cyber and data security is a hot topic across sectors. Ever-evolving threats are forcing companies to continuously evaluate their defenses and readiness—to help minimize the damage of a potential attack. Public statements of preparedness often overstate the actual level of defenses in place.

Despite company awareness, cybersecurity isn’t a high priority for many investors. We think that’s a mistake—especially since governance issues are an important component of an environmental, social and governance (ESG) focus. Unprepared companies risk financial losses, penalties and reputational damage that can undermine a business and its brand and compromise a stock or bond’s return potential. We spoke with cybersecurity professionals across multiple fields and reviewed the regulatory landscape to provide guidelines for investors on assessing cyber-risk management.

Counting the Costs of Escalating Attacks

Cyberattacks are very costly. In the first half of 2022, at least 2.8 billion malware attacks were recorded globally, an increase of 11% over the previous 12 months, according to cybersecurity company SonicWall.

The cost of a data breach reached a record $4.4 million per breach on average globally in 2022, based on a study by the Ponemon Institute and IBM Security. Recovery costs vary depending on the sophistication of a firm’s systems, and whether remote work was a factor, which tends to increase the expense.

Some industries are more at risk than others (Display). Yet in today’s online world, no company is safe. Increased risk has prompted increased regulation. In the US alone, three new regulations were released in the past year: the SEC cybersecurity rule, the Cyber Incident Reporting for Critical Infrastructure Act, and the Ransomware and Financial Stability Act of 2021. Meanwhile, governments are on high alert as state-sponsored cyberattacks surged at the onset of the Russia-Ukraine war. In this evolving environment, companies can’t afford to ignore the problem.

Display: “No Industry Is Immune from Cyberattacks: Breakdown of Attacks on the Top 10 Industries Globally (Percent).” The infographic shows data from 2020 and 2021 for industries including Manufacturing, Energy, Finance and Insurance, Retail, Healthcare, and more.

What Are the Biggest Challenges for Companies?

Many companies are addressing the risks by shifting on-premise data centers and security to cloud-based solutions. The pace is accelerating as issuers with smaller cloud storage capacity migrate to better synchronize their systems. But cloud-based security raises new concerns. We’ve heard several common themes from cybersecurity professionals.

Building the Infrastructure: Organizations face two key dilemmas—choosing from a large swathe of security providers and vendors, and managing them. Creating a single dashboard to manage a network of diverse solutions, ranging from endpoint protection to cloud systems parameter solutions, is a common problem, says one vendor who installs different cloud security platforms. And with so many similar options available, some organizations are paralyzed; they take too long to get the perfect fit rather than establishing an initial infrastructure to update over time.

Monitoring, Training and Governance of Systems: After completing the infrastructure, companies need properly trained staff to monitor and run the systems, as well as a governance structure to maintain their integrity. Streamlining various internal systems and security vendor products takes time and resources, a challenge further complicated because many major security providers are active acquirers of smaller companies, which can throw products out of sync.

What defines a strong cybersecurity governance structure? First, we think a clear reporting structure to the board committee responsible for oversight is essential, with jargon-free reports that can be easily understood by directors without cyber expertise. Similarly, a simple matrix classifying “High, Medium, Low” risks is helpful, as well as reports on mitigation action and threat taxonomies. The general counsel, board and business managers should interact with the information security team more frequently as governance matures. Oversight must extend to the employees running and monitoring systems. And companies should be aware that the vendors they choose matter; services that are more common will have more professionals available to run the systems.

Rising Costs of Implementation/Resourcing: Many CIOs told us they are struggling with costs. In some cases, engineers can make a single change on one server that dramatically increases overall costs for an entire system over time. What’s more, many vendors do not clearly outline the rising costs of monitoring and maintaining a robust cybersecurity infrastructure. Checks on employee additions and a forward-looking infrastructure cost model can help avoid these pitfalls, especially at companies with fewer dedicated cyber resources. Cyber insurance costs are another factor; insurance benefits may be reduced when new vendors are added and systems are updated, or if coverage decreases. For example, Lloyd’s of London recently announced it will stop selling insurance for state-backed cyber-attacks.

How Can Investors Evaluate Cyber Risk Management?

