Cyber Security and Data Privacy: The Downsides of the Network Effect
by Moin Syed
As investors assess their portfolios and develop engagement approaches, considering data privacy and security risks alongside traditional fundamental factors may be necessary to develop a fuller understanding of the risks facing a company’s enterprise value. In many cases, these risks may fly under the radar until there is a systemic failure, at which point it may already be too late to effectively mitigate the fallout.
In the last two months, both Facebook and Alphabet’s main subsidiary Google, have reported information security vulnerabilities. Google stated it found a vulnerability in its Google+ network in March 2018. It decided not to disclose the breach to users since, based on an internal assessment, no accounts were compromised.
In Facebook’s case, the issue led to a data breach that compromised, to date, at least 30 million user accounts. For 14 million of those users, this breach included sensitive, personal data. The company also noted that alongside Facebook accounts, login details (called “access tokens”) to third-party apps which use Facebook credentials could also have been compromised, creating uncertainty regarding the full scope of the breach.
Facebook, given its massive network, has become a standard mechanism for other apps and websites to authenticate users and reduce the hassle of an extended sign up process. The company is still investigating the breach to determine the full impact, including determining who was responsible, the intentions behind the attack as well as whether the compromised data has been used for fraudulent or illegal activities.
Business Model as a Risk
Cyberattacks and breaches pose an increasingly challenging problem from an enterprise risk management perspective. It is especially challenging for companies that rely heavily on collecting data on user behaviors to improve advertising returns on investment. In this context, the Facebook breach is no surprise as the company remains an attractive target for malicious actors.
In Sustainalytics’ June 2018 ESG Spotlight Series report on data privacy, we noted that Facebook remains vulnerable given its ad-based revenue model underpinned by user data monetization as well as the sheer scope of its social network (2 billion+ users).
While the Cambridge Analytica incident exposed significant deficiencies in Facebook’s privacy management and severely eroded user trust, it was not an isolated incident. Sustainalytics’ controversies tracking clearly documents that despite its public commitments, Facebook has repeatedly experienced failures in privacy governance.
Sustainalytics Controversy Signals: Facebook Case Study
Facebook and Data Privacy: A Cautionary Tale
Privacy governance remains tricky, especially for companies that have complicated and expansive digital supply chains that give them unparalleled network effects. Nonetheless, the public and regulators increasingly expect companies to adopt proactive measures to mitigate privacy breaches and cybersecurity attacks. These measures come at a considerable cost and may involve establishing company-wide structures to embed a strong culture of privacy and data security.
These costs could increase exponentially in the event of a major breach with Facebook’s experience serving as a cautionary tale. In the aftermath of the Cambridge Analytica controversy (which occurred in March 2018), Facebook has lost billions in market value. Additionally, in its last two quarterly earnings calls of 2018, the company signaled that it will likely experience revenue deceleration in the next few quarters. Facebook specifically cited expenditures in the billions of dollars focused on data privacy and platform security as one of the factors that will put downward pressure on its revenue growth at least through the end of 2019.
Despite Facebook’s example, Google decided to delay disclosing a security vulnerability in Google+ that it detected earlier in 2018, and that had persisted since at least 2015. Google’s decision to not notify the public in a timely manner signals continued deficiency in corporate disclosure of privacy-related risks. While Google and its parent, Alphabet, have not faced the same level of controversy related to privacy so far, a proactive approach is viewed as a key differentiator as privacy breaches and cyber-attacks have become inevitable.
Google and Alphabet’s business model is more diversified with the company active in enterprise cloud services such as cybersecurity management, smart city development, and autonomous driving segments, to name a few. A major breach could jeopardize its ability to generate growth if consumer and investor confidence in its ability to keep sensitive and proprietary data secure diminishes.
Facebook lost a record USD 119 billion in market value after its 2nd Quarter earnings report – Largest single day drop in US market history
The GDPR Era
Facebook’s response to the latest breach does signal improved transparency with the company publicly disclosing the issue within days. This is in stark contrast to its handling of the Cambridge Analytica incident, when the company allegedly discovered the breach as far back as 2015. A November 2018 article from the New York Times alleges there were significant issues around communication and accountability when it came to platform security at Facebook. Under the European Union’s Global Data Protection Regulation (GDPR), which came into force in May 2018, Facebook could face major fines if regulators find the company’s systems and management protocols to be deficient.
The regulatory and market scrutiny Facebook is under is part of a larger trend that we expect to continue. Companies with user data monetization models have a long, and likely never ending, road ahead in winning back the trust of stakeholders.