The lyrics to Rockwell’s 1984 hit Somebody’s Watching Me are the musings of a paranoid individual worried that his neighbours, his mailman and the IRS are watching him. Notable for Michael Jackson’s unaccredited backing vocals — who had his own anxieties surrounding privacy — the song foreshadowed broader society’s privacy concerns which have accompanied technological advances. Coincidentally, 1984 was also the year the first U.K. Data Protection Act was passed. Since then, concerns about data privacy and cybersecurity have grown far beyond the snooping mailman, due to the internet, the volume of data gathered and developments from spyware to smart TVs that actually do watch back.
For investors who consider such factors, data privacy falls within the Social pillar of Environmental, Social and Governance (ESG) considerations and, in our opinion, are of material importance. It appears that investors have begun to recognise that these attributes can translate into tangible value.
Regulations and relationships are changing
For those who invest with an eye toward ESG factors, recent regulations on data protection could influence their investment decisions. In May 2018, the European Union (EU) General Data Protection Regulation (GDPR) will become effective. Its goal: To give EU citizens control over their personal data.
The relationship between companies and consumers is likely to change as a result, with implications for consumers, companies, sectors, investors and geopolitics. Because large companies are global—trading with Europe and using European data—the GDPR regulation will likely have far-reaching effects with respect to how these companies handle this personal data.
The GDPR provides a strict compliance regime with significant penalties for non-compliance of up to 4% of a company’s annual global turnover or €20 million, whichever is higher1. Along with responsibility, accountability (making automated decisions such as profiling contestable), explicit consent, and data portability, the regulations include a new right to erasure, a more limited version of the right to be forgotten.
In the past, data breaches in the EU often went unreported. Under new regulations, an organisation has 72 hours to notify the relevant local authority of a regulatory breach.
The GDPR provides a good case in point that investors who purchase shares of companies that are behind the curve in terms of data privacy protection capabilities and general cybersecurity – could be assuming real risks. Potential lawsuits, reputational damage, revenue loss, intellectual property theft and the cost of infrastructure repairs to prevent future breaches are significant risks on their own. The prospect of a fine bolsters the case for considering a company’s strict adherence to the regulations when considering potential investment.
Your data can be sold . . .
Data is obviously worth a lot more than people are being paid for it right now, since they generally give it away for free. But if you have privacy rights over your data, you could start to charge for it. For industries that have grown up around a model of data being free, this could lead to significant disruptions.
There is a massive amount of information now being put into a form that could be subject to ownership rights. That data was already owned by the companies who collected it, analysed it and sold it for big profits. The GDPR explicitly provides ownership rights for this sort of data – the kind that has commercial value – at the individual, data-subject level.
Ownership rights create a number of considerations—potential for theft, misuse, nation-state applications—but they also create enormous investment opportunities. In recent years, companies have been created specifically to allow businesses to understand what content they have on people, to give them the ability to report, to move the data from one place to another, to erase it and often to use to enhance their profits.
. . . so what is your price?
Looking at the sensitivity of data and people’s willingness to share it can lead to a tradeoff. Medical data, for example, is highly sensitive. But if people feel it will be used for either their personal health benefit or the broader good, they may be more willing for it to be widely used than would be the case for financial data, where sharing seems like more of a threat (Display 1).
This distinction could have a strong bearing on how much people would charge for the data when they have control over it. Because sharing health data brings additional benefits, data subjects might sell it for a cheaper price than they would with financial data. Similarly, social media offers a “value exchange” with the consumers getting a direct benefit from allowing their data to be collected. But where the value is more biased towards the company, will this reduce the willingness of consumers to give consent for data collection?
Cybersecurity: A new growth industry
One prominent consequence of the privatisation of data is that it is an asset requiring protecting against theft, which entails an enormous increase in security. The number of security incidents against companies has been rising at over 60% a year since 2008, and the attacks themselves are becoming increasingly sophisticated (Display 2). In 2014, it was reported that businesses suffered $400 billion p.a. worth of losses attributable to cybercrime.2
In a recent study that tracked people’s major global security threat concerns across 18 countries, for example, Japan identified cybersecurity as its top concern, beating out risks like ISIS (the top
concern in Europe) and climate change (Africa, Latin America). The U.S., Germany and the U.K. all considered cyberattacks their second biggest security threat3.
