Cyber Security and Data Privacy: The Downsides of the Network Effect

Posted on November 20, 2018

Moin Syed
Moin Syed
Manager Technology, Media and Telecommunications Research

As investors assess their portfolios and develop engagement approaches, considering data privacy and security risks alongside traditional fundamental factors may be necessary to develop a fuller understanding of the risks facing a company’s enterprise value. In many cases, these risks may fly under the radar until there is a systemic failure, at which point it may already be too late to effectively mitigate the fallout.

In the last two months, both Facebook and Alphabet’s main subsidiary Google, have reported information security vulnerabilities. Google stated it found a vulnerability in its Google+ network in March 2018. It decided not to disclose the breach to users since, based on an internal assessment, no accounts were compromised.

In Facebook’s case, the issue led to a data breach that compromised, to date, at least 30 million user accounts. For 14 million of those users, this breach included sensitive, personal data. The company also noted that alongside Facebook accounts, login details (called “access tokens”) to third-party apps which use Facebook credentials could also have been compromised, creating uncertainty regarding the full scope of the breach.

Facebook, given its massive network, has become a standard mechanism for other apps and websites to authenticate users and reduce the hassle of an extended sign up process. The company is still investigating the breach to determine the full impact, including determining who was responsible, the intentions behind the attack as well as whether the compromised data has been used for fraudulent or illegal activities.

Business Model as a Risk

Cyberattacks and breaches pose an increasingly challenging problem from an enterprise risk management perspective. It is especially challenging for companies that rely heavily on collecting data on user behaviors to improve advertising returns on investment. In this context, the Facebook breach is no surprise as the company remains an attractive target for malicious actors.

In Sustainalytics’ June 2018 ESG Spotlight Series report on data privacy, we noted that Facebook remains vulnerable given its ad-based revenue model underpinned by user data monetization as well as the sheer scope of its social network (2 billion+ users).

While the Cambridge Analytica incident exposed significant deficiencies in Facebook’s privacy management and severely eroded user trust, it was not an isolated incident. Sustainalytics’ controversies tracking clearly documents that despite its public commitments, Facebook has repeatedly experienced failures in privacy governance.

Sustainalytics Controversy Signals: Facebook Case Study

Facebook controversies tracked by Sustainalytics

Facebook and Data Privacy: A Cautionary Tale

Privacy governance remains tricky, especially for companies that have complicated and expansive digital supply chains that give them unparalleled network effects. Nonetheless, the public and regulators increasingly expect companies to adopt proactive measures to mitigate privacy breaches and cybersecurity attacks. These measures come at a considerable cost and may involve establishing company-wide structures to embed a strong culture of privacy and data security.

These costs could increase exponentially in the event of a major breach with Facebook’s experience serving as a cautionary tale. In the aftermath of the Cambridge Analytica controversy (which occurred in March 2018), Facebook has lost billions in market value. Additionally, in its last two quarterly earnings calls of 2018, the company signaled that it will likely experience revenue deceleration in the next few quarters. Facebook specifically cited expenditures in the billions of dollars focused on data privacy and platform security as one of the factors that will put downward pressure on its revenue growth at least through the end of 2019.

Despite Facebook’s example, Google decided to delay disclosing a security vulnerability in Google+ that it detected earlier in 2018, and that had persisted since at least 2015. Google’s decision to not notify the public in a timely manner signals continued deficiency in corporate disclosure of privacy-related risks. While Google and its parent, Alphabet, have not faced the same level of controversy related to privacy so far, a proactive approach is viewed as a key differentiator as privacy breaches and cyber-attacks have become inevitable.

Google and Alphabet’s business model is more diversified with the company active in enterprise cloud services such as cybersecurity management, smart city development, and autonomous driving segments, to name a few. A major breach could jeopardize its ability to generate growth if consumer and investor confidence in its ability to keep sensitive and proprietary data secure diminishes.

Facebook Share Price

Facebook lost a record USD 119 billion in market value after its 2nd Quarter earnings report – Largest single day drop in US market history

https://www.bloomberg.com/view/articles/2018-10-04/facebook-scores-a-very-unwelcome-first-on-data

The GDPR Era

Facebook’s response to the latest breach does signal improved transparency with the company publicly disclosing the issue within days. This is in stark contrast to its handling of the Cambridge Analytica incident, when the company allegedly discovered the breach as far back as 2015. A November 2018article from the New York Times alleges there were significant issues around communication and accountability when it came to platform security at Facebook. Under the European Union’s Global Data Protection Regulation (GDPR), which came into force in May 2018, Facebook could face major fines if regulators find the company’s systems and management protocols to be deficient.

The regulatory and market scrutiny Facebook is under is part of a larger trend that we expect to continue. Companies with user data monetization models have a long, and likely never ending, road ahead in winning back the trust of stakeholders.

Recent Content

automotive production in Ukraine

ESG Implications of Russia’s Invasion of Ukraine on the Automotive Industry

The Russia-Ukraine conflict has put more pressure on a sector that was already constrained by the disrupted supply chains, brought about by pandemic-induced congestions and shortages. Additionally, the surge in fuel price is already affecting customers, although it may accelerate the adoption of electric vehicles (EVs) as a side effect. However, the scarcity of minerals, which are necessary for semiconductor manufacturing, may further exacerbate the chip shortage that has afflicted the automotive industry since 2020.

diverse patients waiting

Addressing ESG Risk in a Shifting Landscape for Clinical Trial Diversity

Low diversity in clinical trials increases the risk of unforeseen side effects, only discovered after the drug hits the market, exposing patients to harm and companies to litigation.

Russia-Ukraine Crisis Could Spell Unforeseen ESG Risks for Insurers

Russia-Ukraine Crisis Could Spell Unforeseen ESG Risks for Insurers

The Russia-Ukraine conflict and the subsequent sanctions on Russian entities have led to material and wide-ranging impacts on diversified sectors and international firms. However, company disclosures and other sources suggest that the conflict’s primary impact on the global insurance industry is limited for two main reasons

aviation in Ukraine ESG

ESG Implications of Russia’s Invasion of Ukraine on the Aviation and Defense Sectors

The aviation industry is feeling the impact of rising fuel costs as an immediate repercussion of the conflict in Ukraine. In particular, the airline sector is still facing significant challenges in mounting a steady recovery from the COVID-19 crisis. On the other hand, the defense industry may be presented with opportunities in light of increased government spending in the aftermath of the invasion.