News & Analysis

In an increasingly interconnected and digitized world fueled by mega trends such as the "Internet of Things," cloud computing, and accelerated digitization during the COVID-19 pandemic, companies across a broad range of subindustries are grappling with heightened exposure to data privacy and security, or DP&S, risk. Digitization has become a double-edged sword for business—it is a key driver of operational efficiencies and growth opportunities, while simultaneously creating more points of entry for bad actors to steal customer data or cause operational disruption through malicious activities.

While the ability to collect and aggregate customer data aids personalized services, customer engagement, marketing, and research and development activities, companies are increasingly exposed to a myriad of risks and greater responsibility to safeguard digital assets. These risks extend beyond data breaches and cybersecurity threats and the associated ramifications, including reputational damage or lost business. They also include regulatory penalties and societal scrutiny of controversial or unlawful use, or disclosure of customers' personal information through practices such as data monetization.

So how can investors understand the extent of a company's exposure to DP&S risk? We see three key drivers of risk exposure at the subindustry level: the processing of customers' personal information, the surface area of attack, and whether the subindustry consists of critical infrastructure. Taken together, these risk drivers demonstrate the varied avenues by which bad actors can exploit companies, threaten data privacy protection, cause operational disruption, and inflict reputational damage. In addition to the subindustry-level risk drivers, we recommend investors consider two key drivers at a company level— involvement in data monetization and the supply chain of service providers.

While a systematic increase in DP&S risk can create upside opportunities for certain companies such as those providing cybersecurity software, we focus primarily on downside risk at a subindustry level. However, we highlight the importance of company-level risk mitigation measures and competitive positioning when assessing valuation impact.