Investors Value A Company's Cybersecurity Record

New HBGary report says majority of U.S. investors steer clear of investing in companies that have suffered multiple data breaches -- and they worry more about theft of customer data than intellectual property
SAN FRANCISCO -- RSA CONFERENCE 2013 -- Turns out most U.S. investors are wary of investing in companies that have a history of getting hacked, and they are twice as concerned about those whose customer data was stolen than those whose intellectual property was pilfered.

RSA Conference 2013
Click here for more articles.

New data released here today from a survey conducted by Zogby Analytics on behalf of HBGary found that close to 80 percent of American investors said they aren't likely to invest in a company that has suffered multiple cyberattacks, and 70 percent would research a publicly traded firm's cybersecurity practices and incidents.

"The fact that investors and customers care so much about this is why we are starting to see boardrooms take a lot more interest in the security of a company," says Ken Silva, senior vice president for cyberstrategy for the mission, cyber and intelligence solutions group at ManTech International Corp., of which HBGary is a subsidiary.

But investors weigh customer data breaches as worse than theft of IP: Fifty-seven percent said they consider a hack that compromises customer data as more worrisome, while some 29 percent rated intellectual property as the most worrisome.

"People can relate to [customer data theft] right now and can feel the shockwave. I think IP theft will start to show itself and its real impact a couple of years from now when stolen intellectual property starts to make its way through the system," Silva says. "That's as opposed to now, when we know it's happening, but we haven't actually seen the ramifications of it yet like we do with customer data. We're not seeing exact copies of the next tablet coming out before Samsung or Apple," for example, he says.

Cyberespionage concerns are gaining some political clout, with the Obama administration last week announcing its plans to crack down on IP theft. And more and more big companies of late are coming clean that they have been infiltrated, including major media outlets like The New York Times, The Wall Street Journal, and The Washington Post.

[Finally, convincing evidence of a long-suspected Chinese military link to cyberespionage against U.S. firms: A prolific and especially persistent cyberespionage group out of China has been tied to the People's Liberation Army and has been behind attacks on a minimum of hundreds of companies across 20 major industries mainly in natively English-speaking countries. See Chinese Military Tied To Major Cyberespionage Operation. ]

HBGary's report, which gathered data from 405 U.S. investors surveyed, also found that 66 percent of investors said they would likely research whether a company had been fined or disciplined for a security breach.

ManTech's Silva says the most shocking finding of the survey was that 78 percent said they weren't likely to invest in a company that had suffered multiple security breaches. "That's an incredibly high number, and that shows just how seriously investors are really taking [cybersecurity]," he says.

The report also found that investors care about how companies handle breach disclosure. "Given all of the publicity around breaches in the last two years, we're almost numb to hearing about it. But when a breach is poorly handled, boy, does it make the headlines," Silva says. "If you're hiding it, not disclosing, taking too long to disclose it, or if no one knew" for a long time about the breach, that shakes investors' confidence in the victim organization, he says.

Silva says investors traditionally have been all about the bottom line, but the survey shows that they are savvy about the potential impact of cybersecurity problems on companies they are looking to invest in: "If this says anything, it's that cybersecurity is a fiduciary responsibility," Silva says. "So boards of directors need to treat cybersecurity as their fiduciary responsibility."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.