Blog

Unlock the Editor’s Digest for free

Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.

Questions over the colossal investment by US tech companies in artificial intelligence, now running at $400bn a year, continue to come thick and fast.

Will it, sceptics ask, ever be recouped, let alone generate the magical returns AI zealots expect? Leaders of the financial world from Kristalina Georgieva, IMF managing director, to Jamie Dimon of JPMorgan Chase have warned of an abrupt market correction. Could this be one of history’s more extreme cases of irrational exuberance?

That phrase, you may recall, was coined by Fed chair Alan Greenspan at the start of the dotcom bubble. He later backtracked, declaring that bubbles could only be detected after the event. The revisionist Greenspan view overlooked that in any bubble there are always shrewd people who see what is coming. For example, on the eve of the 1929 Wall Street crash statistician Roger Babson warned that a “terrific” crash was imminent. More recently Jeremy Grantham, co-founder of US fund manager GMO, famously predicted the bursting of the great Japanese bubble, the dotcom bust and the 2007-08 financial crisis. In the UK fund manager and philanthropist Jonathan Ruffer earned strong returns for his clients around the dotcom blow-up, the great financial crisis and the Covid market plunge. Yet such contrarian voices are always drowned out by those who claim that “this time is different”.

Whether today’s stock market valuations are irrational is a matter of judgment. But whether investors are behaving irrationally is a different issue. Clearly in all market manias going back to the South Sea Bubble, punters have been intoxicated by stories of untold riches and driven by the fear of missing out (Fomo). Fomo falls short of exuberance but is not exactly irrational. More importantly, in the 21st century when professional investors dominate markets, a paradoxical and perverse rationality is at work among them.

This arises because large amounts of money are delegated by asset owners such as pension funds to asset managers. The job of active managers has traditionally been to maximise returns by assessing fundamental values arising from long-term corporate cash flows. Yet there is a principal-agent problem here. To monitor the managers, asset owners usually benchmark them against an index.

So where managers have a below-index weight in stocks that are rising strongly this puts pressure on them to adopt momentum, or trend following, strategies to improve short-term performance. They thus become late-stage buyers of rising stocks and sellers of falling stocks at the cost of longer-term underperformance. This helps reduce the risk of their being fired, or at least of being fired sooner rather than later.

Research by Paul Woolley and Dimitri Vayanos of the London School of Economics suggests that such momentum trading helps explain the poor performance of active managers and is conducive to a persistent bias to overvaluation. Passive investing, now all-pervasive, is momentum writ large. As well as amplifying mispricing it reduces the liquidity of individual stocks and increases their volatility. Misallocation of capital results, especially where companies use overpriced equity to make acquisitions that encourage industrial and portfolio concentration.

AI brings a further twist to these market dynamics. The Bank of England worries that the use of advanced AI-based trading strategies could lead to firms taking increasingly correlated positions, thereby amplifying shocks. Yet the technology could also hold a key to addressing the resulting instabilities.

Woolley and Vayanos have teamed up with AI experts at Oxford university under Sir Nigel Shadbolt to develop new forms of portfolio analysis designed to disaggregate momentum from fundamental values. This has involved running synthetic portfolios using real price data for periods of up to 30 years.

Initial results reveal managers’ skill (or lack of skill) in establishing fundamental value as opposed to their luck in using momentum. In effect, the methodology unpicks the principal-agent conflict. And because this AI diagnostic process provides aggregate data showing how far the market is dominated by momentum, it should help identify bubbles.

The potential here for a big leap in the quality of performance attribution could clearly be valuable for asset owners. But it can never eliminate bubbles. The innate tendency of investors towards exuberance and the corporate compulsion towards leverage will together periodically defy the wisdom of the ages. The snag for shrewd naysayers in any bubble is that the timing of the burst is next to unforecastable.

john.plender@ft.com

BBC

Cyberattacks feel pretty inescapable at the moment. They’ve always been there but in recent months there have been countless high profile attacks which have potentially huge consequences, including: 

