Cybersecurity as a Competitive Advantage: Introducing the Solactive BitSight Cyber Risk Indices
Cybersecurity is gaining in importance, and investors are increasingly concerned about cyber risks to their investments. Companies that are well-prepared for the challenges of our digitalized world have a competitive advantage. Our data provider BitSight quantifies the cybersecurity performance of individual organizations. We use the BitSight Security Rating to construct the Solactive BitSight Cyber Risk Indices.
In these indices, only companies with comparably superior cyber risk management systems are selected. Historical performance analyses show that better cybersecurity ratings would have paid off over the past five years.
Incorporating Cybersecurity Ratings into the Investment Strategy
Investors are increasingly concerned about cyber risks to their investments. Virtually every company in the world now faces cyber risk due to their reliance on information technology. However, organizational cybersecurity performance and effectiveness varies dramatically from company to company, and sector to sector, due to a variety of factors, including prioritization, regulation, expertise, and focus. Investors concerned about cyber risk have faced challenges in continuously collecting objective data about cybersecurity performance across a broad range of organizations. Our data provider, BitSight, evaluates the cybersecurity performance of individual organizations through a continuous, non-intrusive data collection process to create the BitSight Security Rating, a quantifiable measurement that is widely adopted in the marketplace by businesses, insurers, and government agencies. We use the BitSight Security Rating to construct the Solactive BitSight Cyber Risk Indices.
For investors, cybersecurity performance data is a critical addition to their investment strategy. Imagine two listed companies that only differ in their level of commitment and capacity to manage their IT and cyber risks but are otherwise equal. If investors price in the risk of a data breach, then the company with the weaker cybersecurity capabilities would have a lower stock price valuation due to a larger (tail) risk of data breaches. If this leads to detrimental effects on trust besides other indirect disadvantages, a careless attitude towards cyber risks could lead to direct effects on this company’s bottom line. In the Solactive BitSight Cyber Risk Indices, only companies with comparably good cyber risk management systems are selected. Historical performance analyses show that better Security Ratings seem to pay off. Back-tests reveal a solid outperformance of the Solactive BitSight Cyber Risk Indices between the beginning of 2015 and end-September 2020.
New opportunities for criminals – New challenges for companies
In 1798, $162,821 was stolen from the Bank of Pennsylvania without the use of weapons. This burglary is considered to be the first bank robbery in America. Immediately, there were a few obvious suspects, the case could be solved, and the bank received its money back.1
In modern times, the Internet and digitization bring great business opportunities, but also major risks. In 2016, cyber criminals attempted to steal $951 million from the Bangladesh Bank. Whereas the lion’s share of the presumably largest bank heist ever could be recovered, an amount of $81 million is still missing.2 And it is more than just banks and financial data that is at risk. Intellectual property, trade secrets, business information, and sensitive data are all at risk to hackers or cyber criminals, who can attack from across the globe. It is no wonder that governments are focusing significant effort and attention on cyber-attacks, and why CEOs have called cybersecurity the greatest threat to the world economy.3 Thus, cybersecurity and the protection against digital risks should be of strategic importance to every company – and at the forefront of the minds of the investor.
Cybersecurity as a Competitive Advantage
As many sectors of the economy have changed due to the rise of computers and technology, cybersecurity has become essential to all users of digital applications, devices, or services. At first sight, a company’s protection against the risk of cybercrime only costs money but does not bring revenues. However, this is a one-sided view that does not reflect all relevant aspects.
Sound risk management systems signal stakeholders – i.e., clients, business partners, shareholders, regulators, as well as employees – stability and competence, and boost their confidence in a company. This affects revenues, although the exact attribution is difficult to measure. Put in simple terms, companies with well-functioning cybersecurity systems are expected to have a competitive advantage over, and perform better than, companies focusing on cyber threats to a lesser extent. According to BitSight, a well-functioning cybersecurity program is a crucial market differentiator in a competitive landscape.4
The competitive advantage of well-functioning cybersecurity programs is an important issue for investors. It is difficult to differentiate on cybersecurity as there remain challenges in data collection. The BitSight Security Ratings tackle this by providing an objective and independent measure, which can be very helpful for investors to make better-informed investment decisions for the following reasons. First, gaining the stakeholders’ trust through sound risk management systems leads to the above-mentioned competitive advantage. Second, a good organization’s cybersecurity performance can indicate an effective company governance. Thus, the BitSight Security Ratings data can be interpreted as a proxy for governance.
BitSight transforms how organizations manage cyber risk. The BitSight Security Ratings Platform applies sophisticated algorithms, producing daily Security Ratings that range from 250 to 900, to help organizations manage their security performance; mitigate third party risk; underwrite cyber insurance policies; conduct financial diligence; and assess aggregate risk. With over 2,100 global customers and the largest ecosystem of users and information, BitSight is the Standard in Security Ratings.
BitSight Security Rating and its Explanatory Power
Though widely recognized as a key component of governance, there is a lack of disclosure as it relates to cybersecurity investment, policy, and readiness from companies in general. Cybersecurity insights that are disclosed are typically self-reported, and thus unvalidated, and qualitative in nature. Further, organizations themselves are often in the dark when it comes to assessing the impact of their own security programs and policies due to a lack of objective metrics and tools that help measure and mitigate cyber risk. Since pioneering the security ratings market in 2011, BitSight has transformed the way organizations evaluate risk and security performance by employing the outside-in model used by credit rating agencies.
