When privacy became an investment risk. Shall companies report its security incidents to the market?
The large data brokers, i.e., those companies that base their business model on the exploitation of third parties' personal data, begins to suffer from the increased protection of user privacy. This is so much the case that, in the IPO reports of some of them, such as Palantir or Snowflake, potential investors are already being warned of the negative impact that this could have on the expected profitability of the business.
This is mainly due to the fact that the changing regulatory framework in many countries around the world, especially in Europe with its GDPR, but also in the United States such as the case of California and its COPPA law, is increasingly tending towards a greater strengthening of consumer privacy rights.
It seems that such a change of scenery is leading some of these companies to see their business under threat, which for years has consisted of exploiting without control or limits, the personal information of millions of Internet users around the world.
Indeed, if we look at the documentation that these companies have filed with the Securities and Exchange Commission (SEC), which is the body that regulates the IPOs of companies in the North American market, the regulatory change in privacy is already included as one of the main risks of which potential investors interested in participating in their business are informed.
Uncertainty about the interpretation and practical application of data protection laws by regulators has led companies, such as Facebook for instance, to claim that legislative changes are forcing them to adapt their products and services to a new reality, in a way that they say does not allow them to guarantee absolute compliance with the law, which means they are more likely to be heavily penalised. This would be the case, for example, of the recent annulment of the privacy shield, which has led to the interruption of the lawfulness of international transfers of personal data between Europe and the United States.
Another of these companies, such as Sumo Logic, focused on data analysis in the cloud, also referred to this issue in the documentation it provided to the SEC, where it publicly acknowledged that "the perception that data privacy is not satisfactorily protected or that legal obligations are not being met may harm sales of our services and limit the adoption of our platform".
While the international regulatory landscape for privacy is becoming increasingly complex, there is a clear evolution towards further strengthening users' rights. In this sense, investors in this type of business should be aware, as is the case with cybersecurity, that privacy is a business risk about which companies should be concerned and about which their management bodies should adopt measures to prevent or avoid it, but, in any case, to manage it.
However, cybersecurity is not an aspect that should only be taken into account at the time of investment. Also security incidents may affect the business and, consequently, the value of the shares. That means that the impact of a cyberattack on a listed company's systems should be reported to the market as a warning to the investors.
The seriousness and scope of some cyberattacks and also of data breaches suffered by listed companies allows them to be classified as inside information and, as such, subject to the disclosure requirements of the EU Market Abuse Regulation, since they are events that directly concern the issuer and may have a substantial influence on the prices of shares or related financial instruments. For this reason, cyber risk has to be identified as one of the most relevant non-financial risks faced by listed companies today and an adequate policy to identify and reduce such risks should be part of the priorities of the companies' management bodies
Article provided by: Francisco Pérez Bes and Esmeralda Saracíbar (ECIX, Spain)
Dr. Tobias Höllwarth (Managing Director INPLP)