Investors must ask the right questions and focus on budgets to gauge a company’s cyber-strategy and actions. How are cyber issues reported to the board? How are risks monitored and escalated? What types of system tests and response plans are being deployed? Are employees prepared for an attack?

Discussions with directors and management can yield important evidence of cyber proficiency. In recent engagements, we found that companies with a strong sense of the risks are more willing to discuss the topic and provide details on governance, reporting and training. Vague or standard responses could indicate that a company is less prepared for threats, lags peers—and is more vulnerable to attack. Cyber budgets offer important insight into strategy and action. Transparency on spending for cyber insurance, resourcing, vendors, or in-house build helps complete the picture.

Coherent Strategies for Complex Threats

As threats increase, companies must step up efforts to combat attacks and secure their data and systems. Small- and medium-capitalization companies may face greater risks, as many are relatively early in their cybersecurity journeys and have gaps in their systems that could attract attacks.

For companies of all sizes, investors should scrutinize cyber systems in place and dig deeper into the governance, resourcing and reporting on security. With coherent strategies in each area, companies will be more prepared to prevent and respond to cyber-attacks. By engaging with management regularly on these issues, investors will be better equipped to incorporate a company’s cybersecurity profile into a broader risk assessment of portfolio candidates and holdings.

Robert Keehn, Proxy and ESG Engagement Associate from AB’s Responsible Investing team, contributed to this analysis.

The views expressed herein do not constitute research, investment advice or trade recommendations and do not necessarily represent the views of all AB portfolio-management teams and are subject to revision over time.

AllianceBernstein

AllianceBernstein (AB) is a leading global investment management firm that offers diversified investment services to institutional investors, individuals, and private wealth clients in major world markets.

To be effective stewards of our clients’ assets, we strive to invest responsibly—assessing, engaging on and integrating material issues, including environmental, social and governance (ESG) considerations into most of our actively managed strategies (approximately 79% of AB’s actively managed assets under management as of December 31, 2024).

Our purpose—to pursue insight that unlocks opportunity—describes the ethos of our firm. Because we are an active investment manager, differentiated insights drive our ability to design innovative investment solutions and help our clients achieve their investment goals. We became a signatory to the Principles for Responsible Investment (PRI) in 2011. This began our journey to formalize our approach to identifying responsible ways to unlock opportunities for our clients through integrating material ESG factors throughout most of our actively managed equity and fixed-income client accounts, funds and strategies. Material ESG factors are important elements in forming insights and in presenting potential risks and opportunities that can affect the performance of the companies and issuers that we invest in and the portfolios that we build. AB also engages issuers when it believes the engagement is in the best financial interest of its clients.

Our values illustrate the behaviors and actions that create our strong culture and enable us to meet our clients' needs. Each value inspires us to be better: 

  • Invest in One Another: At AB, there’s no “one size fits all” and no mold to break. We celebrate idiosyncrasy and make sure everyone’s voice is heard. We seek and include talented people with diverse skills, abilities and backgrounds, who expand our thinking. A mosaic of perspectives makes us stronger, helping us to nurture enduring relationships and build actionable solutions.
  • Strive for Distinctive Knowledge: Intellectual curiosity is in our DNA. We embrace challenging problems and ask tough questions. We don’t settle for easy answers when we seek to understand the world around us—and that’s what makes us better investors and partners to our colleagues and clients. We are independent thinkers who go where the research and data take us. And knowing more isn’t the end of the journey, it’s the start of a deeper conversation.
  • Speak with Courage and Conviction: Collegial debate yields conviction, so we challenge one another to think differently. Working together enables us to see all sides of an issue. We stand firmly behind our ideas, and we recognize that the world is dynamic. To keep pace with an ever changing world and industry, we constantly reassess our views and share them with intellectual honesty. Above all, we strive to seek and speak truth to our colleagues, clients and others as a trusted voice of reason.
  • Act with Integrity—Always: Although our firm is comprised of multiple businesses, disciplines and individuals, we’re united by our commitment to be strong stewards for our people and our clients. Our fiduciary duty and an ethical mind-set are fundamental to the decisions we make. 

As of December 31, 2024, AB had $792B in assets under management, $555B of which were ESG-integrated. Additional information about AB may be found on our website, www.alliancebernstein.com.