BitSight Security Ratings are objective, quantitative measurements of an organization’s cybersecurity performance generated through the analysis of externally observable data. To assess the effectiveness of a company’s cybersecurity program, BitSight continuously collects evidence of compromised systems, diligence configurations, user behavior, and publicly disclosed security incidents. A proprietary algorithm is then applied to evaluate performance in 23 different risk categories and aggregate the results to produce an accurate rating. This data-driven, outside-in approach requires no permission or information from the rated entity.
The result is an easy to interpret, evidence-based security rating ranging from 250 to 900, that is updated daily. In addition to quantifying the effectiveness of an organization’s cybersecurity program, BitSight Security Ratings are also meaningful measurements of the probability that an organization will experience a breach. As validated by catastrophe modeling companies AIR Worldwide and IHS Markit, companies with a BitSight Security Rating of 500 or less are almost five times more likely to suffer a breach than those with a rating of 700 or more.5, 6
The idea behind the Solactive BitSight Cyber Risk Indices is to use the BitSight Security Rating to construct indices with the best-in-class companies regarding cybersecurity.
Solactive BitSight Cyber Risk Indices – Methodology
The newly launched cyber risk indices are based on our Solactive Global Benchmark Series (GBS) which provides a comprehensive benchmark of global stock market indices. We focus on the respective Large & Mid Cap Index versions of GBS. From this set of stocks, we select companies that demonstrate a comparably high level of cybersecurity effectiveness. We have launched five indices in total. Four of these are regional indices following the same selection criteria. To ensure sector neutrality, the companies are ranked by their BitSight Security Rating within their respective sectors – as defined by the FactSet Economy classification system. According to their rank, the top 25% of companies per sector are selected. The ratings are based on the four risk categories compromised systems, diligence, user behavior, and publicly disclosed data security incidents.
The fifth cyber risk index is a United States technology sub-index. It is based on all stocks classified as technology ones (according to their FactSet Economy) within our Solactive GBS United States Large & Mid Cap Index. This index’s methodology is different than that of the other versions, as the US tech version takes into account more details regarding the companies’ rating by incorporating some of the underlying risk vector data elements. Once more, the top 25% of the companies by rank are selected. All selected companies are equally weighted at rebalance, which is performed quarterly. Further details about the indices can be found in their respective guidelines on our Solactive website:
- Solactive BitSight Developed Markets Cyber Risk Index (Guideline)
- Solactive BitSight Europe Cyber Risk Index (Guideline)
- Solactive BitSight Pacific Cyber Risk Index (Guideline)
- Solactive BitSight United States Cyber Risk Index (Guideline)
- Solactive BitSight United States Technology Cyber Risk Index (Guideline)
Solactive BitSight Cyber Risk Indices – Performance
Our back-test data reveal that there seems to be value in belonging to the top 25% companies (per sector) with the highest BitSight Security Rating. The selection of companies with top-in-class cybersecurity management systems has led to an outperformance of 8.4 to 93.8 percentage points in a back-test over the previous around 5.5 years.
As table 1 shows, the outperformance is the largest for the US technology version, with 93.8 percentage points over the considered timeframe, or around 7 percentage points on an annualized basis. Notably, the regional index versions of broad Developed Markets, Europe, Pacific, and the United States all show a similar picture of a solid outperformance over their respective benchmarks (of around 1 to 2 percentage points per year). Please refer to table 1 and figure 1 for more details.
Cybersecurity is rapidly increasing in importance in our data-driven and fast-evolving world. Digitalization is playing a central role in most industries, and companies that are better prepared for further changes are well-positioned for challenges ahead. Not only are the setup of IT infrastructure and a digitization strategy essential for companies nowadays, but so too is their associated IT risk management. Organizations should protect themselves against cyber risks, and investors should be aware of the risks that exist within organizations.
Our data provider BitSight is continuously quantifying the effectiveness of organizations’ cybersecurity systems. We use the BitSight Security Rating to construct the Solactive BitSight Cyber Risk Indices. The idea behind these indices is to invest in the top 25% companies by sector with the highest BitSight Security Ratings. A back-test shows that this strategy would have paid off over the past five years. Companies that are well-prepared for all challenges of our digitalized world have a competitive advantage. It is right to assume that all stakeholders – inside and outside of an organization – would prefer to conduct business with a comparably better positioned entity regarding cyber and data security. This preference could most likely lead to a positive effect on a company’s bottom-line – which is exactly what we try to capture with the Solactive BitSight Cyber Risk Indices.
Dr. Axel Haus, Team Head Qualitative Research
Thanks to the BitSight team for contributing to this blogpost.
 Carpenters’ Hall of Philadelphia, “America’s First Bank Robbery” (Ron Avery), https://www.carpentershall.org/americas-first-bank-robbery.
 The New York Times Magazine, The Money Issue, “The Billion-Dollar Bank Job” (Joshua Hammer), https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html.
 EY, “How cybersecurity became the number one threat in the global economy for CEOs” (Kris Lovejoy), https://www.ey.com/en_gl/consulting/how-cybersecurity-became-the-number-one-threat-in-the-global-eco.
 BitSight, “The Competitive Advantage of a Strong Security Program” (Sibel Bagcilar), https://www.bitsight.com/blog/why-you-need-to-build-a-strong-security-program.
 AIR Worldwide, “Global Cyber Resilience, WHAT YOU NEED TO KNOW”, https://www.air-worldwide.com/Publications/Infographics/Global-Cyber-Resilience/.
 IHS Markit, “Cybersecurity factors powered by BitSight”, https://ihsmarkit.com/research-analysis/cybersecurity-factors-powered-by-bitsight.html.