Investor Vigilance Around Cyber Security Escalates - Research

Data released this week confirms that investors are likely to shy away from businesses that have been hacked or are too laid back when it comes to cyber security.
A cyber attack – a very real and significant threat to the wealth management sector – could cost a business its investor backing (and clients), according to new research by KPMG.
The financial services giant surveyed 133 global institutional investors with a combined $3 trillion under management, and of these, 79 per cent said they would be discouraged from investing in a business that has been hacked.
The findings are extremely relevant to the wealth management industry, as end-clients too become more cognizant of the overall strength of the firms to which they are entrusting their assets and personal details.
“Investors see data breaches as a threat to a company’s material value and feel discouraged in investing in a business that has had its sensitive information compromised,” said Malcolm Marshall, global leader of KPMG's cyber security practice. “Following a number of high profile breaches, we are seeing global investors waking up to the issue of cyber security,” Marshall said.
In October 2014, JP Morgan said some 76 million households and 7 million small businesses were affected by a cybersecurity attack against the firm, which, according to reports, was one of the biggest disclosed breaches to hit a financial institution. Since then, it has been claimed that the breach could have been avoided by a simple measure: according to the New York Times, the hackers could have been foiled if the bank had applied a simple security fix to an overlooked server in its network.
Meanwhile, in January this year, Morgan Stanley Wealth Management dismissed an employee for stealing partial account information of up to 10 per cent of its clients.
Weak focus
Investors believe that less than half of the boards of the companies they currently invest in have adequate skills to manage cyber risk, KPMG said.
More seriously, they see 43 per cent of board members as having “unacceptable” skills and knowledge to manage innovation and risk in the digital world. Echoing this, 39 per cent of boards and management agreed they were “severely lacking in their understanding of this area,” according to another recent KPMG survey of FTSE 350 businesses.
The ripple effect of this has driven up investor appetite for cyber businesses, the firm said, with 86 per cent of investors regarding the sector as a growth area.
“There is an expectation from investors for businesses to increase their cyber capabilities from top to bottom, including the board,” Marshall continued. “In a world where breaches are common, [it] is reasonable to expect boards to have prepared themselves... A serious breach brings the competence and team work of senior executives and the board into sharp focus.”
Many companies are struggling to show existing and potential investors that they are taking cyber risk seriously, which could dilute the strength of their investment proposition, he said.
Marshall said board directors need to understand and approach cyber security as a business risk issue and not just an IT problem in order to get a strong handle on data security.
They also need to realize the legal implications of cyber risks and give related risk management regular and adequate time on the boardroom agenda, he said.
“Directors should set the expectation that management will establish a firm-wide cyber risk management framework that has adequate scope for staffing and budget.”