Cybersecurity Sector prospects in the wake of the huge £183m BA fine

Monday, Jul 08 2019 by

With the announcement by International Consolidated Airlines SA (LON:IAG) that The Information Commissioner's Office (ICO) intends to fine it £183,390,000, we have the first indication of the huge escalation in the value of fines to be levied under the UK Data Protection Act 2018. This fine is equivalent to 1.5 per cent of British Airways' worldwide turnover for the financial year ended 31 December 2017; the maximum allowable is 2% of global turnover. The fine is a result of the theft of customer data from the BA website disclosed on 6 September 2018 and 25 October 2018 (after GDPR and the DPA 2018 came into effect). By comparison, Facebook was only fined £500,000 in the wake of the Cambridge Analytica scandal, which under the new act could potentially have been £1.2bn; the maximum allowable there is 4% of global turnover, a higher tier of fine reserved for misuse of data.

The cybersecurity industry has been expecting this escalation in fines - Ian Mann, CEO of ECSC (LON:ECSC) predicted this at the ShareSoc presentation in March 2019 and again only last week at a seminar. It is highly likely that any firm handling personal data will be re-examining their cybersecurity controls and considering what further investment they need to make.

In the light of Brexit, the ICO has stated that the UK data protection regime will have to be "equivalent" to the European Union's under GDPR if we want to trade with the single market on equal terms. However, there is a view that the ICO will wish to levy higher fines than those imposed in the EU, to demonstrate that it has teeth and to avoid potential issues in the event of a hard Brexit.

The potential issues that might arise were the UK to adopt a different, less strict set of regulatory controls are illustrated by the schism that emerged between the EU and the US in 2013. Austrian citizen Max Schrems, a user of Facebook since 2008, had complained to the Irish data protection authorities that recent revelations regarding the US National Security Agency demonstrated that US law and practice does not sufficiently protect personal data from state surveillance. In a landmark ruling, the European Court of Justice rejected the 'safe harbor' data sharing agreement with…








simoan 10th Jul 6 of 25

In reply to post #491236

Companies that don't sell direct to consumers would be fine - so companies like AVEVA (LON:AVV) or Burford Capital (LON:BUR) or Croda International (LON:CRDA) for instance. GDPR is about private citizens, not commercial entities.

But all companies, even the companies you have listed, hold employee data: NI numbers, bank account details for PAYE, health and disciplinary records etc. on servers connected to the internet. And I thought employee data, or for that matter any information which made someone identifiable from the data held was potentially covered by GDPR? Even if it were not, and it seems something of a grey area as to how consent works between an employer and employee, you still have cases like the Morrisons data breach for which we still await the outcome.

All the best, Si


simoan 10th Jul 7 of 25

In reply to post #491271

As I've declared, I've chosen two firms that have slipped up recently but now appear to be getting their act together, namely ECSC and NCC. This is on the basis that getting them relatively cheap and growing market demand will allow them to get their act together without having to face ferocious competition.

Well, I wish you good luck, but I think the threats of liabilities to these companies are at least as great as the new business opportunities. Imagine one of them had been paid by BA to look after the security of their IT systems? What action would BA be taking now? These companies are the ultimate holders of the can, and in fact, they will end up holding multiple cans as each contract would be a potential liability. Given their software would be common across multiple customers there is also a concentration of risk.  

There is no such thing as perfect security so the idea that the software of these companies is any more secure, or designed in a more stringent way than most bespoke IT systems which are nearly all based on weak operating systems that need regular security patches, makes them vulnerable.

Add to this the general lumpy, contract-based nature of their revenues and I don't find them particularly attractive prospects. If you want to invest in this area, you should stick to the "picks and shovels" type companies. I used to hold NCC (LON:NCC) when it was a nice steady non-acquisitive escrow provider. What a lovely little business that was.

All the best, Si

Maddox 10th Jul 8 of 25

In reply to post #491306

Hi Si,

You are correct: personal contact details of business contacts and personnel records are all personal data under GDPR. Whether a breach of this category of data will attract the same level of fines remains to be seen. GDPR also identifies a category of even more 'sensitive data', which would include for example patient records, that requires a higher level of security - so presumably it will attract the maximum level of fines if disclosed through negligence or poor security controls.

