Australia under cyber attack: Call for panic? Opportunity that can't be missed?
Judging by recent news headlines, one would likely conclude that Australia was suddenly under a coordinated cyber assault. Each week a different company discloses it has been the victim of a data breach: Medibank (ASX.MPL), Optus and Woolworths-owned MyDeal immediately come to mind. Telstra (ASX.TLS), Australian Clinical Labs (ASX.ACL), and EnergyAustralia have also been subject to smaller-scale events − and that’s only in the past six weeks.
The truth of the matter is that Australian companies have been fending off cyber assaults for some time. The Office of the Australian Information Commissioner (OAIC) received 464 notifiable breaches attaining to data breaches in the second half of 2021. That number was up 6% from the prior year but in line with the 460 recorded in 2018 and 537 in 2019.
Malicious or criminal activities account for 55 per cent of breaches. The remainder is mostly attributed to human error, such as emailing personal details to the wrong recipient or unintended publication. Fortunately, most breaches don’t lead to catastrophes. The most recent OAIC data shows that 71% of data breaches affected less than 100 people.
But it is the tail end of cyber attacks that causes the most damage. The Colonial Pipeline − which transports 45% of the fuel consumed on the East Coast of the United States, was halted after hackers gained access to its systems. Closer to home, Medibank is unsure what exactly the hacker has stolen but concedes that it had accessed the personal and medical data of 3.8 million customers.
These events are the nightmares of executives and boards. Most are ill-equipped to manage cyber-related events; watered-down media releases do little to assuage community concerns; and the true damage is not felt until months or years later.
Not Only a Financial Burden
The first-order costs to a company from a cyber attack are well known. Management resources are diverted to resolve the issue and a ransom may need to be paid to retrieve the data. In subsequent months the business will need to add additional resources to fortress against future attacks in addition to remuneration paid to customers or employees.
Much of this is a financial cost to the business, but there are also longer-lasting and more damaging impacts. A report recently published by S&P Global concluded that markets will ascribe a lower valuation to companies with insufficient cyber defences.
"An effective cyber strategy, including robust cyber defence and mitigation plans, is table stakes for companies engaging with capital markets," the report said. "In our experience, where cybersecurity is weak, overall risk management tends to be weaker, which could result in lower ratings than peers with similar financial metrics."
Then there is the reputational damage. After losing the data of 10.8 million customers in October, Optus was on the front page of every newspaper for the better part of a week. It was ridiculed by the government and is now the poster child of flimsy cybersecurity. The old adage 'all PR [public relations] is good PR' no longer rings true.
Never Waste a Good Crisis
With companies scrambling to bolster their data and prevent a potential PR disaster like that of Medibank and Optus, demand for cybersecurity has jumped. Gartner predicts that spending will increase 11% annually out to 2026 as companies fortress their systems from bad actors and human error. Winston Churchill once quipped "never let a good crisis go to waste", so we present a few different ways investors can achieve exposure to cyber-megatrend.
Recruitment outfit and current holding PeopleIn (ASX.PPE) recently noted it's benefitting from strong demand for cybersecurity roles. For a more in-depth review of the business, check out Inside Look: 3 Australian Small Caps.
IT distributor Dicker Data (ASX.DDR) is another company benefitting from bigger technology budgets. While it’s not a direct play on cybersecurity, it does provide exposure to the software and the internet of things tailwind. It has a long track record of earnings growth and is majority owned and managed by the eclectic David Dicker.
Down the smaller end of town, Tesserent (ASX.TNT) provides cybersecurity and networking solutions for enterprises and governments. Readers should note that the business has historically been quite acquisitive and is yet to demonstrate a robust earnings profile. Whitehawk (ASX.WHK) is another ASX-minnow, with the company a long way from profitability with cash receipts of just US$210,000 in the last quarter.
Given the limited options on the local bourse, investors could consider looking for exposure to cybersecurity in global markets, particularly the United States. This is where many of the big players reside including the likes of ZScaler (NASDAQ.ZS), Crowdstrike (NASDAQ.CRWD) and Palo Alto Networks (NASDAQ.PANW).
Independent of your interest in cybersecurity, it’s clear that all companies must take cyber -risks seriously. It’s not only the financial impact of extra costs but the more damaging effects of a lower valuation and brand dilution. It’s also a timely reminder to be prudent with one’s personal details, and be cognisant of who and how much data is given to businesses.
Disclaimer: ASX.PPE is currently held in TAMIM portfolios
Markets & Commentary
At TAMIM we are committed to educating investors on how best to manage their retirement futures.
Sign up to receive our weekly newsletter:
TAMIM Asset Management provides general information to help you understand our investment approach. Any financial information we provide is not advice, has not considered your personal circumstances and may not be suitable for you.