• Kering (parent company of Gucci, Balenciaga, and Alexander McQueen): ‘Data linked to 7.4 million unique email addresses’ was reportedly stolen. The company confirmed the stolen data did not include any financial information (e.g. card details). However, the data did include ‘total sales’ showing how much people had spent with each brand or in stores, significantly increasing the risk of more sophisticated social engineering attacks.
• The Co-op: The malicious attack back in April (although the actors responsible suggest they were in the systems ‘long before’ being discovered), where 6.5 million customers’ data was stolen, led to empty shelves and problems with digital payments, ultimately costing the business £206 million in lost sales.  
• Jaguar Land Rover: After a cyberattack forced them to suspend production for over a month, at a reported cost of at least £50 million a week, the UK Government has underwritten a £1.5 billion loan guarantee intending to protect not only JLR employees but also their supply chain (some of which supply parts exclusively to JLR).
• Discord: Discord’s third party supplier, which helps verify users’ age, was subject to a cyberattack with bad actors obtaining approximately 70,000 users’ official ID photos (among other information). This is a timely reminder that your security is only one part of the puzzle and attention must also be given to the security of your supply chain. This attack may raise particular concerns given the number of platforms which are now processing this type of data (to bad actors an incredibly valuable commodity) for the first time to comply with requirements of the Online Safety Act. 

However, smaller businesses or even those not ‘in the spotlight’ can’t rest easy in the hope hackers won’t care about them. In fact, they may even be low hanging fruit. For example: 

• A ransomware group gained entry to KNP’s (a 158 year old transport company) systems by simply guessing a single employee’s password. Once in the system they encrypted the company’s data and locked its systems. The company couldn’t afford the ransom (estimated to be as much as £5 million) to get the data back and ultimately entered administration.  
• Threat actors also recently obtained the data of approximately 8,000 nursery children as well as their families and employees of the Kido nursery chain by ‘buying access’ to a staff computer. The hackers initially started posting profiles of children (including pictures, dates of birth, birth place, safeguarding notes, who they live with, and contact details), with threats to release more data. Unsurprisingly, this attack received a lot of negative publicity. The actors subsequently blurred images of each child, as “leadership isn’t happy with the attention that posting full images does” (as confirmed by the hackers to a BBC correspondent) but the threats to continue releasing data remained. Those behind the attack were contacting parents via email and even making ‘threatening’ phone calls saying to one parent “they would post her child’s information online unless she put pressure on Kido to pay a ransom“. The actors have since removed the posts and claim to have deleted the information. There is, however, no way to know for sure this has occurred. Previous instances have seen similar claims where ‘deleted data’ is found to have been retained or even sold. This is another reason why paying a ransom is no guarantee – for example, when the National Crime Agency ‘took down’ a gang of cyber criminals they found lots of data ransomware victims had paid to be deleted. In any event, like any information online, the data posted is now ‘out there’ and anyone may have taken copies. Nevertheless, two 17-year-old boys have now been arrested in connection with the ongoing investigation. 

It’s clear that ‘no one is safe’ and those behind these attacks show no signs of slowing down. A representative from the National Crime Agency suggests she has seen incidents double in the last two years to around 35 – 40 per week. Recent research based on a survey of over 200 cybersecurity professionals in the UK whose companies were subject to a ransomware attack between January – March 2025 also shows that the median demand is over £4 million, which could be devastating for small businesses. 

ICO’s Top Tips 

It’s, therefore, unsurprising that the ICO have issued a list of practical steps small businesses should take: 

1. Back up your data 

Data should be regularly backed up, but you also need to check it has worked/is working as intended. Equally, you’ll need to make sure the back up isn’t connected to the live data source to ensure that, if there is malicious activity, it won’t reach the back up.  

If you use an external storage device, don’t forget to (a) keep it somewhere other than your main workplace; (b) encrypt it; and (c) lock it away, if possible. 

2. Use strong passwords and MFA 

If your password is ‘password’, ‘Password1’, ‘Password123’, etc. (you get the jist), it’s probably time to update it!  Always consider strong and unique passwords which would be difficult to guess (e.g. the National Cyber Security Centre recommend picking three random words for passwords). 

Where you have the option, always consider enabling multifactor authentication (MFA). Although it may be inconvenient waiting for your code to be text/emailed, this second layer of security is always a useful measure to implement. 

