Another hack leads to market losses. Time for more ‘activist’ behavior from asset managers.
Demanding improved cyber governance is one example of how asset managers can fulfil the FCA’s value for money rules.
The customer data breach reported by Marriott International on 30th November stands out as one of the most noteworthy security incidents of 2018, even in a year that saw serious incidents suffered by British Airways, Facebook, Uber, and many other household names.
The chain reported that a database of over 350 million hotel guests belonging to its subsidiary Starwood Hotels had been stolen, with information including names, emails, addresses, phone numbers, passport numbers, and more. Encrypted credit card information was also stolen in some cases, with the firm being unable to confirm that the intruders did not also acquire the means to decrypt the data.
Alongside the headline-grabbing figures of customers impacted, media coverage has focused on the potential financial impact from legal and regulatory action, as well as the hit to share price. In Marriott’s case, shares took an immediate 5.6 percent tumble on the day the breach was announced. This equates to an approximate immediate $2bn loss in shareholder value. However, as of writing, six weeks post announcement, the company has now lost over 8% vs. the broad US market, a $3.2bn loss in value and counting.
A pattern has emerged in the last two years where data breaches have acted as a canary in the coal mine for overall corporate governance, from Facebook to Equifax and Dixons Carphone. In many cases, the initial disclosure is followed up with subsequent revisions of “unexpected increase in costs related to resolving security issues” and announcements of management turnover. This trend is putting cyber breaches alongside established corporate governance yellow flags such as overspending on M&A, the opening of a lavish new corporate HQ, and a lack of independent directors. In most cases, the yellow flags are predictors of long-term decline in shareholder value relative to peers.
In Marriott’s case, the first of the ‘lingering effects’ have started. Just two months after the incident was made public, the corporation is now being sued in the US in a federal class action lawsuit. It has also announced it will start the process of ‘rebranding’ its loyalty program to begin the long process of fixing the reputational damage.
Data is valuable but managing its risk impacts different industries in unexpected ways
Marriott International’s business model is often defined by the number of hotels it operates through its vast network of subsidiaries. However, as with most other industries in our digital age, the true value of the hospitality sector today is not defined by its physical assets. Despite the huge number of hotel buildings in its portfolio, the primary source of Marriott’s value gains is its digital assets, such as its loyalty cards, booking systems, proprietary software underpinning its franchise operations, and other technology designed to drive efficiency and monetise data.
Perhaps a perfect example of the new order of things in the digital world is Airbnb. The firm was founded just ten years ago and owns no real estate but has swiftly overtaken established giants to become the second most valuable hospitality chain in the world.
With data now established as the primary source of revenue and value for an increasing number of industries, the ability to effectively manage digital assets has become the leading priority for most businesses. How well the senior management of a company understand this new status quo will increasingly define its ability to protect and increase shareholder value. As a result, “governance” is the lens through which investors should view cybersecurity and its risk for potential losses to reputation, operations and enterprise value.
Cyber is a governance issue more than a technology issue
The competence of senior management, or “management quality factor” in the language of an economist’s model, is one of the primary factors in predicting a company’s future share value. Shareholders who entrust money to a company where the primary asset is data will quickly lose faith if that company is revealed to be mismanaging it. The market is now becoming much wiser to the risks posed by bad data and technology management. Consequently, share prices will quickly fall as a result of poor governance around security risks, just as they do for poor management of operational and financial risks. The share price fallout stemming from the numerous Facebook controversies serves as a powerful example of this dynamic.
As we have seen over the last few years, companies such as Marriott, TalkTalk and Equifax suffer tens, or even hundreds of millions, in financial losses when they are forced to publicly disclose security failings. This is only the initial impact, however. Shareholder value losses over time far outpace financial losses resulting from cyber breaches.
Danish shipping company Maersk, for example, disclosed a financial loss of around $300m after being impacted by the NotPetya ransomware event in 2017. In the six months following the announcement, however, shareholder value loss relative to its peers was close to $7bn. The share price has yet to approach pre-breach levels as of today.
Shareholders should have one eye on third-party risks
In today’s complex cyber environment, C-suites must be able to demonstrate to shareholders that they have done their best to understand the threats facing their digital assets and have undertaken appropriate action to limit exposure. The growth of outsourcing has only compounded the complexities.
Effectively managing security risks means that a company must not only have its own internal security in good order but must be aware of and prepared to manage potential threats introduced through third parties that are directly integrated into their information networks.
As well as hackers taking advantage of existing third-party connections, security vulnerabilities and even active breaches are often inherited through acquisitions. Indeed, the Marriott breach was reportedly suffered by Starwood Hotels, a subsidiary that was acquired in a $13.6bn takeover in 2016. Early reports indicated that Starwood’s systems appear to have been compromised as early as 2014, which means the company represented an active security threat before it was acquired. Marriott could have discovered this issue by including cyber due diligence as part of the M&A process, even going as far as putting a cyber value at risk number on Starwood.
Just as independent financial and health and safety audits have long been a legal requirement, it is increasingly a concern that a similar cyber requirement has not yet been made law, especially when considering that the bulk of a company’s value is derived from data, e.g. databases, proprietary software and ‘smart’ automation. Absent a regulatory requirement, in the short term it is up to shareholders taking an activist initiative to engage with boards to demand these protections of company value.
Taking cyber value seriously
Organisations are well-versed in assessing more traditionally understood risks such as financial and operational issues in prospective partners, suppliers and acquisitions. It would be a rare failure, if not unthinkable, that a company would complete any kind of deal without investigating the potential for unsafe premises or bad debts. Conversely, security issues are still not understood as the macro risks they truly are, and cyber threats are drastically overlooked as a result.
With attackers actively seeking out not only entry points on company services, but also vulnerable third-party connections to exploit, organisations cannot afford to treat cyber threats as a minor IT issue. They must give security the same level of importance and scrutiny that has long been paid to financial risk and other areas.
Just as they would for more traditional risks, companies must ensure they have independent assessments of the IT controls of all existing third parties and should include a mandatory cyber risk audit for all partners and prospective acquisitions. They also need to translate the cyber risks into monetary terms to allow for more accurate financial planning. Not doing so will reflect poorly on company management when a breach does occur and the market will respond accordingly, resulting in investor losses.
C-suites have a clear choice — invest a small amount in a proactive risk mitigation approach that greatly reduces the likelihood of a breach or deal with post-breach fall-out that can cost in the hundreds of millions or billions of dollars. Further, audits need to present any potential risks in easily understood financial terms that relate the cost of a breach to the company’s long-term value and costs, rather than the short-term impact of immediate costs.
The job of investors in this instance is to take an activist posture, engage with boards and demand accountability from company leadership whose ultimate responsibility is to protect and grow shareholder value that is now increasingly digital.
Marriott may be one of the biggest breaches of 2018, but it will be swiftly followed by more equally major incidents in 2019 and beyond as long as corporate mismanagement of cyber (and digital assets) remains the norm, and shareholders remain passive.
NOTE: Marriott Price Reference vs. Broad US market (Russell 3000), loss of 8.1% vs. Market