Even companies that are doing a good job of protecting their data can be vulnerable to blackmail, disinformation and destruction for its own sake from the likes of highly motivated activists with their own agendas, terrorist groups and criminal organisations. One of the two biggest recent global attacks was the WannaCry ransomware attack, which illustrated the threat posed when entities do not update their software or continue to use outdated systems that cannot be patched. The chief risks posed by cyberattacks are business disruption, information loss and subsequent revenue loss (Display 3). The 2017 version of Petya was substantial enough to cause at least one firm to revise its estimated sales growth forecasts.
As a result of such cyber threats, spending on security software in the Americas, EMEA and Asia Pacific (including Japan) is on a consistent upward trend, with highest spending in the U.S. – also the most advanced country in terms of legislation (Display 4). We would not be surprised to see other regions catch up with the U.S. in time, creating opportunities in these areas. The enforcement of the GDPR for instance, should increase cyber security spending in Europe. This supports our more general view that the economy is undergoing not just a cyclical increase in investment, but also positive secular trends.
We have observed in previous commentaries that business fixed investment has been low for many years, with companies running on old equipment. Recent cyberattacks have shown that this includes old computer technology. Given the increasing cyber risks, and regulation, it seems plausible that the increase in U.S. business fixed investment seen in the last two quarters might also, include increased spending on computer software and hardware4. Furthermore, as cyberattacks become more sophisticated, companies will have to continue to invest if they are to evolve their defences and keep up with the attackers.
Display 4 (part 1, to be shown at top or left side)
New economy: Cyberdefence spending rising . . .
Spending on security software technology in EMEA lags spending in the Americas by ~50% despite
Display 4 (part 2, to be shown at bottom or right side)
. . . and there is room grow
Security spending also lags in EMEA as a % of GDP, highlighting a material opportunity to bolster cyberdefences in Europe
In terms of opportunities, the flip side of cyberdefence is cyberattack, and nations are increasingly investing in cyberwarfare technology. This could lead to the creation of an entire new cyber weapons industry, with both defensive and offensive capabilities requiring significant investment and spending. Cyberwarfare also presents not only an economic opportunity, but a potential geopolitical threat – something else for investors to consider.
Social factors impacting performance
Opportunities are not limited to the investment side. Stock prices also appear to react to how well companies handle privacy along with other ESG issues. Looking at a one-year period ending June 2017, we found that in the U.S., Europe and Japan social score was positively associated with stock market performance in the information technology sector. In that sector, companies with the highest social scores were also the best performers over the last year in all three regions (Display 5).
Of all the globally recorded data breaches in 2016, 80% occurred in the U.S.5 However, data issues are probably the most advanced in the U.S. because the firms that have been privatising the data are mostly located there, coupled with greater legislation and reporting requirements. In 2016, the technology sector had the greatest number of records experiencing security breaches, accounting for 28%6 of all breaches. The growth of the “Internet of Things”, with now billions of connected items, will likely open up new sectors to the risk of cyberattack, from household items to medical devices to autonomous vehicles.
Understanding cybersecurity and acting as responsible shepherds of their customers’ data contributes to reduced risk for companies, and could lead to more attractive cost of capital and lower operating costs.
Conclusion: Somebody is watching you
What was paranoia in 1984 is reality in 2017. Somebody is watching you and gathering your data in previously unimaginable quantities. But with regulations like the GDPR, in Europe you as the data-subject will own that data. This increase in regulation is one part of the broader disruptive change happening to industries across the global as a result of the fast evolving cyber environment. The risks and costs to companies of not keeping up with change is evidently great, be it in the form of fines, reputational damage or even lower productivity as a result of exposure to cyberattacks – each of which can have a genuine impact on companies’ profitability. Therefore, data privacy and security, within the Social pillar of ESG concerns, is evidently a factor worth considering when assessing investment opportunities. For investors, this trend will open up new markets, risks and potential opportunities along the way.