Friday, February 19, 2021

Are Shareholders Indifferent to Data Breaches?


Comment by Riazul Islam and Ingo Walter

In the governments’ harried efforts to deal with the social and economic consequences of Covid-19 close to $5 trillion is likely to be paid-out in history’s largest unemployment compensation program combined with “stimulus” payments to provide income relief and create a fiscal boost to accelerate a recovery. The payouts have put a premium on speed to accelerate pandemic relief and create a meaningful fiscal boost. But crisis, confusion and haste are the mortal enemies of accuracy, transparency and accountability, and open the door to stealing other people’s money.

Even before the Covid-19 crisis, identity fraud drained an estimated $16.9 billion from victims’ accounts last year. Now the financial locusts have found a new opportunity to feast -150 million recipients of stimulus funds and over 30 million laid-off or furloughed workers filing state unemployment claims. Why the predatory bonanza? Better hacking, plus cursory payment-security protocols in the crisis deluge. 

The air supply for systemic financial fraud is identity data stolen in dozens of cyber-attacks on financial and nonfinancial firms, and traded on the “dark web.” In all, billions of accounts have been compromised worldwide. They can be overlapped to reveal just about all the access information needed to steal identities and intercept payments - especially in a crisis setting like this one. The dark pool of data is buffered by thousands of fraudulent website domains, robo-calls and emails to fill in the blanks, extracted especially from the elderly, the poor and the unemployed who can be bamboozled into disclosing personal information in order to access promised benefits. The phishing is good, and the catch far exceeds random spam. 

What can be done about this plague? The kind of severe punishment expected in cases of massive systemic crime has been disappointing. Locusts are legion, they are resistant, and they move around. Once stolen, following the money is usually a fool’s errand. 

But how about cutting off the air supply – getting much more serious about combatting cyber-attacks whose data yield populates the dark web. There have been plenty of cases in recent years, sometimes stealing data on corporate and banking clients in the hundreds of millions. Law enforcement, regulatory bodies and the hacked firms themselves have ramped-up their cyber-security, but at a pace and intensity that seems to lag the frequency and severity of the attacks. Some prominent targets seem to consider successful cyber-attacks a cost of doing business, and pass the damage on to customers or shareholders in higher prices and lower returns. Anyway, cyber risks can be insured, and the premiums built into operating expenses.
 
Even taking into account the need for business confidentiality, corporate attention to cyber-security events often seems weak. Maybe that’s because boards and managements pay attention only to the firm-level costs of the damage and ignore the social costs, as the stolen information hits the dark web to victimize countless others – call it “pollution not worth the cost of cleanup.”

Logically, shareholders should care about the impact of data breaches. Investors should expect to see a reduction in the valuation of company suffering an announced  data breach as consumer and business customers jump to competitors, ramp-up operating costs, suffer potential fines and penalties levied by government agencies, and possibly endure class action lawsuits down the road.

Surprisingly, this doesn’t seem to be the case the case. A new study analyzing the shareholder impact of data breaches across 92 large data breaches at publicly-traded companies from 2015 to 2020 finds that these generally result in little or no impact on stock prices. Only companies whose core businesses have both financial and personally identifiable information compromised - such as Equifax, Capital One, ADP, and First American Financial - suffer substantial stock-price reductions. Most other companies escape a strong, negative impact of announced data breaches on their stock prices.

The study suggests that shareholders do not believe there’s is a material impact on the valuation of a company that suffers a publicly disclosed data breach. This absence of discernible market impact suggests investors do not believe there’s a material change in the company’s future cash flows. Perhaps this is due to cybersecurity insurance cover, but companies are certain to incur adverse revenue and cost impacts. The data show that they are not reflected in stock valuations possibly because they are thought to be immaterial or that investors have “learned” to ignore them from past incidents.

These results are profoundly discouraging to those who believe in market discipline and rely on it for economic efficiency. It seems to fail here, and sets the stage for substantial damage to society going forward. But control rights in the vast majority of traded shares are vested in institutional fund managers. Maybe they don’t much care either, and prefer to wait and see the direct and indirect fallout before doing any portfolio rebalancing. And maybe there’s little room even for that, given the shift to index funds and ETFs, where portfolio weights are on autopilot. It looks like progress on data breaches and invasions of privacy will have to look beyond the invisible hand of market discipline.


Thursday, February 18, 2021

Obituary - Roy C. Smith



Roy C. Smith

My friend, colleague, and co-author of this blog passed away on November 15, 2019 in Naples, FL. Roy was born in Norfolk, VA in 1938. He lived most of his professional life in Montclair, NJ and spent summers in Chatham, MA and winters in Naples, FL.

Roy was a bigger-than-life individual in virtually every way, his career bridging multiple professions. After graduating from the U.S. Naval Academy, he served as an officer in the Atlantic Fleet on the USS Decatur, taking part in the Cuban Quarantine Operation in 1962. He was a graduate of the Harvard Business School (M.B.A. 1966). He served as a long-time investment banker and General Partner at Goldman, Sachs & Co., specializing in international investment banking and corporate finance. At Goldman, Roy established and directed the firm’s business in Japan and the Far East, headed business development activities in Europe and the Middle East, and served as President of Goldman Sachs International Corp. while running the firm’s London office in the early 1980s.

In 1988 he retired from Goldman as a Limited Partner joined what was then known as the Graduate School of Business of New York University. Before long he became the Kenneth Langone Professor of Finance and Entrepreneurship and Professor of International Business. He taught at NYU Stern for 30 years. 

Roy was a dedicated practitioner-scholar – an internationally published author of six books and co-author (with me) of another eight, plus nearly 100 articles on global banking and financial markets, entrepreneurship, corporate governance and business ethics. He became one of the media’s favorite “go-to” people for incisive commentary on financial events of the day.

Roy was a founding member of NYU’s Center for U.S. - Japan Business and Economic Studies, now the Center for Global Economy and Business. Outside NYU Stern, he was a popular lecturer and visiting professor of finance at several universities and institutes in Europe, including INSEAD in Fontainebleau, IESE in Barcelona, Luigi Bocconi University in Milan, NYU Abu Dhabi and, for shorter stints, at Kiel University, Swiss Banking School in Zurich and IMD in Lausanne.

Roy will be missed. His contributions to this blog covered a wide range of subjects, and he was happy to call a spade a spade. He greatly enjoyed some of the controversy he inevitably generated. His productivity in terms of blog contributions spiked during his winter months in Naples where he had a ready audience of accomplished senior residents who, he said, harbored much wisdom - to test his ideas. 

Roy cannot be duplicated as a contributor to this blog. But his spirit will live on as we continue with new contributors, to be announced. Stay tuned….

Ingo Walter