So essentially you are right in identifying the market as being broad.

Regards Maddox

timarr 10th Jul 9 of 25

In reply to post #491306

Hi Si

And I thought employee data, or for that matter any information which made someone identifiable from the data held was potentially covered by GDPR?

Yep, you're right. Although protecting employee data ought to be a basic security requirement on any company, you'd have thought. The Morrisons case is really about whether the company can be held vicariously liable even though they didn't do anything wrong - although I still don't understand how the employee, when given an "encrypted list of employees on a USB stick" was able to decrypt it. 

But Maddox is right, this really ought to be boom time for cybersecurity companies. Has anyone looked at what's on offer outside the UK?

timarr

Maddox 10th Jul 10 of 25

....a further thought. We've only seen half the picture - where the fines have been exemplary to encourage better security of data. We are yet to see what level of fine the ICO will levy on a company that has done everything they can to secure their data - and yet still suffers a breach. Will they recognise the investment in technology, processes and expertise and discount the fine to reflect it?
Regards, Maddox

timarr 10th Jul 11 of 25

In reply to post #491361

We are yet to see what level of fine the ICO will levy on a company that has done everything they can to secure their data - and yet still suffers a breach.

Mitigation should be given for proper preparation, prompt notification, good cooperation, rapid development and implementation of remedial measures and a managed support plan for impacted customers. 

Nothing in GDPR assumes that breaches can be 100% prevented but from what we've seen it's the open window syndrome - attackers will randomly try every company until they find one that's weak. Targeted breaches are rarer, although obviously the bigger you are the more tempting the target.

timarr

JohnEustace 10th Jul 12 of 25

One business response is to move everything to the cloud and outsource the whole headache including cybersecurity services. That reduces the potential customer base for the likes of NCC.

Maddox 10th Jul 13 of 25

Hi John,
If only it were so simple! Putting your data or IT operations in the Cloud does not absolve you of liability for your data - it offers some positive features but presents you with a different set of challenges. If you are reliant on third-party providers to secure your data you need to be assured that they are doing it well. Also, I wouldn't expect the Cloud option to be cheaper either. If anything it's another opportunity for cyber-security firms to offer advice and services.
Regards Maddox

Firtashia 10th Jul 14 of 25

Appreciate the article Maddox, many thanks. Would welcome people's opinions on a company in this sector which I currently hold, GRC International (LON:GRC). This is a company that has the highly successful Andrew Brode on its board, and has entered into a partnership agreement with Nigel Wray's Saracens, granting it the option to buy shares at ca. 90p should the share price reach at least £5 in the next 4 years. Pie in the sky or an achievable stretch target? A paragraph from its recent (April) trading statement appears to have proved prescient: "... we continue to expect to see some significant fines by the Information Commissioner's Office for breaches of the regulations and renewed efforts by companies to become compliant". Stockopedia has it down as a sucker stock, but I think it unwise to write off messrs Brode and Wray just yet.

Maddox 11th Jul 15 of 25

Hi Firtashia,

Thanks for your post. I've not looked closely at GRC; I've focussed more on the 'picks and shovels' firms providing front-line cyber solutions and technical expertise. GRC, as the name and ticker suggest, is more oriented towards Governance, Risk & Compliance, the oversight and assurance function. This is a second-line function typically reporting to senior management on whether the IT Dept is adequately dealing with the cyber threat. The effect of these huge fines is that Executive Directors and Boards will want to have independent assurance of how well their firm is prepared. So GRC is also in an area that should find a receptive market for its services.

My own pick in the GRC space is Ideagen (LON:IDEA); however, it has not focussed on the cyber space but on what they describe as areas of high consequence risk - such as aircraft safety. I think that cyber security has arguably just become an area of high consequential risk!

Regards Maddox

simoan 12th Jul 16 of 25

In reply to post #491421

One business response is to move everything to the cloud and outsource the whole headache including cybersecurity services. 

Here's a quote from someone that knows about this stuff:

“For those that thought the cloud was a panacea, I would say you haven’t been paying attention,” said Mike Rogers, former director of the U.S. National Security Agency.

