Remember 10 years ago, when a bunch of conspiracy theorists claimed that Lady Diana died in a car crash because her speeding Mercedes had been remotely accelerated by fiddling with the car’s electronics? It sounded as outlandish as saying that extra-terrestrials had landed on the Place de la Concorde.

Only three years later we learned that the US and Israel had dispatched the Stuxnet malware into Iran, enabling them to take over the control systems of 1,000 uranium-enrichment centrifuges in the Natanz plant and to destroy them all from afar. The centrifuges were accelerated to such speed that they started to disintegrate.

I do not wish to back conspiracy weirdoes. I wanted to point out that our long-held assumption that cyberspace and the ‘real’ world are separate cannot be maintained any longer. Virtual reality can do real damage – to stuff, to people, to companies and to whole countries. And increasingly so, when our cars, our fridges, our bank accounts, our phones and our health services are all connected in cyberspace. It can be terribly damaging to our investment portfolio too.

We still think in physical dimensions, even when it comes to cybercrime. We think of credit card fraud, data theft, privacy intrusion, financial theft, copyright infringement, extortion, or of the vast possibilities of a black market protected by the anonymity of crypto currencies.

Admittedly, we and our police forces have a real problem: in many countries, cybercrime now exceeds all other offences combined. It is estimated that in advanced economies – those which are best connected – one in 10 will fall victim to criminals with the mouse in hand instead of a gun. Juniper Research estimates that by 2019 the damage of internet criminality will exceed two trillion US dollars.

This is terrible, but obvious. What we do not consider thoroughly enough are the tail risks cyber attacks present to corporations. We do not think enough about the possible damage to our shares and bonds.

Yet, we ignore cyber damage to our investments at our own peril. In May this year strange things happened. German Railways, a paragon of efficiency and punctuality and the envy of tortured commuters all over the world, all of a sudden stopped functioning. Trains didn’t leave, or they never arrived, and nobody could tell when they would ever move again. In the UK, hospitals refused to treat patients, re-routed ambulances to nowhere and were struck by complete amnesia about who their patients were and what ailments they wished to be treated for. Banks and telecommunication companies in many European countries discontinued their services.

WannaCry, a malign ransomware, had frozen 200,000 computers in 150 countries, causing damage exceeding €4 billion. For a couple of days chaos reigned supreme until a 22-year-old hacker found the hidden switch to turn the nightmare off.

A criminal, and ultimately failed, attempt to extort money had spun out of control. The gangsters, assumed by many to be North Koreans, had failed to establish workable cyber accounts and to assign eventual payments to their respective ‘customers’.

Only six weeks later, on June 27, a Ukrainian accounting firm transmitted the Russian-born ‘notPetya’ virus to the Kiev offices of a US law firm, which subsequently infected countless industries all over the world, from chocolate factories to condom producers. In contrast to WannaCry, this cyber weapon had no criminal purpose. It was a military attack with unexpectedly wide-ranging collateral damage. What was planned by Russian actors to wield destructive force in the Ukraine alone had infected corporations all over the world, including Russian banks and oil companies.

Ironically, both viruses were based on malware from the American NSA: their cyber weapons Eternal Blue and Double Pulsar had been nicked only two months earlier from their armoury by the Shadow Brokers, hackers who resold them in cyberspace. It was as if evildoers had auctioned off a dozen Apache attack helicopters.

When some of the industries affected by notPetya issued their earnings reports this fall, many had not fully recovered yet. Courier FedEx admitted a loss of $300 million, the same loss as the world’s biggest freight forwarder Moeller Maersk had accounted for: everything from navigation to port operations had to be done manually and many customer files were lost completely. The reputational damage for the lawyers DLA Piper cannot even be fathomed.

If we think about the dense connectedness of our lives, ranging from utilities to banks, from cars to planes to hospitals, from air traffic control to atom power plants, such attacks will become increasingly destructive. With geopolitical tensions rising they will also become more numerous. It is, therefore, immensely important for retail investors like us as well as for professional fund managers and investment analysts to know how well prepared the companies in which we invest our money really are when the next attack happens.

Have they segmented their internal networks, or are all on one string? How often and how securely do they store their data on insulated systems? How well do they cooperate with national cyber crime institutions? Do they have a 24-hour cyber security team on permanent alert, like fire fighters in a refinery, for instance? (WannaCry could have been stopped with an immediate computer shutdown. But who knew?) Do they have a regular IT security audit by a reputable company like Kaspersky Labs? Do they have sufficient insurance cover for cyber damage? Is spare capacity in place to guarantee continuity? Can things switch to manual in an instant? Are old fax machines and telexes still operable, as they have proven to be attack-proof at Maersk? Do people still know how to use pen and paper?

The answers to such questions should be given to all investors by including them in annual financial statements. For instance, in the form of a clean bill of health by a leading cyber security company or by respective national cyber security agencies. Only then will we know if our money invested is reasonably safe. WannaCry we don’t.

Andreas Weitzer is an independent journalist based in Malta. He reports on the economy, politics and finance. The purpose of his column is to broaden readers’ general financial knowledge. It should not be interpreted as presenting investment advice or advice on the buying and selling of financial products.

Please send in any suggestions for discussion in this column to: editor@timesofmalta.com – Subject: Sunday Times Personal Finance.
