For investors, every little thing is gonna be alright
From cybersecurity to climate, investors aren't fickle
I’ve been working in technology long enough to know that emails containing “I LOVE YOU” or Anna Kournikova beget trouble. I remember triaging the Conficker worm as it wrought havoc across our servers during the global Financial Crisis. More recently, I remember seeing a fake email address from our pastor urgently asking us to send them digital gift cards.
Even as I sit here writing this, I have yet another identity theft mailer on my desk from a healthcare intermediary I’ve never heard of. They are part of UnitedHealth Group and were hacked in February 2024. Since 100M people were affected, there’s a good chance you received the same notice, too.
As October is Cybersecurity Awareness Month, what better time to receive such a letter?
People accept the risk of technology to optimize their interactions with companies. Technology is the last pillar of ESG for those companies, but you can’t see it since there is no “T.” Trust me, it’s there. Just like ESG issues underpin a business’s operations, there can be no doubt that technology does the same, often at the intersection of critical stakeholder relationships and interactions. As a result of technology’s deep integration into modern business, cybersecurity is a material concern. Like climate risk and carbon, it may be more material for some companies than others.
There are cybersecurity regulations and disclosures, too
Most ESG regulations attempt to produce comparable data for investors; sometimes that data relates to a company's own claims, and sometimes it informs investors about a crisis. For example, if you claim a product is low-carbon or climate-friendly, the disclosures can serve as supporting evidence or may show the opposite. A company may file an 8-K with the SEC about a particularly disruptive weather event if it materially impacts its revenues. From there, the event may affect the stock price.
This is how disclosure rules work, and they hinge on the helpful definition of materiality: information that might have led an investor to make a different decision.
With cybersecurity impacts and costs rising, the US SEC proposed a cybersecurity rule in early 2022, less than a year after the infamous cybersecurity attack on the Colonial Pipeline, which had to be temporarily shut down. This hack, enabled by a lack of multi-factor authentication (MFA) controls, showed the vulnerability of the US energy sector.
Adopted in the summer of 2023, the final rule (see the fact sheet) requires companies to disclose material cybersecurity incidents and describe the board of directors’ oversight of cybersecurity risk.
The proposal was intended to result in consistent, comparable, and decision-useful disclosures that would allow investors to evaluate registrants’ exposure to material cybersecurity risks and incidents as well as registrants’ ability to manage and mitigate those risks.
Since cybersecurity incidents occur constantly across companies, we already have some early examples of how they can affect a stock. In the latest round, we have an 8-K filing from UnitedHealth Group for the hack I mentioned earlier. UnitedHealth Group owns Optum, which owns the company where the incident happened, Change Healthcare.
The stock fell around the cybersecurity incident and kept falling until mid-April, by which point it was down 12% overall. From there, it recovered to its highest point over the past five years.
Still, if you were to read the WSJ, or even just the title of its article on this effect, “What is the Market Impact of the SEC’s Cyber Disclosure Rules? Not Much,” you might not see this swing at all. The WSJ used a one-day and a five-day moving average. Over those windows, the share price went up 0.1% the day after and dropped 6.2% over the following five days.
ESG issues aren’t near-term, yet these data points serve investors with shorter holding periods. Even the drop from February to April is shorter than the average holding period of 5.5 months.
Yet a long-term investor might remember that Optum Healthcare’s AI algorithm was reported to discriminate in 2019. That investor may also note that the board underperforms at dealing with controversy and that the company posts lower EBITDA numbers. However, it slightly outperforms its industry in Total Shareholder Returns and carbon intensity (per FreeFloat Analytics).
As the WSJ article calls out, investors use a mix of data, perhaps data points like these, to make decisions. This hack, one of the biggest ever, appears to be a transient crisis since the stock has already recovered. Yet three years after the Colonial Pipeline hack, the lessons learned about missing MFA, and the White House’s scrutiny of the issue, UnitedHealth Group’s breach was caused by, you guessed it, a lack of MFA. So, is this a transient issue or one that someone at the company should have been on top of?
This connection raises questions about board oversight of technology and about what other threats might be lingering. Again, the board’s expertise in this area is a material matter from the SEC’s position. For now, it seems investors are satisfied enough with other areas of the business to keep the stock climbing.
Point-in-time ESG crises might be similar
Climate risk may help explain how a cybersecurity breach affects a company. Both require board oversight as part of the company’s fiduciary duty, and both can be well-known but ignored risks with similar recovery times and fines.
According to IBM’s 2024 Cost of a Breach report, the average time for a company to fully recover is over 100 days. Breaches involving stolen credentials, like those common to MFA vulnerabilities, take the longest to contain at 292 days.
