The geopolitical risks that tend to have the greatest market impact? We find it’s the ones that investors aren’t focused on. One risk that falls into that category, according to our analysis: the risk of a major cyber-attack.
Cyber-attacks by state and non-state actors on critical physical, financial and technology infrastructure are increasing in sophistication, volume and intensity, and digital warfare is becoming an important tool for nation states to interfere in the domestic affairs of rivals. We see cyber-attacks on business-critical infrastructure and major elections as a persistent and growing risk whose impact markets are underestimating.
Our BlackRock Geopolitical Risk Indicator for a major cyber-attack(s) shows only modest market attention to this risk, implying that a cyber-attack could have an out-sized market impact. See the chart below.
We believe markets are underestimating the risks as a number of broad trends are converging. Both the opportunity for attack and the threat posed are rising as the world becomes increasingly digitized. The increased use of artificial intelligence in business and proliferation of Internet-connected devices heighten exposure to cyber risks, while availability of open source code has lowered the barriers to entry for cyber crimes.
Cyber attackers today vary in sophistication and capability, ranging from well-funded government agencies to poorly resourced criminal groups and terrorist networks. With regards to the former, digital warfare is becoming an important tool of statecraft, allowing countries to pursue their geopolitical and economic objectives through a wider variety of means. For instance, in 2016, NATO expanded its definition of “war domains” beyond air, land and sea to include cyberspace, and its members are now co-operating in this area. Meanwhile, defensive capabilities in the private sector have been slow to evolve. In fact, many organizations have effectively conceded that their infrastructure will be breached, and are instead focusing on minimizing the ensuing damage.
How frequent are cyber-attacks?
How frequent are cyber-attacks? Until recently this was very challenging to determine owing to a lack of obligation to report such attacks. Yet in the U.S., more than 50 federal, state and local laws now mandate disclosure of cyber breaches to regulators or affected consumers. In Europe, the recently implemented General Data Protection Regulation (GDPR) requires companies to publicly disclose data breaches to national data protection authorities and to individuals when the threat of harm is significant. Our market attention indicators picked up over 3,000 examples of content flagging cyber-related concerns in 2018, more than double the five-year average. Financial regulators are also increasingly focused on this issue, with FINRA among those publicly warning against rising cyber risks last year.
Cyber-attack possibilities with a potential market impact include threats to critical infrastructure such as attacks on the U.S. power grid, a breaching of the defenses of the global financial system, or hackers taking over key technology infrastructure and disrupting the operations of dependent industries. Our analysis of the potential impact of an attack on the U.S. power grid, for instance, shows likely equity market sell-offs, led by utilities and industrials while U.S. Treasuries, the yen and gold would likely rally given their safe-haven characteristics.
Investors also need to be cognizant of the risk posed by cyber-attacks aimed at specific corporations. Many companies have witnessed sharp share price declines after disclosing cyber-attacks in recent years. Attacks have typically targeted companies with large amounts of personal data. Data are a double-edged sword; they have huge value in allowing companies to understand customer trends, but also become an enormous burden to protect.
Quantifying the cost of cyber-attacks
Quantifying the cost of cyber-attacks to corporates is highly complex, and manifests over several years once the full effect of customer loss and the devaluation of a firm’s brand name are accounted for. The impact can also spread well beyond the company targeted: We observe examples where, following cyber-attacks, companies across the industry targeted have seen valuation multiples contract.
Major financial services and tech companies are often targets but tend to have advanced defenses. We see the utility, energy and defense sectors as among the most vulnerable, although they are now increasing their spending on cyber-security, a sector where we see potential opportunities as the risk of cyber-attacks grows. Improvements in blockchain technology are also spilling over into the cyber-security industry, offering improved data encryption capabilities as well as new more secure ways of controlling network access.
Across all industries, risks to watch include companies involved in drawn-out mergers, and firms that rely heavily on third-party vendors. A recent data breach affecting 500 million customers of a hotel chain illustrates the vulnerabilities of companies during extended merger periods.
Attention to the risk of cyber-attacks currently is limited, yet we do expect markets to pay increasing attention as the cyber threat to critical infrastructure and companies rises. Read more on the risk of major cyber-attacks at our BlackRock Geopolitical Risk Dashboard, where we analyze the likelihood and market impact of our top 10 geopolitical risks.
Isabelle Mateos y Lago is BlackRock’s Chief Multi-Asset Strategist. She is a regular contributor to The Blog. Hugh Gimber, a Multi-Asset Investment Strategist for the BlackRock Investment Institute, contributed to this post.