Can Tools Help Companies Evaluate Cyber Risks of Vendors or Sectors?

Speaker discusses ways to gauge hacking vulnerability during PLANSPONSOR’s Cybersecurity livestream.

MGM stock is down nearly 13% since the beginning of a cyberattack that destabilized operations at the casino giant last month. This poses a big question for asset owners: How do you determine what stocks are safe to invest in from a cybersecurity standpoint? The MGM hack, and other incidents in recent years, have shown there are consequences not only for a company, but for other companies it does business with and its shareholders.

But how can plan sponsors insulate themselves from cyber risks when making business decisions? What industries are most susceptible to cyber-attacks? These questions were central to a presentation at PLANSPONSOR’s October 12 Cybersecurity livestream event, by Doug Clare, head of cyber strategy at ISS Corporate Solutions, which, like PLANSPONSOR, is owned by Institutional Shareholder Services Inc.


ISS ESG Cyber Risk Score

ISS has developed a rating, the ISS ESG Cyber Risk Score, that evaluates a company’s susceptibility to cyberattacks. The metric aims to quantify which industries and companies within the Russell 3000 Index are exposed to digital threats.

The score is designed to measure the odds of a digital attack affecting the company within the next 12 months. The rating leverages data gathered on a continuous basis regarding network and domain posture, construction and evidence of compromise. The score is a scaled representation of the odds of a breach incident ranging from high risk (300) to less risk (850).

At-Risk Industries

According to Clare’s presentation on sector-relative cyber risk, 33% of companies experienced a breach or disruption within the last 12 months. However, some industries are more at risk than others.

According to ISS research, the most at-risk industries in the Russell 3000 are technology, media and telecom. The least at-risk sectors are health care; energy and utilities; and finance and banking, all significantly lower than the average risk of all industries.

What It Means for Investors

The ISS ESG Cyber Risk Score can play a role in vetting vendors, contractors, partners or other service providers regarding the digital risks they could present. It is one tool institutions can use in the due diligence process.

“There is a documented impact on share price when breach events occur, the score does translate directly into breach incident odds, and I think it has a meaningful role to play in evaluating risk,” Clare said. “If cyber breach risk is something you are concerned about, this is a metric you could and should look at.”

As seen with MGM, cyberattacks can have double-digit impacts on the price of a company’s shares and add millions in cost to its spending. In the modern age, this is something investors should monitor and evaluate. The ISS ESG Cyber Risk Score offers a tool to develop a better understanding of a company’s potential exposure to such attacks.
