What a major cyber-attack could mean for markets

We see cyber-attacks as a persistent and growing risk whose potential impact may be underestimated. Isabelle explains.

The geopolitical risks that tend to have the greatest market impact? We find it’s the ones that investors aren’t focused on. One risk that falls into that category, according to our analysis: the risk of a major cyber-attack.

Cyber-attacks by state and non-state actors on critical physical, financial and technology infrastructure are increasing in sophistication, volume and intensity, and digital warfare is becoming an important tool for nation states to interfere in the domestic affairs of rivals. We see cyber-attacks on business-critical infrastructure and major elections as a persistent and growing risk whose impact markets are underestimating.

Our BlackRock Geopolitical Risk Indicator for a major cyber-attack(s) shows only modest market attention to this risk, implying that a cyber-attack could have an out-sized market impact. See the chart below.

We believe markets are underestimating the risks as a number of broad trends are converging. Both the opportunity for attack and the threat posed are rising as the world becomes increasingly digitized. The increased use of artificial intelligence in business and proliferation of Internet-connected devices heighten exposure to cyber risks, while availability of open source code has lowered the barriers to entry for cyber crimes.

icon-pointer.svg Read more on the risk of major cyber-attacks at our BlackRock Geopolitical Risk Dashboard.

Cyber attackers today vary in sophistication and capability, ranging from well-funded government agencies to poorly resourced criminal groups and terrorist networks. With regards to the former, digital warfare is becoming an important tool of statecraft, allowing countries to pursue their geopolitical and economic objectives through a wider variety of means. For instance, in 2016, NATO expanded its definition of “war domains” beyond air, land and sea to include cyberspace, and its members are now co-operating in this area. Meanwhile, defensive capabilities in the private sector have been slow to evolve. In fact, many organizations have effectively conceded that their infrastructure will be breached, and are instead focusing on minimizing the ensuing damage.

How frequent are cyber-attacks?

How frequent are cyber-attacks? Until recently this was very challenging to determine owing to a lack of obligation to report such attacks. Yet in the U.S., more than 50 federal, state and local laws now mandate disclosure of cyber breaches to regulators or affected consumers. In Europe, the recently implemented General Data Protection Regulation (GDPR) requires companies to publicly disclose data breaches to national data protection authorities and to individuals when the threat of harm is significant. Our market attention indicators picked up over 3,000 examples of content flagging cyber-related concerns in 2018, more than double the five-year average. Financial regulators are also increasingly focused on this issue, with FINRA among those publicly warning against rising cyber risks last year.

Cyber-attack possibilities with a potential market impact include threats to critical infrastructure such as attacks on the U.S. power grid, a breaching of the defenses of the global financial system, or hackers taking over key technology infrastructure and disrupting the operations of dependent industries. Our analysis of the potential impact of an attack on the U.S. power grid, for instance, shows likely equity market sell-offs, led by utilities and industrials while U.S. Treasuries, the yen and gold would likely rally given their safe-haven characteristics.

Investors also need to be cognizant of the risk posed by cyber-attacks aimed at specific corporations. Many companies have witnessed sharp share price declines after disclosing cyber-attacks in recent years. Attacks have typically targeted companies with large amounts of personal data. Data are a double-edged sword; they have huge value in allowing companies to understand customer trends, but also become an enormous burden to protect.

Quantifying the cost of cyber-attacks

Quantifying the cost of cyber-attacks to corporates is highly complex, and manifests over several years once the full effect of customer loss and the devaluation of a firm’s brand name are accounted for. The impact can also spread well beyond the company targeted: We observe examples where, following cyber-attacks, companies across the industry targeted have seen valuation multiples contract.

Major financial services and tech companies are often targets but tend to have advanced defenses. We see the utility, energy and defense sectors as among the most vulnerable, although they are now increasing their spending on cyber-security, a sector where we see potential opportunities as the risk of cyber-attacks grows. Improvements in blockchain technology are also spilling over into the cyber-security industry, offering improved data encryption capabilities as well as new more secure ways of controlling network access.

Across all industries, risks to watch include companies involved in drawn-out mergers, and firms that rely heavily on third-party vendors. A recent data breach affecting 500 million customers of a hotel chain illustrates the vulnerabilities of companies during extended merger periods.

Attention to the risk of cyber-attacks currently is limited, yet we do expect markets to pay increasing attention as the cyber threat to critical infrastructure and companies rises. Read more on the risk of major cyber-attacks at our BlackRock Geopolitical Risk Dashboard, where we analyze the likelihood and market impact of our top 10 geopolitical risks.

Isabelle Mateos y Lago is BlackRock’s Chief Multi-Asset Strategist. She is a regular contributor to The BlogHugh Gimber, a Multi-Asset Investment Strategist for the BlackRock Investment Institute, contributed to this post.

Investing involves risks, including possible loss of principal.

This material is not intended to be relied upon as a forecast, research or investment advice, and is not a recommendation, offer or solicitation to buy or sell any securities or to adopt any investment strategy. The opinions expressed are as of January 2019 and may change as subsequent conditions vary. The information and opinions contained in this post are derived from proprietary and non-proprietary sources deemed by BlackRock to be reliable, are not necessarily all-inclusive and are not guaranteed as to accuracy. As such, no warranty of accuracy or reliability is given and no responsibility arising in any other way for errors and omissions (including responsibility to any person by reason of negligence) is accepted by BlackRock, its officers, employees or agents. This post may contain “forward-looking” information that is not purely historical in nature. Such information may include, among other things, projections and forecasts. There is no guarantee that any forecasts made will come to pass. Reliance upon information in this post is at the sole discretion of the reader. Past performance is no guarantee of future results. Index performance is shown for illustrative purposes only. You cannot invest directly in an index.

©2019 BlackRock, Inc. All rights reserved. BLACKROCK is a registered trademark of BlackRock, Inc., or its subsidiaries in the United States and elsewhere. All other marks are the property of their respective owners.