Alongside the more traditional measures such as earnings per share, P/E ratio, dividends, and yield, cybersecurity has recently appeared on many investors’ radar as one of the newest criteria for company valuation. For some institutional fund managers and private investors, understanding a company’s security posture and risk management strategy is an essential element of thorough investment due diligence.
The Impact of a Breach on Company Performance and Valuation
Cybersecurity breaches have commanded headlines for years, but in recent months the breaches and their devastating impacts have become transparent to even the most casual of investors. Some high-visibility breaches of past years, such as Target, ultimately yielded little long-term impact on stock valuation (and arguably even brand), as a result of the negative consequences such as Personally Identifiable Information exposure and financial losses in breach mitigation, legal fees, and increased cybersecurity spend. However, 2017 saw cyber incidents that not only affected millions of Americans, but also caused signification disruption to business operations and a change to the organization’s fundamental business model.
Equifax is just such a case in point. Not only did the Equifax brand suffer irreparable damage and business operation disruption, but the costly incident incited considerable public and governmental scrutiny on how credit data is owned, managed, and protected. The hack inspired the introduction of the recent Data Breach Prevention and Compensation Act, a bill which would, if passed, give the Federal Trade Commission the right to police and fine credit reporting agencies, granting financial compensation to victims of hacks.
“As cybersecurity threats continue to escalate and consumers demand better cybersecurity protections, companies must outlay increasing capital to secure their businesses.”
A 2016 breach on Uber, which wasn’t disclosed until November of 2017 (and reportedly handled by paying off the hacker to delete data) resulted in both brand damage and a decline in consumer confidence. The disclosure was extremely ill-timed for Uber; the company was working to complete a deal with SoftBank Group Corp (SFTBY), wherein the Japanese company would invest capital in exchange stock position. The deal was closed at a significantly less favorable rate than initially proposed; the degree to which the breach played a role was not disclosed, but it can certainly be speculated upon. Similarly, the same can be said for the Yahoo hack that happened in the middle of an M&A transaction.
The Impact of Expanding Regulation
The winds of the regulatory environment are constantly shifting, and more stringent requirements are moving in. There is a price tag associated with coming into compliance, which varies by company and regulation; but that is only one potential consideration. A growing public concern for individual privacy and associated legislation to protect these privacies are sweeping across Europe, most recently in the form of The General Data Protection Regulation (GDPR), which comes into effect in the European Union in May. GDPR requires that companies that host and process individuals’ personal data release or delete that data upon the individual’s request. This privacy regulation will have significant operating model impacts on countless companies, which will have a window of time to implement processes, systems, and potentially add staff to comply, or meet stiff fines.
Consider the significant effect GDPR could have on the revenue streams of global large cap tech corporations, which mine, store, and utilize personal information in highly targeted marketing schemas. As most of us have experienced personally, marketing behemoths such as Facebook (NASDAQ: FB), Apple (NASDAQ: AAPL), Amazon (NASDAQ: AMZN), Netflix (NASDAQ: NFLX), and Google (NASDAQ: GOOG), nicknamed The FAANGs, serve users highly targeted ads based on information about that person and their preferences. Once GDPR goes into effect, global companies must comply with regulations pertaining to EU citizen data; should GDPR-like regulations gain traction in other countries such as the United States, privacy concerns will almost certainly have an even more pronounced effect on how these corporations market and fill their sales pipelines.
The Consumer Effect
As cybersecurity threats continue to escalate and consumers demand better cybersecurity protections, companies must outlay increasing capital to secure their businesses. Both consumers and investors are beginning to demand transparency around these protections, and incoming regulations are providing the means to deliver this visibility. In late December 2016, the U.S. Securities and Exchange Commission (SEC) announced that it would be refreshing its six-year-old guidance on how publicly traded companies report on breaches and disclose cybersecurity readiness. New York State has already implemented similar transparency regulations for financial institutions and insurers, which could provide impetus to other states to follow suit.
Embracing the Cybersecurity Challenge
In a dynamic market, every challenge offers opportunity, and there will be some companies that come out on top of the cybersecurity challenge. The most obvious winners will be those companies that help public and private sector organizations protect themselves against threats: These include cybersecurity strategy advisory firms, cyber defensive technology companies (software and platform), compliance advisory and assessment firms, and cybersecurity response and recovery organizations.
In corporate investing more generally, the companies that are most engaged with their own cyber risk mitigation strategies, Incident Response Planning (IRP), and are looking ahead and planning for upcoming changes in the regulatory environment will have a clear advantage, particularly once upcoming transparency and disclosure guidelines come into effect.
Taken together, the high cost of breaches and their potential fallout, cyber security readiness, and compliance can no longer be ignored in the portfolio valuation; many discerning investors are already looking ahead. For companies looking to solidify their own company valuations, investing time and resources into a strong, foundational cybersecurity strategy—as well as communicating those strategies for market advantage—are investments well made.