As if we don’t have enough to worry about, every week—sometimes every day—brings a new revelation of some computer security breach. Millions of consumers affected. Millions of records stolen. Millions of dollars in ransom demands. Millions of dollars in regulator fines. Add it all up and you end up with a Whole Lot of Cyber Anxiety. Earlier this month, it was Capital One (NYSE: COF) telling the world that a hacker had stolen personal account information on over 106 million credit card customers. Market reaction was swift, dealing the company’s shares a -5.9% hit the day of the announcement; the shares finished the week down 7.3%. Is this justified? Should the market have been harsher? Less harsh? We’ll touch on this question as we take a look at the broader question: As investors, what do we look for with regard to cybersecurity when analyzing a potential portfolio holding? How do we ensure our investments are prepared and protected against cyberattacks?
Not all cyberattacks are equal. Capital One appears to have gotten off relatively easy, since the hacker limited her breach to the theft of data. There was no effort on her part to sell the data, nor have there been any demands on Capital One for any type of payment or ransom. The financial damage should, therefore, be limited to the inevitable shareholder lawsuits and potential fines from regulators. Reputational damage may take a bit of time to repair, but no long-lasting or catastrophic damage appears to have been dealt the company. While distracting and annoying, it is unlikely that the ultimate cost to COF will amount to anything material. Yet the company lost $3.3B in market value that week. The market’s initial reaction now appears to have been overdone, given the limited nature of the financial impact.
A much more damaging and long-lasting data breach has haunted Equifax (NYSE: EFX) for two years, finally coming to resolution this week. In September 2017, Equifax announced the theft of the most valuable type of personal information available—names, social security numbers, birthdates, address histories—for 147 million consumers. Identity theft for each of those 147 million people instantly became a real and present threat. In contrast to COF’s data loss where the hacker did not attempt to sell the data, EFX’s breach was perpetrated by fraudsters themselves, making the likelihood of further criminal activity using the data much higher. Additionally, EFX stumbled in handling the breach, only slowly making support services available to those affected. After two years of litigation and negotiation with regulators, EFX has agreed to pay $425 million to consumers to compensate for credit monitoring and “identity restoration services.” An additional $275 million will be paid to the federal government. The $700 million total does not include legal expenses, reputational damage or management’s two-year distraction. Six days after the initial breach was announced in September 2017, EFX’s share price had dropped by 34%. It has taken 22 months for EFX’s shares to recover their pre-breach level, but those who bought EFX in the aftermath of that news have been well rewarded.
Outright data theft is hugely problematic for companies and individuals, but ransomware attacks present even stickier situations. In a ransomware attack, a hacker has gained access to an organization’s computer servers and has implanted computer viruses that allow the hacker to encrypt the servers’ data and lock out their legitimate owners. A ransom demand is then made to the organization for the keys to unlock the firm’s servers and data. While most companies state they have a “no ransom” policy, in practice the question becomes a financial one: which is the lowest-cost way to regain operational control? Companies can be in a very tricky Catch-22 situation: paying ransom to overseas hackers can actually be illegal, while the cost of recovery of their own data (without the “keys”) can be many-fold more expensive than the ransom demanded, and can result in periods of lost data. Compromised organizations have extraordinarily difficult choices.
How can investors mitigate the various cyber risks? A competent Information Technology department with a well-thought-out plan of best practices and an ongoing employee training effort is the most effective means of combating cyber threats. Preventative measures are the best insurance and these encompass awareness, training, vigilance, proactive updates and a solid business continuity and disaster recovery plan. Ensuring portfolio holdings adhere to these policies does not make an investor immune to cybersecurity risks. It does, however, give investors comfort in knowing the company has a plan and does not take the risks lightly. Vetting potential investments from the cyber-risk point of view has become much more important. Cyberattacks are likely to remain a common feature of the business environment, but like other risks, the market can overreact. It is important for investors to take the longer view. Additionally, owning companies directly involved in providing cyber protection provides investors a source of upside when something else in the portfolio declines in the wake of a cyberattack. And as cyberattacks increase in frequency, cybersecurity firms will see demand for their products grow.