Should a public company’s cyber and breach disclosure practices matter to Wall Street and socially-responsible investment funds?
Socially-responsible investment funds – known as ESG funds because they weigh environmental, social and governance practices – rely on sustainable, socially conscious investing principles. Before taking an investment position, ESG portfolio managers consider issues beyond a company's financial standing, such as environmental compliance, working conditions, executive pay and diversity efforts. Audit Analytics asks whether cybersecurity should be added to this list of investment criteria.
It’s an interesting question.
With the rapid growth of ESG funds – which typically are over-weighted toward the technology sector – the question is taking on heightened importance. Morningstar, the mutual fund research firm, reports that ESG investing "has gained considerable traction and continues to be an important focus not just for institutional investors, but individual investors as well." During the first five months of this year, monthly inflows to ESG funds averaged $924 million, almost double the average monthly flows from 2015 until November 2016.
“As the technology sector matures and concerns around data breaches, privacy and other issues become a more important part of a company’s business and internal controls, ESG investors will need to take how these failings affect companies more seriously and consider whether violators belong in ESG portfolios,” said the post.
Academic researchers from Tel Aviv University and the University of North Carolina claim there is an "indifferent attitude" in the investment community toward data breach disclosures, but that this is changing. In a June study, the researchers found that "investors are more likely to punish firms that withheld data breach information that was later discovered, versus those that report that information right away."
“We find withheld cyber-attacks are associated with a decline of approximately 3.6% in equity values in the month the attack is discovered, and disclosed attacks with a substantially lower decline of 0.7%. The evidence is consistent with managers not disclosing negative information below a certain threshold and withholding information on the more severe attacks. Using the market reactions to withheld and disclosed attacks, we estimate that managers disclose information on cyber-attacks when investors already suspect a high likelihood (40%) of an attack,” wrote the researchers.
To be sure, data breaches have drawn mixed reactions from the financial markets. When Equifax Inc. suffered its headline-grabbing breach in 2017, the market punished the company's stock, which dropped nearly 40% on news of the breach. Since then, the stock has slowly recovered and is trading today at $133 per share, just $10 below its level before the breach was announced.
In other cases, the market's reaction has been muted. The disclosure by T-Mobile US, Inc. and its Metro PCS brand of a security incident that potentially affected about 3% of its customers was met with a yawn: the stock took a small dip but quickly rebounded.
The broader question of whether investors will consistently punish companies for sub-par cybersecurity practices or delayed breach disclosures remains unresolved, though the research so far suggests that withholding a breach costs more, once discovered, than disclosing it promptly.