This is taken from an interesting (but long) Reuters article called "Dark Clouds" for those who may be interested: https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/

I guess many people think this type of state-sponsored stuff is unimportant but attribution of how data was extracted, and who did it, is extremely difficult. Does that even matter as far as GDPR is concerned? And of course, this is all part of the root cause for the US-China trade war.

All the best, Si


JohnEustace 12th Jul 17 of 25

From a techie point of view I do know it's not as simple as just moving to AWS and then forgetting about it.

But from a business liability and legal point of view for a non-techie CEO it helps to show best practice being adopted and a large proportion of the issues that have to be managed are now being done by AWS and no longer in house. Add on one of the certified AWS cybersecurity solutions, proper log-on verification, and you're clean from a legal liability point of view, no? Provided you follow the instructions. Does NCC still have a relevant offering for companies that do that? I can't really tell for sure from their website.

As for government quotes, if it's good enough for the CIA...

"The cybersecurity features built into cloud computing have allowed the CIA to quickly achieve its technological goals, a top U.S. intelligence official said Tuesday.
Sue Gordon, principal deputy director of national intelligence, said that of all the improvements that the cloud has brought to the intelligence community, the protections built into the technology provide the trust needed to handle some of the most sensitive work done by the U.S. government."
https://www.cyberscoop.com/sue-gordon-odni-cybersecurity-cloud-computing-amazon-web-services/

My only holding in the field is a small stake in Crossword Cybersecurity (LON:CCS). I expect their phones are a bit busier recently.

Edit: And OKTA in the US - they do workforce and supply chain identity. www.okta.com

Steves cups 12th Jul 18 of 25

In reply to post #491361

Just a thought but

How does the ICO go about judging who is at fault when a breach occurs? Do they have their own in-house crew, or do they themselves outsource this kind of expertise to any one of the companies so far mentioned in this thread? If so, do they work for other private companies as well? If so, do they whistle now?
If so should we be investing in them?

So many questions

timarr 12th Jul 19 of 25

In reply to post #492381

Add on one of the certified AWS cybersecurity solutions, proper log-on verification, and you're clean from a legal liability point of view, no? Provided you follow the instructions. Does NCC still have a relevant offering for companies that do that? I can't really tell for sure from their website.

The current interpretation appears to be that if you outsource you are responsible for the outsourcer meeting GDPR on your behalf. In the event that they don't then you are liable so you have a responsibility to regularly audit and monitor the outsourcer.

Basically if company X outsources its data to AWS and AWS is breached company X is probably still liable. Technically you can offset your financial liability contractually but it's hard to imagine that Amazon or any cloud based provider will agree to underwrite the potential liability of all of its clients, which would probably even bring Amazon down.

In the end cloud based providers will probably refuse to accept liability and insist on this being retained by their clients, so the legal interpretation is likely to be moot. The only possible way round this is if insurers figure out how to underwrite the potential costs, but I'd imagine it's pretty hard to model the risk at the moment.

In fact outsourcing could be quite tricky because not only do you have to worry about your supplier being breached but you also have to worry about them doing something silly with the data like transferring it out of the EU without consent. A data breach carries a maximum fine of 2% of global annual revenue, but breaking consent attracts a higher maximum of 4%.

Broadly, the EU would prefer that companies only store the absolute minimum personal data needed to do business. Given the potential costs you'd imagine a lot of them will be reviewing what they hold quite carefully.

timarr

timarr 13th Jul 20 of 25

Interesting article in the FT today, apparently the ICO has another 12 major cases under investigation. Presumably Dixons Carphone (LON:DC.) will be one of them, which could be up to £200 million. But there are plenty of others to choose from - Mumsnet, Ticketmaster, Facebook, Google, etc, etc.

From the article the ICO says that "the seriousness of the incidents, including the number of people affected, the degree to which there were failings by the company and the measures they took to co-operate with the ICO and mitigate the harm to impacted individuals" were all factors in determining the size of the fine. In particular they note that companies can have good defences in place and still get breached, and that will be taken into consideration during the investigations.

The rest of the article is about the surge in interest seen by cybersecurity firms. It's all a bit depressing really; you'd hope that it wouldn't take the realisation that the ICO carries a big stick and is prepared to use it to make companies start treating our data security seriously.

timarr

jonesj 13th Jul 21 of 25

How does everyone deal with the "circle of competence" issue here? For those who understand cyber security, great.