3. Be aware of your surroundings

One to remember next time you want to do some work on your morning commute. It’s important to exercise caution when working out and about. Whether you’re on the phone or using a screen when people are around, sending a few extra emails is probably not worth the headache of potentially needing to deal with a security incident. 

4. Be wary of suspicious emails

It’s always important to ensure you are cautious of suspicious emails. Sometimes it may just be an odd new request, but things like bad grammar, a need to act urgently, and requests for payment are typical signs something may not be real. It’s also worth checking email addresses carefully, e.g. a capital ‘i’ (I) looks near identical to a lower case L (l).  

However, things like generative AI and spoofing technologies are enabling threat actors to become more sophisticated. A phishing email may not be as implausible as it once was or written with poor English. Equally, it could appear to come from the sender you know (see, for example, where deepfakes were used to convince someone to transfer $25 million on what they believed were the instructions of the CFO).   

5. Install anti-virus and malware protection (and keep it up to date)

Whether in an office or working from home/away, you need to ensure your devices are secure. Anti-virus software is a useful tool to protect against malware which may be sent via phishing attacks. 

6. Protect your device while it’s unattended

Whenever you are temporarily away from your desk, at least lock your screen. If you’re going to be away for longer, make sure your screens are in a secure place. An unlocked and unattended laptop in a cafe is a threat actor’s dream.  

7. Make sure your Wi-Fi is secure

Even if you’re conscious of your surroundings and locked your screen as recommended while in a cafe, if you’re using the public Wi-Fi or an insecure connection you could still be risking personal data. 

Always make sure you are using a secure connection when connecting to the internet, and if you use the cafe’s public network, it’s worth also using a secure virtual private network. 

8. Limit access to those who need it

Not everyone in the business will need access to everything, so there should be access controls to ensure people can only see the data they need to. This also needs to be kept in mind where people leave the business or if they’re absent for a long period, as you’ll need to suspend their ability to access the systems. 

9. Take care when sharing

Showing someone the wrong thing is hardly new, but it still happens. A lot. For example, you may be sharing your screen in a meeting and have tabs or documents which are confidential or include personal data open which can easily be accidentally shown. Equally, make sure notifications are turned off if you’re sharing a screen to avoid someone else sending something to you being seen by others. 

If you’re emailing lots of people which could reveal sensitive information about recipients, consider alternatives to BCC’ing them, such as bulk email or mail merge services. It’s not uncommon for people to CC rather than BCC people, but in certain contexts this could reveal sensitive, if not special category, personal data (see for example, the charity which was fined by the ICO in 2020 when they CC’d 105 members of an HIV advisory board on an email which meant people could be identified). The ICO do also have guidance on sending bulk communications via email. 

10. Don’t keep data for longer than you need it 

Not only does this limit the amount of personal information which is at risk if you are subject to an attack or there is a breach, but it will also free up storage space and is likely cheaper! 

11. Dispose of old IT equipment and records safely 

When someone leaves the business, or they get new equipment, make sure there is no personal data on the devices (whether they are laptops, smartphones, or any device) before they are thrown away. For peace of mind, you may want to consider using deletion software or engaging a specialist to wipe any data. 

Is cybersecurity a priority for your business? 

The ICO is clear that “[m]ost small businesses hold personal information and conduct business digitally, so cyber security must be a priority“. Ian Hulme (Executive Director for Regulatory Supervision at the ICO) also added that “[w]hile cyber attacks can be very sophisticated, we find that many organisations are still neglecting the very foundations of cyber security“. 

Of course, all types of organisations need to ensure their systems are resilient against complex attacks, and they are able to meet their security obligations under data protection law. However, it’s important to get the basics right too (we need to walk before we can run!). 

Equally, no system is infallible and it’s not uncommon, for example, for cyber criminals to simply buy their way in by ‘paying off’ an employee. Things do go wrong, even for small businesses, so it’s important to think about what you will do when things go wrong, before they do. It may also be worthwhile considering obtaining insurance to cover the costs of a cyberattack (although you’ll still need to have a good standard of security in place to ensure you don’t void any such insurance). 

If you’d like to discuss your security obligations or how best to mitigate the chance of and prepare for a cyberattack, or would like training for your organisation, please do reach out to your usual Lewis Silkin contact.