When will hedge funds become interested in the security posture of a company?

At some point the security posture of a company will be of great interest to hedge funds and investment managers. That is to say, they will want to know how secure other companies are and whether that could affect their investments.

The companies of interest are most likely to be publicly listed, although the question could also concern investment managers looking to acquire a share of a private company. For hedge funds and other managers with an appetite for more exotic investment vehicles, the security posture of a company could indicate a potential shorting opportunity (making a profit from the decline in a company’s share price).

GDPR

The EU GDPR regulation comes into force in May 2018 and is set to have a huge impact on how companies are punished for data breaches. The fines can be up to 10% of global revenue if a company suffers a breach of data containing personally identifiable information. This will affect all companies with a presence in an EU country (including the UK, even post-Brexit).

“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

Previous fines were of little consequence to companies. They may have suffered some reputational damage, but they certainly would not have stopped trading. The biggest impact that I can recall is that of the Yahoo acquisition. The recent breaches have certainly affected its valuation.

On February 21, 2017, Verizon agreed to lower its purchase price for Yahoo! by $350 million, and share liabilities regarding the investigation into the data breaches.

Source: Wikipedia

This devaluation is close to 10% of revenue, but not quite. The Yahoo breach is obviously pre-GDPR, but it does make me wonder how far valuations will drop after a company is fined 10% of revenue. Further deductions may be made if the reputational damage is deemed significant.

Hacking Tea Leaves

The question to consider here is at what point hedge funds will become interested in GDPR. I suspect some already are, but I’m not sure that many of them are interested yet. On the one hand, these investment companies will need to be aware of GDPR because they must protect client data or risk being fined themselves; on the other, GDPR is also a means of finding short sales and divestment events.

In order to find shorting opportunities, hedge funds will need to enlist the help of hackers and other information security experts. Investment managers will need to understand the attack surface of a company and whether it is likely to be hacked and hence suffer a breach of personal data.

The tricky part for the hackers will be to find the cracks via legal means. It is possible to gain a rough picture of a company’s security posture through open source intelligence gathering and by looking at its website (not testing, just looking). However, I suspect this will be the technique that yields the fewest results unless there is exceptionally low-hanging fruit. The process would be to cast a broad and wide net to find potential targets that suggest lax security (if you get an indication that a web server is running an ancient version of Apache or IIS, there is a good chance it has already been breached).

The Computer Misuse Act (and its equivalents) will make it hard to find the difficult cracks legally while residing in the UK or any other country with similar regulation. It is worth remembering that similar legislation does not apply in all countries. Just as tax arbitrage is used by some companies that create shell companies in, for example, the Caribbean, I suspect the same could happen here, with hackers located ‘offshore’ in order to carry out testing.

That is not to say that finding the difficult cracks is the only way to tell which companies will suffer a data breach. It will also be possible to trawl the dark web, and potentially even barter, for information that has already been discovered or leaked.

This has been reported to happen already, but I suspect it will happen more in the future.
