Some 79% of institutional investors would be reluctant to invest in a company that has suffered a cyber attack, according to a KPMG survey.
A poll of 133 global institutional investors with over $3trn (£2trn) under management also found investors believe fewer than half of the boards of the companies they invest in have adequate skills to manage cyber risk. They also feel 43% of board members have "unacceptable skills and knowledge" to manage innovation and risk.
Malcolm Marshall, global leader of KPMG's cyber security practice and partner with the UK firm, said: "Investors see data breaches as a threat to a company's material value and feel discouraged in investing in a business that has had its sensitive information compromised."
He said investors expected businesses to increase their cyber capabilities "from top to bottom", including the board.
"My personal experience of working with organisations that have been breached is that businesses that are generally well run and understand risk are better prepared for future risks. A serious breach brings the competence and teamwork of senior executives and the board into sharp focus," Marshall said.
The majority (86%) of investors wanted to see boards spend more time on cyber issues than they did last year. Marshall urged boards to prioritise the issue and devote more time to it.
He warned that firms struggling to demonstrate they are taking cyber risk seriously could make themselves a "less attractive investment proposition".
Marshall outlined the following measures for boards to be cyber secure:
- Board directors need to understand and approach cyber security as a business risk issue, not just a problem for IT.
- Directors need to understand the legal implications of cyber risks as they relate to their company's specific circumstances.
- Boards should have sufficient cyber security expertise, and discussions about cyber risk management should be given regular and adequate time on the boardroom agenda.
- Directors should set the expectation that management will establish a firm-wide cyber risk management framework that has adequate scope for staffing and budget.
- Discussions of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer, as well as specific plans associated with each approach.