Advice For Investors: How Are Executives Managing Cybersecurity Risks?

Recently the news brought word of three different cybersecurity incidents that occurred within about a five-month span. These news stories are worth review by investors.

In the first event, a US intelligence community analyst illegally shared classified information with a social media site because he personally disagreed with US policy and he wanted to alert anyone on the site about what was happening. Releasing classified information to a social media platform is a felony.

In the second event, about 100 personnel across the US intelligence community were suspended or fired for misusing internal chat rooms by engaging in what we might gingerly call "not suitable for work" banter (NY Times summary: "Officials confirmed that the N.S.A. managed a system that had been used for sexually explicit chats and L.G.B.T.Q. discussions"). To add on, these discussions came to light because a social media platform host gained access to chatroom logs, which should be if not classified then not releasable or FOIA-able under normal circumstances.

In the third event, about 20 personnel at Meta, parent company of Facebook, were fired for "leaking confidential information" about upcoming changes in policy or products ("And we expect there will be more" firings said a Meta spokesman). 

In two of these cases, one in the US intelligence community and one at Meta, people released proprietary or classified information not for personal gain but for personal reasons -- grudges, ego needs, etc. Insider threats are real and not movie or novel plotlines. In the chatroom situation, it's not clear how someone without access got printed chatroom logs, but again there were likely personal reasons that led to disclosures.

Here's why investors should pay attention when evaluating prospects and ask how executives would manage similar situations.

Normally one might think that a cybersecurity threat is about stealing something, such as intellectual property or money, or denying service until a ransom is paid. But cybersecurity risks can be more broadly defined as misuse of system access for personal reasons. An investor might want to know how executives have balanced the risks of over-limiting systems access with the potential gain of enabling access to create faster or more innovative services. 

Some managers use performance monitoring tools, which employees greatly resent. Naturally there is academic literature about this. In brief monitoring does not decrease bad behavior as much as it stresses employees, though it is also the case that transparency about how and what is being monitored increases employee satisfaction. 

Assessing cybersecurity risk management should be a normal part of due diligence. Pythia Cyber's diagnostic approach to cybersecurity risk management helps investors make better-informed decisions about the capacity of organizational leadership to manage through these issues.