• Why cybersecurity is emerging as an ESG factor for investors
  • What impact Artificial Intelligence has on the cybersecurity sector
  • Stockhead reached out to Tesserent’s senior consulting partner, Mark Jones


Cyber security is emerging as a major ESG factor for investors, and should be integrated into the investment decision-making process.

That’s the view from Nomura, which also said that cybersecurity is fast becoming the top global risk, along with climate change and geopolitical conflict.

According to Nomura’s research, cybercrime rates are growing in severity and frequency as the world becomes more digitalised.

In 2022, the average cost for a company that’s had its data breached reached US$4.35 million.

Ransomware has become a major concern, and in the US, the most commonly demanded ransom amount for companies is in the range of US$5-10 million.

All this meant that most firms have ramped up their budgets on cyber defences, with spending on cyber security estimated to reach US$1.75 trillion from 2021 to 2025.


How Artificial Intelligence changes the game

The recent emergence of artificial intelligence (AI), particularly Generative AI, has also transformed the way experts think about cyber security.

According to many research papers, cybercriminals are harnessing AI to launch sophisticated and novel attacks at large scale.

Generative AI is helping bad actors innovate and develop new attack strategies, enabling them to stay one step ahead of cybersecurity defences.

Mark Jones, senior consulting partner at ASX-listed cybersecurity company Tesserent (ASX:TNT), told Stockhead that AI presents some new challenges, mainly around the rate in which technology is used in cyber attacks.

“For instance, their ability to identify potential vulnerabilities in code, craft more specific and tailored phishing emails, and so forth,” Jones said.

Jones also acknowledged that AI does make the ability to launch a cyber attack a little easier for the threat actors.

“They now have more ability to automate attacks and develop better evasion and obfuscation methods.

“It also means that people with less knowledge of coding can gain access to information, attack methods and tools that were not possible before,” Jones told Stockhead.


‘Focus on the basics’ to manage cyber security risks

Recent major cyberattacks have targeted hospitals and pharmaceutical companies, travel and leisure companies, financial services and energy infrastructure operators.

However, Jones said the threat of AI in cyber attacks doesn’t make specific industries any more of a target than they already were.

“It just means the capability to target these sectors can be supported by AI powered tools and techniques. The same principals apply to these new frontiers in the battle against the rise of cyber crime.”

Jones also stressed that it’s very important not to get caught up in the hype of new tech, adding that Tesserent’s experience as well as industry reports suggest that focus should be on the foundation level controls before moving to more advanced problems.

“Our recommendation therefore is get all the basics working first, as this will be the most effective way to help manage cyber security risks.

“Like the rest of the technology sector, Tesserent is working with our clients to manage how AI affects their business. We are constantly alert to new cybersecurity threats and risks, and we work to mitigate them before escalation,” Jones said.


Measuring ‘cyber hygiene’

Meanwhile, Nomura says that most cyber incidents and breaches are not publicly reported or acknowledged, making it difficult for investors to assess cybersecurity risks.

“Going forward, the systematic integration of cybersecurity risks in investment analysis will create demand for more material cybersecurity-related disclosures,” said Jason Mortimer, head of Sustainable Investment  at Nomura.

Mortimer said that firms do not usually disclose meaningful details about their cybersecurity policies to public investors, and there are legitimate concerns that too much disclosure would only attract more cyber-attacks.

“Together this implies that investors evaluating cybersecurity across companies will have to rely on forecasted measures of cybersecurity preparedness, and adherence to best practices as a proxy for cybersecurity risk,” he said.

To address these challenges, Nomura says it’s focusing on measuring “cybersecurity hygiene,” a yardstick used to gauge best practice that an organisation takes to keep its network and data secure.

Fortunately, the data required for comprehensively evaluating cybersecurity hygiene is becoming more widely available to investors.

“A variety of specialised data providers now provide “cyber risk ratings” based on automated measurements of cyber hygiene,” Moritimer said.

Nomura has also integrated cybersecurity directly into its proprietary Credit ESG Scoring model as a “Governance” factor for its corporate debt investments.

The NAM Credit ESG Score model, as it’s called, reflects Nomura’s view that cybersecurity performance reflects the company’s overall governance structure.

“The resulting ‘heat map’ of sector-specific cybersecurity materiality acts as a guide for our research and engagement with investee companies,” said Mortimer.


Cyber security stocks on the ASX

Tesserent (ASX:TNT)

Tesserent provides full service, enterprise-grade cybersecurity and networking solutions targeted at midmarket, enterprise and government customers across Australia and New Zealand.

The company’s Cyber 360 strategy delivers solutions covering identification, protection and 24/7 monitoring against cybersecurity threats.

Tesserent is currently a takeover target by Thales Australia, which has proposed to acquire 100% of TNT shares at 13c.

Shareholders will vote on this proposal on 18 September.


archTIS (ASX:AR9)

This data-centric security tech company prevents malicious and accidental loss of information for its clients.

archTIS’ products NC Protect and Kojensi are multi-government certified platforms for the secure access to sensitive and classified information.

In July, archTIS signed a new agreement with the Bank of Finland, an existing customer, to license NC Protect and the NC Encrypt module. The purchase migrates the Bank of Finland from the previously acquired cp.Protect offering.


Whitehawk (ASX:WHK)

Whitehawk offers an online tool that enables small and midsize businesses to take immediate action against cybercrime, fraud, and disruption.

Last month, Whitehawk announced that the US Federal Government contract for Cyber Risk Radar announced in July 2020 has been extended for fourth year, valued at US$672k base, with an option for additional US$505k services.

The Cyber Risk Radar is an annual Software-as-a-Service (SaaS) subscription service developed by WhiteHawk that enables clients to assess, identify, monitor, prioritise, and mitigate business and cyber risks of their supply chain vendors.


Senetas (ASX:SEN)

Senetas owns software tools that protect against malware and ransomware attacks.

The company has developed the technology that has the ability to proactively eliminate all known and unknown threats hidden in files.

In the latest update in June, Senetas said its segment sales pipeline continues to build with growth of over 100% through FY23, and further sales momentum is expected over the next 12 months.


ASX cyber security share prices today:


The views, information, or opinions expressed in the interview in this article are solely those of the interviewee and do not represent the views of Stockhead.

Stockhead has not provided, endorsed or otherwise assumed responsibility for any financial product advice contained in this article.