Investors reluctant to put funds into hacked businesses, warns KPMG

Four-fifths of big fund managers polled by KPMG would think twice before investing in cyber-compromised companies

Investors are reluctant to put their money into organisations that have been hacked, a study by KPMG has claimed, with the professional services firm warning that some boardrooms still fail to take cyber security seriously.

KPMG queried 133 global institutional investors with a combined total of more than $3tr under management about their thoughts on cyber security and the answer was clear: investors are likely to steer away from investing in a company that has been the victim of a significant cyber attack.

According to KPMG, 79 per cent of investors said that they would be "discouraged" from investing in a business that had been hacked by cyber criminals.

The findings also revealed that investors believe that some board members have "unacceptable skills and knowledge to manage innovation and risk in the digital world".

"Investors see data breaches as a threat to a company's material value and feel discouraged in investing in a business that has had its sensitive information compromised," said Malcolm Marshall, global leader of KPMG's cyber security practice.

He argued that "high-profile breaches" - such as the massive attack against Sony Pictures - mean that investors are "waking up to the issue of cyber security".

Marshall also described how investors expect businesses to be increasing their cyber capabilities "from top to bottom, including the board".

He continued: "In a world where breaches are common, it is reasonable to expect boards to have prepared themselves. A serious breach brings the competence and teamwork of senior executives and the board into sharp focus.

"What we are seeing is companies struggling to demonstrate that they are taking cyber risk seriously to their existing and potential investor base. The inability to demonstrate that a business is doing so could make it a less attractive investment proposition," Marshall said.

"A good start would be for boards to elevate cyber security higher up on the agenda and to invest more time towards it," he concluded.

KPMG argued that the board needs to understand cyber security is a "business risk issue, not just a problem for IT" and therefore take the necessary measures to increase cyber security.

A previous KPMG survey suggested that one way UK companies are looking to boost cyber defences is by hiring a hacker or someone with a criminal record to ensure they can deal with cyber security threats.

Computing'sEnterprise Security and Risk Management Summit takes place later this year and is free to attend for qualified end users.