Data security: how to keep the investors happy
22 October 2018
Jake Moore, cyber security specialist at ESET, says that instead of leaving investors and the public in the dark, it's time that companies showed more transparency about how they secure our data.
Data, according to some industry commentators, is now being viewed as the world’s most valuable commodity, so much so that its being called the ‘new oil’. It’s an accurate description as data is powering the technology economy in the same way that petroleum fuelled the growth of industrialised economies in the 20th century. Stretching the analogy a degree further, the damage caused by a data leak to an organisation’s reputation now is probably as calamitous as an oil spill was to the global oil companies then.
So what’s this got to do with European Cyber Security month I hear you say? Well, everything, if you are enrolled into a pension scheme as the steps taken by companies to protect data is now driving institutional investor sentiment. In short, companies whose policies and procedures fail to protect their data adequately, or who suffer a successful cyber-attack, can now expect not only to be pilloried by the media but punished by the investment community too. And if the company’s management has their wealth tied up in stock options then that punishment can seem a lot more painful than a dented corporate reputation.
Consider the recent Facebook/Cambridge Analytica saga. Admittedly no cyber attack took place but there was a lapse in data handling procedures and the company then paid a very heavy price; its share price dropped 19 per cent and more than $120 billion was wiped off the company’s market value.
Only a tech-Goliath the size of Facebook could ride out that hit but what was interesting here is the attitude of some investors who sold out the stock out because of what they perceived to be a ‘flippant attitude’ towards data protection. For these ‘responsible investors’, data privacy has become a crucial metric when assessing the companies in which they invest. (Facebook’s attitude to data security probably looked downright complacent to them when it announced last month that hackers had gained access to up to 50 million user accounts).
That was enough for Nordea Asset Management, the Swedish bank-owned investment business that manages €216bn on behalf of 10 million customers. It removed Facebook’s shares from its sustainable portfolios and its head of sustainable finance, Sasja Beslik, went on record as saying that he would invest in Facebook again, but would not feel comfortable doing so until the company was more forthcoming about how it oversees data privacy. “We do not have enough information to do a thorough assessment in how they manage this risk,” he said at the time. “This is one of their biggest risks, and [for us] it’s pretty much a black box about their capacity to manage it.”
At one level this is a pretty startlingly statement. Data is seen by investors as being a huge asset but they have no way of knowing how well companies are doing in protecting it. Or what steps. A black box is the very opposite of a transparent system in my book.
Other responsible investors in Facebook didn’t sell at the time but chose to use the scandal as an opportunity to engage with the company and ‘press it to improve its approach to data handling’. If evidence was needed about how far data security has moved up the management agenda then this is it. Senior managers can now expect to be quizzed by asset managers on their data security policies and presumably, if they don’t like what they hear, will sell down the stock.
Evidence of this happening was further provided by Eoin Murray, who is head of investment at Hermes Investment Management. With £35 billion under management, when Mr Murray speaks other listen and he was quite forthright at the time of the Facebook scandal. Despite holding onto his stock position in the company, he was very clear, “We want these companies to self-regulate rather than wait for governments or individuals to take matters into their own hands,” he said. What he was really saying was, ‘show me that you are taking the utmost care of your customers’ – and our shareholders’ - data or we’ll get the government involved’.
He has obviously had some media training in the past as his other statement on the subject is an example of a really good ‘sound bite’, “[Data privacy] is tech companies’ dark underbelly — there is no way they can guarantee 100 per cent security,” he said.
As an employee of a leading data security vendor I’m bound to say maybe not 100% but you can reduce the odds dramatically and so save your CEO a roasting the next time the investors come calling.