There are more traps lurking on the Internet than just phishing attacks, trojan horses and viruses.
Cyber criminals continue to develop a variety of smart tools to plot hacking schemes and data breaches in today’s intricately connected digital world, in which almost everyone’s data is stored, processed and accumulated. Anybody can become a target.
In what was dubbed Singapore’s “worst cyberattack”, the personal data of 1.5 million SingHealth patients was stolen from the country’s largest healthcare group in July 2018. The outpatient prescriptions of Prime Minister Lee Hsien Loong and those of a few other ministers were leaked as a consequence.
Incidents like that one underline the importance of cyber security. It requires a lot more than just the ceremonial step of installing anti-virus software.
The financial and investment industries, where so much money resides, are particular targets. Close to 150 million people’s sensitive financial information was stolen in a 2017 hack from US credit reporting agency Equifax, leading to a whopping $795 million in fines. US regulators found the theft could have been prevented had the firm taken “basic security measures” to patch its systems.
Asian regulators are beginning to take the danger seriously. The Monetary Authority of Singapore issued new rules on August 6 to urge financial institutions to bulk up on their cyber resilience.
Meanwhile, asset owners are becoming more alarmed about the risks of a successful hack. Chairman of Australia’s Future Fund, Peter Costello, told AsianInvestor that the sovereign wealth fund considers cyber risk to be “a very major threat”. He added that the Future Fund has developed “a very sophisticated programme to deal with it and to protect ourselves”.
Similarly, in its 2019 annual report, the Canada Pension Plan Investment Board indicated that cybersecurity is an integral part of its risk management strategies.
Taking cybersecurity seriously means companies and asset owners need to spend money on information security products and services. Specialist services firm Varonis estimates that company cyber security budgets rose by 141% between 2010 and 2018, and that worldwide spending on information security could total $124 billion in 2019 as companies spend more to ensure they protect themselves and comply with privacy laws.
However, while asset owners are having to spend time and money to counteract the dangers of cyber-crime, the danger it poses to all industries is now offering them an investment opportunity.
The cybersecurity sector globally attracted about $5.3 billion of venture capital funding in 2018 and has spawned a steady stream of mergers and acquisitions over the past three years. The private equity world is eager to capitalise on the burgeoning industry, and some institutional investors are becoming eager too.
“Clearly cybersecurity is a growing trend; it has become more pronounced now compared to five years ago,” said Steven Seow, founder of Singapore Consultancy.
NASCENT INVESTOR INTEREST
In Asia, one active asset owner has taken a particular interest in the cybersecurity sector: Temasek.
Singapore’s sovereign investment company agreed to purchase crypto-technology firm D’Crypt from Starhub in August for up to $133.6 million, and is placing it within the Ensign family, a security solutions platform that is comprised of Ensign Infosecurity and direct investments in other cybersecurity companies such as Israel-based Sygnia.
“Those are the companies we have invested in as part of our global platform. Having them work together with Ensign in Asia Pacific provides our cybersecurity platform with a compelling proposition,” said Yeoh Keat Chuan, managing director with Temasek’s enterprise development group.
On top of that, Temasek has committed to venture capital funds that are solely dedicated to cyber security investments.
“We have invested in three such funds. The first is Israeli origin, it’s Team8, the second and third are American funds, 1011, and ClearSky,” Yeoh told AsianInvestor.
In truth, Temasek stands as an outlier among its asset owner peers in Asia Pacific. The interest of most other institutional investors has been mixed, to say the least.
A consultant for a UK-headquartered company, who declined to be named, said he hasn’t seen Asia Pacific institutional investors expressing any interest in cybersecurity-related private mandates so far.
Hank Thomas, co-founder and chief executive for US-based investment firm Strategic Cyber Ventures, said he’s seen demand from a few institutional investors from China, Singapore and Japan, but political concerns constrain how much his company can work with some of these institutions.
“We have received some interest from Chinese investors, but due to the fact that we are an American cyber security focused venture capital firm, we have chosen not to work with mainland Chinese investors or Chinese [portfolio] companies,” he told AsianInvestor.
It’s understandable why not; China is widely considered to be the US’s largest cyber adversary. In June, US cyber security firm Cybereason concluded with a “high level of certainty” that hackers who are affiliated with China, and are “highly state-sponsored”, had breached the cellular networks of global telecommunications providers, stealing users’ call details. These details indicate the physical location and duration of a call.
“Taking Chinese money would mean we were working with our enemy,” Thomas said.
That said, he believes non-Chinese Asian investors “would clearly be a fantastic option to consider” as additional investors in the future.
In Thomas’s experience, institutional investors with a demonstrated willingness to invest heavily in the technology space are the most likely to put money into cyber security funds, although a few generalists sometimes join small groups of investors for earlier stage investments.
Temasek offers a case in point. Yeoh told AsianInvestor that the sovereign investor has grown more interested in putting money to work in the sector in recent years. That helps to explain why the sovereign fund set up Ensign InfoSecurity in September last year. It is a joint venture formed with telecommunications company Starhub to provide cyber security solutions.
“It’s very much in line with the trends we are looking at, whether it’s a more connected world and smarter systems,” he said. “Secondly, it’s just the growth in digitalisation that really requires a secure environment. That’s why we started looking at cyber security about five years ago, and more actively about two years ago.”
This article was adapted from a feature focused on asset owners and cybersecurity investing, which originally appeared in AsianInvestor's Summer 2019 edition.