Comment by Riazul Islam and Ingo Walter
In the governments’ harried efforts to deal with the social and economic consequences of Covid-19, close to $5 trillion is likely to be paid out in history’s largest unemployment compensation program combined with “stimulus” payments to provide income relief and create a fiscal boost to accelerate a recovery. The payouts have put a premium on speed to accelerate pandemic relief and create a meaningful fiscal boost. But crisis, confusion and haste are the mortal enemies of accuracy, transparency and accountability, and open the door to stealing other people’s money.
Even before the Covid-19 crisis, identity fraud drained an estimated $16.9 billion from victims’ accounts last year. Now the financial locusts have found a new opportunity to feast: 150 million recipients of stimulus funds and over 30 million laid-off or furloughed workers filing state unemployment claims. Why the predatory bonanza? Better hacking, plus cursory payment-security protocols in the crisis deluge.
The air supply for systemic financial fraud is identity data stolen in dozens of cyber-attacks on financial and nonfinancial firms, and traded on the “dark web.” In all, billions of accounts have been compromised worldwide. They can be overlapped to reveal just about all the access information needed to steal identities and intercept payments - especially in a crisis setting like this one. The dark pool of data is buffered by thousands of fraudulent website domains, robo-calls and emails to fill in the blanks, extracted especially from the elderly, the poor and the unemployed who can be bamboozled into disclosing personal information in order to access promised benefits. The phishing is good, and the catch far exceeds random spam.
What can be done about this plague? The kind of severe punishment expected in cases of massive systemic crime has been disappointing. Locusts are legion, they are resistant, and they move around. Once the money is stolen, following it is usually a fool’s errand.
But how about cutting off the air supply – getting much more serious about combatting cyber-attacks whose data yield populates the dark web? There have been plenty of cases in recent years, sometimes stealing data on corporate and banking clients in the hundreds of millions. Law enforcement, regulatory bodies and the hacked firms themselves have ramped up their cyber-security, but at a pace and intensity that seems to lag the frequency and severity of the attacks. Some prominent targets seem to consider successful cyber-attacks a cost of doing business, and pass the damage on to customers or shareholders in higher prices and lower returns. Anyway, cyber risks can be insured, and the premiums built into operating expenses.
Even taking into account the need for business confidentiality, corporate attention to cyber-security events often seems weak. Maybe that’s because boards and managements pay attention only to the firm-level costs of the damage and ignore the social costs, as the stolen information hits the dark web to victimize countless others – call it “pollution not worth the cost of cleanup.”
Logically, shareholders should care about the impact of data breaches. Investors should expect to see a reduction in the valuation of a company suffering an announced data breach as consumer and business customers jump to competitors and the company sees operating costs ramp up, suffers potential fines and penalties levied by government agencies, and possibly endures class action lawsuits down the road.
Surprisingly, this doesn’t seem to be the case. A new study analyzing the shareholder impact of 92 large data breaches at publicly-traded companies from 2015 to 2020 finds that these generally result in little or no impact on stock prices. Only companies whose core businesses have both financial and personally identifiable information compromised - such as Equifax, Capital One, ADP, and First American Financial - suffer substantial stock-price reductions. Most other companies escape a strong, negative impact of announced data breaches on their stock prices.
The study suggests that shareholders do not believe there is a material impact on the valuation of a company that suffers a publicly disclosed data breach. This absence of discernible market impact suggests investors do not believe there’s a material change in the company’s future cash flows. Perhaps this is due to cybersecurity insurance cover, but companies are certain to incur adverse revenue and cost impacts. The data show that they are not reflected in stock valuations, possibly because they are thought to be immaterial or because investors have “learned” to ignore them from past incidents.
These results are profoundly discouraging to those who believe in market discipline and rely on it for economic efficiency. It seems to fail here, and sets the stage for substantial damage to society going forward. But control rights in the vast majority of traded shares are vested in institutional fund managers. Maybe they don’t much care either, and prefer to wait and see the direct and indirect fallout before doing any portfolio rebalancing. And maybe there’s little room even for that, given the shift to index funds and ETFs, where portfolio weights are on autopilot. It looks like progress on data breaches and invasions of privacy will have to look beyond the invisible hand of market discipline.