Why investors should be wary of firms that don't take data governance seriously

 
Elliott Haworth

When stock picking, investors look at a combination of factors: technical and fundamental analysis, expected dividends, corporate governance, rumours, to name but a few.

But in the digital economy, data has very quickly become an asset class investors must consider.

Observe the top ten companies in the world by market capitalisation – from Facebook to Alphabet and most in between, their greatest asset is data.

Or take Tesla for example. It briefly overtook Ford and General Motors to become the most valuable automobile manufacturer in the world, despite only delivering 76,000 electric cars last year. The data it collects to train autonomous vehicles – some 1.3bn miles at last count – is not just an asset, but its greatest competitive leverage.

In many circumstances, the data businesses hold, regardless of scale, is more important a factor to investors than tangible assets on the balance sheet.

Subsequently, firms have been forced to take protecting their data more seriously, gradually waking up to the creeping importance of data governance at a board level.

Data Governance

Worryingly though, many are not. The results of the Department for Media, Culture and Sport’s Cyber Security Breaches Survey made for harrowing reading.

Virtually all UK businesses are exposed to cyber security risks, which, today, are a given. Some 68 per cent of large firms identified at least one cyber security breach or attack in the last 12 months.

But despite 91 per cent of large firms investing in cyber security, only a third have made specific board members responsible for it.


I’ve identified several reasons that a board without sufficient data governance should send alarm bells ringing for potential investors.

Asset Equivalence

The first is one of equivalence with the protection of other assets. Every public business has a chief financial officer to look after its money – an asset – so why not a data protection officer, or similar? As Phil Beckett, managing director at Alvarez & Marsal, says: “if they are not looking after data properly; what else aren’t they looking after properly? If you must consider that data is key to an organisation – and you believe that as a premise, which I do – if someone’s not looking after that, then they’re fundamentally failing to look after a key asset of the business. What else are they missing?”


Are EU serious?

The second pertains to the approaching General Data Protection Regulation (GDPR), to be enacted in May 2018. It legislates obligations for all organisations to protect any personal data of EU citizens they hold or process, underpinned by a tough compliance regime and hefty fines. Failure to comply can land a business with a penalty of €20m or four per cent of global group revenue, whichever figure is higher. By comparison, the previous limit under the Data Protection Act (DPA) is £500,000. Had GDPR been in place when Yahoo was breached, it seems likely it would have received a fine in the hundreds of millions. Regardless of the obvious reputational damage, missing millions certainly doesn’t look good on the balance sheet. Having someone on the board whose sole responsibility is to ensure systems are compliant is a good sign the firm’s affairs are in order.


Crashing

The third is something many suspected for years, but never had the evidence to support. A company’s share price tells you a lot about its ambitions; the sum of the market’s expectations, if you will.

A report from CGI and Capital Economics, The Cyber-Value Connection, earlier this year found a clear correlation between severe data breaches and plummeting share prices.

It found FTSE shareholders have lost at least £42bn in the last three years due to the fallout of data breaches.

The companies involved faced a permanent 1.8 per cent drop in share price – an average £120m loss of market cap.

Such heavy losses should send a shiver down the spine of any investor.

It’s easy to blame “cyber crime” for a breach, but that is to pass the buck. A breach – whether a hack, a leak, or an employee leaving a laptop in the back of a cab – is nearly always a product of failed data governance.


Sea change

The fourth and final concern is a culmination of the previous two.

Presently, under the DPA, most firms have no obligation to report a breach. This will change under the GDPR next year. All firms will have just a 72-hour breach notification period, and face a penalty for non-compliance.

This presents a quandary of sorts: report a breach and face reputational damage and crashing share prices. Fail to do so, and face egregious fines.

That’s not half of the issue though. Andrew Rogoyski, vice president of cyber security at CGI UK, estimates that “only around 10-20 per cent of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of 10 when the new regulations take effect in May 2018.”

Today, firms not harnessing data in some way or another are an aberration, regardless of whether their primary function relies on it.

Data is an asset like any other, worthy of firms including – and some do – on financial reports.

What data the company owns, how it is looked after, and by whom, should more than pique the interest of investors.

Elliott Haworth is business features writer at City A.M.