It was at the World Economic Forum meeting in Davos six years ago that I first became seriously worried about the credit bubble. It was clear back then, in January 2007, that problems were developing in complex credit. But it was also clear that the public and private sectors were in widespread denial.
That partly stemmed from an “agency dilemma”, as economists say: though there was plenty of unease about complex credit, no single company or government official wanted to blow the whistle, in case they suffered stigma or created panic. Thus it was frustratingly hard to pin down tangible names or numbers to articulate my fears; all I heard were whispers in Davos corridors.
This week I have experienced an echo of this pattern at the 2013 WEF meeting. But this time my unease does not revolve around any financial threats, but another issue - cyber security. Most notably, after chatting to corporate executives at Davos this year, it is clear many are suffering a deluge of cyber attacks. Some of these emanate from teenage hackers, or opportunists trying to steal money or secrets; but many seem more malign, security experts say, with the potential to disable corporate systems or critical infrastructure.
However, as in 2007, an “agency dilemma” is at work. In recent months, some companies (such as HSBC, Wells Fargo and Lockheed) have been forced to admit to suffering cyber attacks, after the penetration has become visible. But this is just the tip of a vast iceberg, and the overwhelming majority of companies today are terrified of talking too publicly about the issue, for fear of suffering stigma or sparking panic. That means it is tough for any outsider to get precise information about the overall scale of attacks.
It is even tougher for shareholders to work out the degree to which individual companies are being targeted. Indeed, such is the reluctance to speak in public that while this year’s Davos meeting has conducted panel debates on the issue, there were almost no CEO participants; and it is hard to find an annual corporate report that delves into this issue in detail.
Nevertheless, the whispers in Davos are sobering. The head of one giant consultancy group, for example, says some global clients are experiencing about “15,000 attacks a day”. The chief executive of a large global bank says his institution is experiencing “10 times that” level of attack. Utilities are suffering on a similar scale. Even hospitals are being attacked. “We found out a couple of weeks ago that we have been penetrated 180 times recently - it was a complete surprise,” the head of one big American hospital group told me. Or as a top executive of a US tech group observes: “The attacks are increasing exponentially. The question is not if, but when, something really bad occurs.”
Is there any solution? In some countries, such as Australia, the government has become so worried about this “agency dilemma” that it has stepped in to force collective corporate action: Australian companies are being required to invest resources in cyber defences and share data about such attacks. Britain is moving in the same direction.
However, replicating that in the US is harder because there is more controversy about the state taking a leadership role. In recent months, Leon Panetta, the former defence secretary, has tried to force action: a couple of months ago he declared that a cyber attack could be worse than 9/11 and warned that “although awareness is growing, the reality is that too few companies have invested in even basic cybersecurity”. However, many American CEOs dislike the idea of taking orders from the defence departments. Some insist they have already invested heavily in their cyber defences, and do not need government hectoring. “Yes, we are experiencing huge volumes of attacks, but the point is we have fended them off,” says one American bank CEO.
Perhaps so. But the crucial point is this: even if some companies are on top of the issue, others are not, and without more public debate, it will be tough to get boards to act. Without more disclosure it will also be difficult for investors to start pricing in these risks. So it is high time shareholders began demanding more information from companies about the issue - not just about the scale of the cyber attacks, but also the moves being taken to fend them off.
And if companies refuse to answer, then shareholders - or the government - should ask them why. After all, if there is one thing we learnt from 2007, it is that maintaining an embarrassed silence about risks does not usually make them go away; least of all when there is potential damage to consumers (and investors) as well as the companies under attack.