Cybercrime & bug bounty: curbing the unlimited threat

01 September 2020

By Ken Rayner, Verbatim RSMR Model Portfolio Manager

Cybercrime is evolving at an incredible rate. Attacks are taking longer to resolve, and protection is becoming an expensive business for companies across the globe. The increasing threat from malicious nation-states, indirect supply chain attacks and data exploitation is real. Organisations are introducing new technologies to drive innovation and growth faster than they can be secured, and humans are increasingly targeted as the weakest link.

The New Zealand stock exchange was recently knocked offline two days in a row by a Distributed Denial of Service (DDoS) attack. It’s a relatively simple type of cyber-attack where a vast number of computers try to connect to an online service at once, overwhelming its capacity. Attackers often use devices compromised by malware, and the owners may not even be aware that they are part of the attack. Personal and financial information is not necessarily accessed, but as a result of the attack, genuine traders may have had problems carrying out their business.

Equifax, one of the world’s largest consumer credit reporting agencies, holds a lot of high-quality data. A cyber-attack in 2017 resulted in the theft of 143 million records, prompting an immediate drop in the company’s share price of around 35%. Investors’ memories, however, are short and the share price has since recovered, but this type of cyber threat is clearly a huge issue.

In May 2017, a worldwide cyber-attack by the WannaCry ransomware cryptoworm targeted computers running Microsoft Windows by encrypting data and demanding ransom payments in the bitcoin cryptocurrency. It propagated through EternalBlue, an exploit discovered by the United States National Security Agency (NSA) for older Windows systems. Microsoft had released patches to close the exploit, but many organisations hadn’t applied them, or were using older Windows systems, allowing the cryptoworm to wreak havoc. The attack was halted within a few days but was estimated to have affected more than 200,000 computers across 150 countries, with total damages extending to billions of dollars. Security experts believed from preliminary evaluation of the worm that the attack originated from North Korea, or agencies working for the country.

Uber’s former Chief Security Officer, Joseph Sullivan, has recently been charged with obstruction of justice in the United States. Uber experienced a data breach in 2016 where data on 57 million people was stolen, including details of their own drivers and passengers. Uber admitted to paying a group of hackers a ransom of $100,000 in bitcoin to delete the data they had stolen. The payment was disguised as a ‘bug bounty’ reward, a type of payment normally made to cybersecurity researchers who disclose vulnerabilities so they can be fixed. Joseph Sullivan is accused of taking deliberate steps to stop the Federal Trade Commission from finding out about the hack.

The reasons for the DDoS attack on New Zealand are unclear, but in Uber’s case, the hackers were obviously motivated by money. Uber paid the ransom and an additional $148 million to settle a legal claim when they were sued by all 50 states in the US because of the data breach. For companies that are a target of cyberattacks, the ramifications are huge.

One recent report suggests that cybercrime could cost the world $6 trillion annually by 2021. With 20 billion devices in the world and valuable data at stake, there’s a lot to fear. It’s not just laptops and phones that are potential access points: data can be garnered through smart watches, smart meters, security systems and many other devices. There are also a staggering 26 billion credit and debit cards in circulation. With more devices and cards than there are humans on the planet, the scale of the threat is immeasurable.

Not surprisingly, the bug bounty business is growing all the time. How can investors access this expanding area? Some funds that we rate allow you to invest in companies that provide bug bounty expertise, and investment vehicles such as ETFs offer strategies that focus specifically on cybersecurity.

The US government spent $15 billion on cybersecurity last year and the UK government £1.9 billion. Accenture Security professionals have examined the economic impact of cyber-attacks and have estimated that the average cost of cybercrime for an organisation is $13 million. The threat to businesses is real, vast and potentially catastrophic, making cybersecurity a very pricey but nondiscretionary spend for the foreseeable future.

The value of investments and any income from them can go down as well as up and is not guaranteed. Your clients could get back less than they originally invested. Past performance is not a guide to future performance. The portfolios' investments are subject to normal fluctuations and other risks inherent when investing in securities. Verbatim Asset Management has taken due care and attention in preparing this document, which is solely for the use of professional advisers. Verbatim cannot be held responsible for any inaccuracies arising out of information detailed within and will not accept liability for any loss arising out of or in connection with its use. The contents of this article should not be construed as advice and are for information only. Individual stock selection should only be performed by suitably qualified advisers.