Full article published in CFO Magazine
Investment bankers and their clients have a blind spot when it comes to information technology (IT) issues. Deal teams can be intimidated by technical concepts, leaving them to IT specialists who get involved late in the process, often after a deal closes. They also can understate the significance of IT as a valuation driver, despite news headlines about company-crippling hacks.
Data security and privacy issues are becoming more severe and frequent, so deal teams must focus on them earlier in the deal process than is current practice. Fortunately, a treasure trove of easy to understand, publicly available information is at hand that can even predict a data breach. You just have to know where to look.
A January 2018 report by Citi quantified the effects of data breaches on company stock prices. Shareholder responses to reported breaches are increasingly severe, with average stock price declines of 4.3% in 2015, 4.4% in 2016, and 6.8% in 2017.
Equifax’s breach was followed by a 36% stock price decline. Investors recognize that data breaches can reduce future earnings and increase financing costs, so companies should further invest in better security.
Data privacy also has value implications. Furor over Facebook’s release of the personal data of users and their friends’ to Cambridge Analytica strike at the heart of the powerful internet advertising business model. Europe has taken the lead in defining data privacy regulations, forcing companies around the world to rethink how they gather, protect, and monetize personal data. As of May 25, 2018, violations of the EU General Data Protection Regulation can cost a company as much as 4% of its annual revenue, so companies and investors are beginning to take privacy seriously.
Necessity is the mother of invention, and Wall Street now has access to tools that quantify a company’s security posture. Just as Moody’s and S&P rate a company’s credit risk, cyber risk ratings firms distill a company’s vulnerability to a data breach into a simple, FICO-like number or letter grade that can change from one day to the next.
Cyber ratings firms only assess factors that can be measured from the outside. They track billions of IP addresses and can tell if one is compromised with malware or botnets. They also monitor IT housekeeping issues that can be overlooked and cause vulnerability. They don’t purport to offer a comprehensive assessment — you would need a company’s permission to look inside to do that. Still, there is a lot you can tell from the outside, and cyber ratings are far more than smoke detectors. They can actually predict a data breach.
The cyber risk ratings phenomenon accelerated in 2013 when Target was hacked via an insecure HVAC vendor. Not surprisingly, the dominant use case for ratings today is to continuously monitor a company’s vendors, especially those with network connections or that possess sensitive information, like a law firm.
A large and growing number of boards include ratings reports as part of their periodic security posture reviews, partly because they communicate powerful conclusions in a language that lay people can comprehend.
The resulting transparency created by cyber ratings has profound implications.
Companies want to deal with secure partners, so those with higher ratings might enjoy greater market share. Regulators can target poorly rated companies for possible enforcement action. Cyber insurance underwriters can make better-informed decisions instead of only relying on responses to questionnaires. Investment and commercial banks, private equity investors, corporate development officers, and activist investors, among others, can correct what has been a dangerous cyber blind spot.
M&A advisers can better serve their clients by identifying data security and privacy risks early, even when surfacing acquisition candidates. Leaving one’s comfort zone to learn the language of cybersecurity has its rewards. A low rating presents negotiating leverage over the target, while a high rating can justify richer valuations.
Investment and commercial bank commitments committees can check a potential issuer’s rating before deciding to underwrite initial public offerings and syndicated loans. Imagine selling an issuer’s securities one month before a massive data breach without first checking their cyber risk ratings. A plaintiff could argue the underwriter was negligent in their cyber due diligence.
Some activist investors attempt to effect change by pointing out a management team’s weaknesses. Companies that tolerate a low cyber risk rating open themselves to criticism. Activist investors that act as management coaches can use ratings to identify opportunities for improvement.
Cyber risk ratings services are just one source of insight. Context is everything, and other sources add perspective on company- and industry-specific risks. The SEC updated its cybersecurity disclosure guidance to promote more fulsome descriptions of a registrant’s posture. Other sources include regulatory actions by the FTC, EU, and other authorities; alerts from the Department of Homeland Security and the FBI that describe specific threats; and cyber insurance claims activity. Privacy policies and practices can vary widely among companies, too.
Wall Street has benefited from spurts of innovation over the decades. Demystifying security and privacy issues so that they can be factored into the process earlier than usual is proving to be a valuable new chapter.