On the other hand, a climate event, like half a country being underwater, only slowed down Western Digital’s manufacturing in Thailand by 46 days in 2011. Within two months of a tornado disaster at its Rocky Mount facility, Pfizer was mostly up and running again. Pfizer’s stock was already on a downward slope then, so it is hard to tell its impact, but the company did note the incident in its 10-K this year.
Cybersecurity incidents may be more messy and complex than climate disasters.
A recent example of how a climate event impacted a stock is HCA Healthcare, which dropped 9% this past Friday after the company reported losses and lost revenue from Hurricane Helene. However, the stock is up 141% from this time last year.
Could HCA Healthcare be the next stock to bounce back up after its recovery efforts take hold, similar to UnitedHealth Group’s recovery from its attack? Investors might be asking this question.
Possibly, but it is worth noting two bullet items from HCA Healthcare’s 10-K this year.
• Our facilities are heavily concentrated in Florida and Texas, which makes us sensitive to regulatory, economic, public health, environmental and competitive conditions and changes in those states.
• Our business and operations are subject to risks related to climate change.
HCA Healthcare realizes the importance of its locations for several reasons and makes a broad comment about “risks related to climate change.” This is the only place in the 10-K where the word ‘climate’ appears. On the other hand, their climate risk report calls this out:
HCA Healthcare tracks and compiles data from weather-related incidents as part of our emergency preparedness efforts. We collect weather-related metrics in real-time to assess implications for business interruption and clinical continuity. For example, wind speed and other meteorological information is monitored in geographies vulnerable to hurricanes (like Florida, Texas, etc.)
However, looking at real-time weather data while keeping stakeholders safe does little against long-term risks, which can be addressed by proactive climate risk scenario analysis.
If you are a TCFD nerd, you will find hurricanes under acute climate risk in the report. Acute risks are transient events, which is an accurate category for hurricanes here, instead of longer-term chronic risks where the environment changes. Cybersecurity events can be acute transient risks or, if cybersecurity isn’t invested in properly, can turn into long-lasting chronic risks.
There is another parallel between cybersecurity and the climate that should have companies thinking of both as ESG issues: fines for regulatory non-compliance.
The SEC just announced that four companies would be fined for downplaying the damage from the 2019 SolarWinds hack. The fines aren’t high (the numbers are $4M, $1M, $955k, and $990k), yet they show how seriously the SEC is taking cybersecurity. We’ve seen sustainability-related fines around claims, but I’m not sure I’ve seen penalties for a company underplaying its climate risk.
It is worth noting that this is for an event that took place before the SEC’s cybersecurity rule. This shows just how material an issue like this can be and how your company must effectively communicate it to investors.
Is it the crisis, the management, or the odds it will repeat?
So, what causes investors to pay enough attention to influence the stock price when a crisis hits? Well, again, the WSJ calls out that:
Privately, traders say that cyber incidents only make up a part of their investment strategies, and in many cases play a minor role, depending on the scale of the incident.
It might be the pattern of issues, and I think it is fair to say that many investors feel similarly about ESG issues, depending on their materiality. Once an incident is folded into a broader analysis, other factors can win out. For example, UnitedHealth Group updated its Earnings per Share (EPS) in Q2 (July), which aligns with when the stock lifted out of its slump. This performance lines up with another quote from the WSJ article:
The heaviest negative swings in the sample tended to be those of companies that were already under pressure for other reasons.
In other words, broader ESG and financial issues could depress the stock over extended periods. If UnitedHealth Group had a cybersecurity incident but could still manage different areas of the business to profit, the stock would recover (and did).
So, what do cybersecurity disclosures show investors?
Just as ESG disclosures are backward-looking, so are disclosures around cybersecurity breaches, leaving investors continually looking to the past for what might come tomorrow.
This is one reason I like TCFD over other disclosures. It forces companies to think through the future and describe their efforts. However, it has its flaws. First, it forces the long-term perspective on only one area, the climate, though it could be applied more broadly if companies took the time to extend that thinking across the business. Second, TCFD reports can quickly become an exercise in ‘what are others doing,’ resulting in useless information.
To the first point, though, TCFD can provide context for thinking about long-term issues, like adapting cybersecurity efforts over time.
So, what are we left with? How can an investor or stakeholder ensure the company is well-managed and their data is protected?
Investors can take comfort in noting that transient crises appear to be just that, but again, in many cases, these crises are no little thing. Still, I would suggest weighing materiality accordingly to determine how best to gauge a crisis’s impact. If the company integrates technology with its key stakeholders and can’t succeed without it, cybersecurity is critical and can point to a lack of understanding from the board.
For the rest of us, ensure you keep an eye on your mailbox for the next cybersecurity incident. I’m sure it’s coming.