Cyber Security and Data Privacy: The Downsides of the Network Effect

Posted on November 20, 2018

Moin Syed
Manager Technology, Media and Telecommunications Research

As investors assess their portfolios and develop engagement approaches, considering data privacy and security risks alongside traditional fundamental factors may be necessary to develop a fuller understanding of the risks facing a company’s enterprise value. In many cases, these risks may fly under the radar until there is a systemic failure, at which point it may already be too late to effectively mitigate the fallout.

In the last two months, both Facebook and Alphabet’s main subsidiary, Google, have reported information security vulnerabilities. Google stated it found a vulnerability in its Google+ network in March 2018. It decided not to disclose the breach to users since, based on an internal assessment, no accounts were compromised.

In Facebook’s case, the issue led to a data breach that compromised, to date, at least 30 million user accounts. For 14 million of those users, this breach included sensitive, personal data. The company also noted that alongside Facebook accounts, login details (called “access tokens”) to third-party apps which use Facebook credentials could also have been compromised, creating uncertainty regarding the full scope of the breach.

Facebook, given its massive network, has become a standard mechanism for other apps and websites to authenticate users and reduce the hassle of an extended sign up process. The company is still investigating the breach to determine the full impact, including determining who was responsible, the intentions behind the attack as well as whether the compromised data has been used for fraudulent or illegal activities.

Business Model as a Risk

Cyberattacks and breaches pose an increasingly challenging problem from an enterprise risk management perspective. It is especially challenging for companies that rely heavily on collecting data on user behaviors to improve advertising returns on investment. In this context, the Facebook breach is no surprise as the company remains an attractive target for malicious actors.

In Sustainalytics’ June 2018 ESG Spotlight Series report on data privacy, we noted that Facebook remains vulnerable given its ad-based revenue model underpinned by user data monetization as well as the sheer scope of its social network (2 billion+ users).

While the Cambridge Analytica incident exposed significant deficiencies in Facebook’s privacy management and severely eroded user trust, it was not an isolated incident. Sustainalytics’ controversies tracking clearly documents that despite its public commitments, Facebook has repeatedly experienced failures in privacy governance.

Facebook and Data Privacy: A Cautionary Tale

Privacy governance remains tricky, especially for companies that have complicated and expansive digital supply chains that give them unparalleled network effects. Nonetheless, the public and regulators increasingly expect companies to adopt proactive measures to mitigate privacy breaches and cybersecurity attacks. These measures come at a considerable cost and may involve establishing company-wide structures to embed a strong culture of privacy and data security.

These costs could increase exponentially in the event of a major breach, with Facebook’s experience serving as a cautionary tale. In the aftermath of the Cambridge Analytica controversy (which occurred in March 2018), Facebook has lost billions in market value. Additionally, in its last two quarterly earnings calls of 2018, the company signaled that it will likely experience revenue deceleration in the next few quarters. Facebook specifically cited expenditures in the billions of dollars focused on data privacy and platform security as one of the factors that will put downward pressure on its revenue growth at least through the end of 2019.

Despite Facebook’s example, Google decided to delay disclosing a security vulnerability in Google+ that it detected earlier in 2018, and that had persisted since at least 2015. Google’s decision to not notify the public in a timely manner signals continued deficiency in corporate disclosure of privacy-related risks. While Google and its parent, Alphabet, have not faced the same level of controversy related to privacy so far, a proactive approach is viewed as a key differentiator as privacy breaches and cyber-attacks have become inevitable.

Google and Alphabet’s business model is more diversified with the company active in enterprise cloud services such as cybersecurity management, smart city development, and autonomous driving segments, to name a few. A major breach could jeopardize its ability to generate growth if consumer and investor confidence in its ability to keep sensitive and proprietary data secure diminishes.

Facebook lost a record USD 119 billion in market value after its 2nd Quarter earnings report – Largest single day drop in US market history

The GDPR Era

Facebook’s response to the latest breach does signal improved transparency, with the company publicly disclosing the issue within days. This is in stark contrast to its handling of the Cambridge Analytica incident, when the company allegedly discovered the breach as far back as 2015. A November 2018 article from the New York Times alleges there were significant issues around communication and accountability when it came to platform security at Facebook. Under the European Union’s Global Data Protection Regulation (GDPR), which came into force in May 2018, Facebook could face major fines if regulators find the company’s systems and management protocols to be deficient.

The regulatory and market scrutiny Facebook is under is part of a larger trend that we expect to continue. Companies with user data monetization models have a long, and likely never-ending, road ahead in winning back the trust of stakeholders.
