Cybersecurity: a key ESG challenge

If you have any personal information or account information stored on any site, there is a chance your information has been hacked, possibly without you ever knowing. From Equifax to Yahoo to Sony, companies, individuals and governments around the world are constantly facing cyber security threats. Just ask Hillary Clinton how far-reaching the consequences can be. Now the European Union (EU) wants to tighten up data and privacy regulations.

There has been a great deal of discussion about the EU’s General Data Protection Regulation (GDPR) over the last couple of months. However, what exactly is the GDPR and what are the implications for investors?

The EU wants to give individuals greater control over how their personal data is used, stored and erased. From 25th May 2018, GDPR will require organisations to categorise data, specify how long it has been held and whether it will be erased. Users will also have the right to obtain their personal data and to have it erased. The current Data Protection Regulation is outdated and does not consider new technologies such as the cloud, big data and social media.

GDPR applies to any information an organisation holds which relates to an identified person, also known as the data subject. This includes information on a person’s physical, physiological, mental, economic, cultural or social identity. However, GDPR goes further and includes identifiable information such as location data and online identifiers such as an IP address.

The legislation, however, is not confined to companies based within the EU. International companies outside the EU are subject to the regulation as long as they handle information belonging to EU residents. For example, a company such as Facebook, which has a web presence in the EU and markets its products or services to residents within the EU, will also be affected by GDPR.

GDPR introduces tougher fines for breaches and non-compliance. The maximum fine that organisations could face is 4% of their annual global turnover or EUR 20 million (whichever is greater). Currently, for example in the UK, the maximum fine the Information Commissioner’s Office can impose is £500,000. GDPR is therefore financially material for companies which fail to comply with the legislation. Take for example a company like Google. If Google were fined for the most serious breach, the fine would translate into approximately $4bn.[1]

The vast majority of data breaches have historically gone unreported. If we take Yahoo as an example, we only learnt in December 2016 that more than 3 billion accounts had been hacked in August 2013. The information hacked included email addresses, passwords and birth dates. Under GDPR, a breach must be reported to an EU regulator or supervisory authority within 72 hours of the breach. This is a radical change compared to current practices. Furthermore, if the personal data breach is likely to result in a high risk to the rights and freedoms of an individual, the individual must also be notified.

GDPR presents significant risks for some companies, as they will need to conduct data audits to assess all types of personal data they hold. In particular, companies in the hospitality, travel, software services and e-commerce sectors will need to assess their online marketing practices to ensure they are GDPR compliant. Gartner expects that only 50% of organisations will be GDPR compliant by the time the legislation comes into effect. This leaves many companies exposed to potential fines.

The legislation does, however, present growth opportunities for cyber security companies. IT departments across organisations will have to increase investment in security spending. According to IDC, GDPR presents a significant opportunity for security vendors, with the estimated market size set to increase from $160m in 2014 to $1.9bn in 2019. Many security companies claim they will benefit from GDPR, but we believe only a few will truly benefit from this regulation. Varonis is one of them in our opinion. Varonis offers a range of data management solutions, which include helping companies prepare for GDPR readiness. The solutions allow companies to categorise data, provide audit trails, document files and alert users to suspicious behaviour. Varonis is uniquely positioned in that it offers both user analytics and data management solutions.

The legislation may force privacy standards to rise outside the EU. Whether or not companies will be GDPR compliant by 25th May 2018 remains to be seen. At DPAM, we are convinced that there is a growing universe of companies operating within this sector, and investors can gain exposure to this theme through the DPAM Sustainable NewGems Fund.

[1] Based on Google’s 2017 turnover of $110.8bn

Author: Degroof Petercam Asset Management