Right now, I can't tell the difference between a great cyber security product and a cyber security company selling hot air.
So the first question I'm pondering is how much effort is needed to extend that circle of competence & is this sector the next priority for that.

timarr 14th Jul 22 of 25

In reply to post #492576

Right now, I can't tell the difference between a great cyber security product and a cyber security company selling hot air. 

I doubt most other investors can either, but it won't stop them investing in the theme. There's a very good chance this sector will get a lot of attention over the next few months, so the cynical approach is to adopt Keynes' beauty parade technique: invest in a spectrum of companies, let the euphoria take them up and sell while everyone else is getting really greedy.

Alternatively there's L&G ISE CYBER SECURITY GO UCITS ETF (LON:ISPY) which would give you exposure to the sector without doing a ton of probably wasted research. There are a few US based ETFs as well - $HACK or $CIBR seem to be the favoured ones.

timarr

Graham Ford 14th Jul 23 of 25

Trouble is there has been no shortage of cyber security scares in the past and it hasn't caused this sector to become an easy sector for companies to make money. The Wannacry ransomware debacle that crippled parts of the NHS for a while was also a big wake-up call for those that didn't take this seriously. And yet it would seem that Falanx (LON:FLX) are not making much headway and have been a poor investment. Sophos (LON:SOPH) has done better but is a rollercoaster. Darktrace on the other hand is hugely successful but privately owned. Then of course there's the cyber division of BAE Systems (LON:BA.), which may become more successful in the commercial sector, but any outperformance of this division will get dwarfed by the other much bigger divisions. Perhaps Tern (LON:TERN) should get a mention as owning a large chunk of Device Authority. But however good Device Authority may be, the Tern share price has deflated after a period of exuberance last year.

So, it's very hard in my view as a sector for the private investor. Do you try and pick one or two companies to invest in, not really having any way to evaluate their products? Or do you try and sweep up a whole basket of shares in different cyber companies, but still potentially miss out on the top performers as they are privately held or perhaps just a division within a much larger company? Maybe the ETF can do the job, but I would think that this sector may be difficult to get balanced exposure to via an ETF owing to the characteristics mentioned.

Maddox 14th Jul 24 of 25

In reply to post #492426

Hi Steve,

If you are breached, firstly you now have no choice but to report it. Under GDPR it's within 72 hours, but if you are a payments provider it's only 4 hours under Payment Services Directive 2. You'll then probably need to employ a cyber security firm to assist with a forensic investigation and with recovering and securing your systems. The firm employed will prepare a report that the regulator will take into account in assessing a fine. This is also not going to be a cheap exercise.

timarr 15th Jul 25 of 25

Digging around into outstanding investigations, a lot of them are coming out of Ireland, which is the lead regulator for Facebook, Google, Twitter, LinkedIn, etc (all of whom are under investigation). However, there's also a complaint into adtech companies:

Privacy International filed a breach of privacy complaint with the European data protection authorities, calling to their attention the practices of 7 major companies (Quantcast, Acxiom, Oracle, Criteo, Tapad, Equifax, Experian) that work together in the online advertising sector in order to build intricate profiles of users.

https://www.cpomagazine.com/data-privacy/adtech-giant-quantcast-facing-gdpr-investigation-into-breach-of-privacy/

The UK has a separate investigation into adtech companies underway. Poland has already levied a €220,000 fine on Bisnode for unauthorised screenscraping. I'd say that's an entire industry to be wary of. The Bisnode breach is interesting - it's not so much the fine as the fact they were required to contact the impacted individuals. Rather than spending €6 million they opted to delete the data. They're appealing the decision, though, but if upheld it'll have radical implications for e-marketing services:

https://techcrunch.com/2019/03/30/covert-data-scraping-on-watch-as-eu-dpa-lays-down-radical-gdpr-red-line/

We also know that Sweden is investigating Klarna and Spotify, Romania has just levied a €130 million fine on Unicredit Bank and the UK is looking at TikTok.

Oh, and individual breaches of data are also punishable by fines - the German regulator fined a policeman for performing an unauthorised number plate search. Fun times, indeed.

timarr
