However, every owner of stocks, bonds and ETFs has the right to lend these - meaning that in this unrealised market there are around $40tn of assets collecting dust. Below, Boaz Yaari, CEO and Founder of Sharegain, explains everything you need to know about securities lending.

In short, securities lending is due a revamp so that it can be fit for purpose in a post economic crash, 21st-century financial world. This would result in a more efficient and regulation compliant process for large banks and assets managers; huge cash potential for private investors and wealth managers; and greater liquidity and long-term trust in capital markets.

Securities lending is a long-established practice in capital markets that has until now been largely confined to big financial institutions, even though every owner of stocks, bonds and ETFs has the right to lend them. As a consequence, most asset owners know little about this lucrative practice, which has become a global industry with a massive $2tn of assets on loan on a daily basis. Here are some of the intricacies that make this such an exciting space:

Securities lending is a long-established practice in capital markets that has until now been largely confined to big financial institutions, even though every owner of stocks, bonds and ETFs has the right to lend them.

1. Securities lending has been going on for over 40 years. The first formal equity lending transactions took place in the City of London in the early 1960s but it really took off as an industry in the early 1980s. The practice has evolved from a back office operation to a common investment practice that enhances returns for big financial institutions.
2. Securities lending plays an important economic function in capital markets. It brings greater liquidity and efficiency to the market, ensures the settlement of certain trades, promotes price discovery and facilitates market making. It also plays a critical role in derivatives trading, certain hedging activities and other trading strategies that involve short selling.
3. Securities lending is a great source of alpha, and a way to earn from the hidden value of your portfolio. Earnings from lending are dependent on the level of availability of your stocks. The more widely available stocks, known as ‘general collateral’, generally produce lower returns, of up to 0.5% (50 bps). Hot stocks, known as ‘specials’, can command much higher returns varying from 1.0% (100 bps) to over 100% (10,000 bps) annually in more extreme cases.
4. Sometimes short-sellers are right! For example, they spotted that there was trouble with construction company Carillion long before anyone else. A year prior to its collapse, Carillion was the FTSE 250 most shorted stock, which should have sounded alarm bells. However, at other times they are wrong. They can misunderstand the present or future business of a company, as we saw with online supermarket Ocado and a share surge in early 2018 which wiped out $382m for short sellers. At the end of the day it’s not the short sellers who dictate the long-term direction of the stock but the performance of the business itself.
5. Did you know that fund managers, active or passive, engage in securities lending to help boost a fund's performance or offset its costs? This has helped keep index fund charges down, which is hugely important in an age where the hunt for alpha has taken more importance - and where fees are under the microscope.
6. In general, securities lending has negative beta to market conditions, with all things being equal. When stocks rise in a bull market, demand to borrow securities wains and lending rates are lower, but you do enjoy the appreciation of your assets. On the other hand, in a bear market (when stocks depreciate), demand to borrow stocks increases and so do lending rates. This way you benefit from a new stream of income to mitigate the volatile times.
7. Demand for borrowing ETFs is growing exponentially, with the huge swing towards passive investing over the past decade or so, and currently there are over a 100 ETFs returning more than 2.0% (200 bps) to lenders.

Where do cyber threats begin? What is the root of the issue and how can we eradicate the source of any risk? What does this look like when you’re a maturing startup compared to a global corporation? Thomas Parsons, Sr. Director of product management at Tenable Network Security here takes to Finance Monthly back to the basics and gives his thoughts on the current global cyber situation.

Ransomware had previously been considered just another piece of nuisance malware that largely targeted unsuspecting consumers. However, the recent uptick of new variations, and their drastic impact in restricting access to enterprise systems and data, has catapulted this threat firmly into the spotlight. Events in the last few months have established ransomware as one of the most impactful and persistent global cyber threats.

Ransomware on the global stage

Increasingly in recent years, we’ve seen a shift from hackers using ransomware to target individual users to much larger attacks on enterprises. Top of mind is WannaCry, which wormed its way into networks around the world and encrypted data, closely followed by ‘Petya’ and also ‘NotPetya.’

Ransomware operates by compromising a system, infecting it with malware and encrypting data using a private key, preventing users from accessing the system. Hackers then send a message demanding payment to provide the key and restore the user’s data. Weaponising ransomware with worm capabilities, i.e. EternalBlue, has given hackers the opportunity to maximize the damage as the malware spreads from system to system. When ransomware latches onto systems that contain valuable company data, the systems become inaccessible, effectively bringing business to a halt.

For any organisation, the breach of personal data can not only impact the bottom line, but it can also cause irreversible reputational damage.

To pay or not to pay

WannaCry and Petya/NotPetya represent the new normal of today’s sophisticated threat environment. And with ransomware now impacting the global community, organisations must grapple with whether to pay the ransom.

Unfortunately, there is no guarantee that an organisation, which has its data held hostage by cyber criminals, will get a decryption key by paying the ransom – after all you’re dealing with criminals.

Paying the ransom also further funds the criminals’ antics, validating the business model and encouraging repeat infections – a practice that doesn’t benefit anyone in the long run, except perhaps the criminals.

However, the debate as to whether to pay cyber ransom shouldn’t be the focus, given that these attacks can be preventable.

Rather than a sophisticated attack or zero-day exploit, ransomware often takes advantage of well-known software vulnerabilities that organisations have failed to patch or update. The truth is attackers would much rather gain entry to the network by exploiting a known, but unpatched vulnerability, or a phishing email, because these techniques have a much higher return on investment.

But patching isn’t always that simple. Security teams can't control everything, and while it has become increasingly easy to deploy changes into environments, there are some mission-critical systems that can’t be updated with a click of a mouse or a simple script. For those systems that can’t be taken offline without disrupting business operations, security teams must implement compensating controls and make proper, risk-based decisions to mitigate the threat.

Cyber 101: Back to the basics

If we’re to leave ransomware in the past, organisations must get back to the basics, focusing on the foundations of strong cybersecurity.

To start, organisations need to implement security controls that prevent untrusted or unknown applications from being installed, while not impeding end-user productivity. This means security teams should use application whitelisting, blacklisting, dynamic listing, real-time privilege elevation and application reputation.

Organisations should also consider adopting the principle of least privilege, which gives privilege to users according to job necessities. In the event of an accidental link click or attachment opening that attempts to execute an application requiring elevated privileges (such as encrypting a hard drive, network share or folder), the user privileges would not allow those actions to be performed, stopping the attack immediately.

Even more important is end-user security training and awareness, backed by a solid understanding of attack methods used to gain information from users. Educating users on how to spot a phishing email and the dangers of sharing personal information and installing software from unknown sources can benefit them both at work and home.

In the modern computing environment, which now spans cloud, on-premises, IoT and operational technology, continuous visibility into the vulnerability status of every asset is critical to understanding the business impact of ransomware attacks and to fundamentally improve how organisations think about cybersecurity.

Here is a simple mantra to help focus the mind - If you can’t patch it, then you must protect it. And if you can’t do either, then you should prepare for the consequences.