Do Companies With Data Breaches Belong in ESG Portfolios?

Socially responsible investment funds have become popular with investors over the past several years as buyers seek to align their beliefs with their portfolios.

According to a report from Morningstar, sustainable funds averaged $924 million per month in net flows during the first five months of 2018, nearly twice 2017’s monthly average of $532 million, and well above the average monthly flows of $236 million from 2015 to November 2016.

Some of the biggest[1] mutual funds that focus on environmental, social, and governance practices (known as ESG) tilt a bit more toward the technology sector than the broad S&P 500 stock index. For example, two of the more sizable large blend equity ESG funds, the $4.9 billion Vanguard FTSE Social Index [VFTSX] and the $5.2 billion Parnassus Endeavor Investor [PARWX], have a 30% and 28% technology weighting, respectively. By comparison, the S&P 500 technology weighting is 23%.

Technology was often an easy choice for ESG funds, since technology is likely to score well on environmental matters. However, with increasing missteps, such as data breaches and privacy concerns, do these technology companies belong in ESG portfolios, and is a negative market reaction expected?

Breaches have accelerated in the past few years, as seen in the chart below:

However, not all data breaches are the same. Breaches resulting in stolen financial information tend to be more expensive to remediate. A recent severe example is the September 2017 Equifax breach, affecting 145 million individuals. This cybersecurity incident cost Equifax [EFX] $164 million in 2017. The company expects an additional $275 million of costs related to the cybersecurity incident in 2018, for a total of $439 million over 16 months. These costs, which include investigation, remediation, and increased IT, security and insurance costs, are expected to be partially offset by $100 million in insurance proceeds. Litigation costs, penalties and/or fines are not included in these totals.

In more recent data breach news, on August 24, 2018, T-Mobile US, Inc. [TMUS] and its Metro PCS alerted customers about a potential security breach that may have exposed certain personal information. T-Mobile said the breach was found and shut down, and no financial data, Social Security numbers or passwords were stolen. However, names, phone numbers and account numbers were potentially vulnerable.

In all, about 3% of T-Mobile’s 77 million customers may have been affected. After the news, T-Mobile share prices dipped slightly from their 52-week high of $66.24 but have since rebounded.

The T-Mobile breach isn’t considered as severe, nor is it expected to be as costly, since credit card information was not stolen. Still, investors and analysts shouldn’t downplay this or any breach, as breaches are problematic and could be a sign of weaker internal controls. This could impact the G, or governance, part of a company’s ESG considerations.

In the past, data breaches have had little market reaction.

This indifferent attitude could be changing, though. A June academic paper titled “Do Firms Underreport Information on Cyber-Attacks? Evidence From Capital Markets” (accepted for publication by Review of Accounting Studies) says investors are more likely to punish firms that withheld data breach information that was later discovered, versus those that report that information right away.

The authors, using data collected by Audit Analytics, found that “damage in the withholding cases, which is 1.81% of the market value of equity, is larger than in the disclosing cases, 0.62% of market value of equity.”

Going back to the Equifax breach, there was a sharp drop-off in value, with shares falling as low as about $89 from $143 the day before the news. Share prices have rebounded since and now trade around $133 but are still off the 52-week high.

Generally, transparency is considered a strong attribute in the governance factor of ESG, so investors who follow ESG principles may be among those punishing firms who foot-drag on releasing negative information like data breaches.

Since managers have incentives to withhold negative information, the report’s authors say “evidence is consistent with managers not disclosing negative information below a certain threshold and withholding information on the more severe attacks. Using the market reactions to withheld and disclosed attacks, we estimate that managers disclose information on cyber-attacks when investors already suspect a high likelihood (40%) of an attack.”

Although we focus on cyber data breaches in this post, this rule also applies to privacy issues in general, which have become a large focus for ESG investors. Facebook [FB], which has encountered a string of data privacy-related embarrassments, recently made headlines for providing (without permission) the personal data of 87 million users to Cambridge Analytica, and sharing data with device manufacturers, including Huawei, an action considered as a national security threat by U.S. intelligence.

Facebook’s actions affected second quarter earnings as the firm’s reported sales and user growth numbers were short of analysts’ expectations, causing share prices to tumble. From its 52-week high of around $210, Facebook eventually fell to about $166 on July 24 and has only risen roughly $10 per share since.

In a U.S. News & Report story from August 9, 2018, Trillium Asset Management, an ESG investment fund, said they filed a governance shareholder resolution that would require Mark Zuckerberg, Facebook’s founder, chief executive officer and board chairman, to step down as chairman in an effort to limit his power.

Alternative data provider Eagle Alpha has also seen an increase in interest in ESG datasets in recent times. CEO Emmett Kilduff commented: “The ESG data category was the latest category to be added to our database and has been one of the fastest growing categories through 2017 and the first half of 2018. As well as ESG funds, demand is also coming from funds with a broader investment remit, both quantitative and fundamental funds.”

As the technology sector matures and concerns around data breaches, privacy and other issues become a more important part of a company’s business and internal controls, ESG investors will need to take how these failings affect companies more seriously and consider whether violators belong in ESG portfolios.

This article was first available on FactSet to subscribers of our Accounting Quality and Insights.

1. In terms of assets under management