The US Dept of Commerce is at it again. Proposed changes to the Wassenaar Arrangement threaten to classify security technologies or information related to vulnerabilities as weapons requiring an export license. Google’s Security Blog brings up some good bullet points (see the post for the full write-up) as to why this is a bad idea:
Rules are dangerously broad and vague.
You should never need a license when you report a bug to get it fixed
Global companies should be able to share information globally.
Clarity is crucial.
These controls should be changed ASAP.
Information Security professionals are surely upset at the idea. The investment community is not going to be happy about this either. Investments in security startups might be in jeopardy, since that great new idea is going to become a lot more expensive to bring to market. There is also the added overhead of compliance with regulations. Most startup founders aren’t counting on having to fill a Chief Compliance Officer role just to sell their product.
Established corporations hire advisory firms to determine the best tax structure for setting up offshore subsidiaries. If we continue on the current path many venture funds and entrepreneurs will need to shift their focus outside the US. That Swiss-Lux entity structure might be good for more than just taxes. It may keep the regulators out of your prized startup. If you’re an investor you might get an even bigger ROI by considering funding companies outside the US.
Entrepreneurs with that great security idea should have the headquarters discussion with their investors, tax advisors, and legal counsel prior to incorporating. Depending on where we are next year, 5 years from now, or farther out, the decision to start up in Switzerland or any other country that is more friendly towards your work might be the thing that makes or breaks your Round A funding.
When searching for another country to base your operations out of, you may wish to consider evaluating:
Whether you want to live there (weather, traffic, crime, pollution)
Evaluating the political & regulatory environment for your product
Hiring a political consultant or lobbyist to find out what the politicians are saying about your product or service
Tax advice for local corporate and personal income tax rates and Expat tax treatments.
An Enrolled Agent can help you with personal taxes
A Certified Public Accountant who caters to expats can also be valuable
You’ll need a local resource for corporate taxes in your new country
Legal counsel in your destination to help obtain an investor’s visa and the road to citizenship (if desired)
The education and talent pool in your chosen country and city
Sales strategy. Now that you’re in Europe or Latin America is it better to sell local than back to the US?
Starting a company or being an early stage investor is becoming more complicated. Big corporations face these issues and decisions often. Sometimes the path of least resistance is to shift your place of business outside a regulatory regime rather than deal with the high compliance costs and potential fines that can derail your investments.
ANTM has produced better than expected EPS of $3.14 actual vs. $2.686 estimated. Enrollments are up 38.5 million and specialty business is up by 555,000 members. Revenue is up 6.8% to 18.85B.
No analysts asked any questions concerning the data breach. Almost all the questions were on future business opportunity, which suggests that the street is more concerned with where things are going rather than where they’ve been.
The good news has produced a gap up in premarket which just crossed above the trendline.
If we have a strong open we could see the current upper trendline become a new lower line.
Relative to Health Care Select Sector SPDR (XLV) and iShares U.S. Healthcare Providers (IHF) ANTM continues to be a strong performer.
Security departments are besieged on all sides by any number of threats. There are many countermeasures that can be taken to reduce the impact of these threats. One we hear of quite often is security patching. Many people in Infosec say it is the most basic action that can definitely improve your security. When we look at the news, many problems could be prevented by good patching. Why does everyone have a hard time with it?
Patching in itself is relatively easy. The difficult part is that it has many dependencies that mislead us into thinking the cost is minimal and the ROI is extremely high. Large organizations may have a difficult time with asset inventory. Indeed, in very large organizations you find a team that handles nothing but the CMDB and asset inventory. You can’t patch what you don’t know about. Then there is the complexity of testing and obtaining change approval. Then you have to go back and audit or scan production, requiring another change approval, to verify everything was patched successfully.
Needless to say for a large company this can be a daunting task, which is why it is seldom done “right” according to many security professionals. For small companies it isn’t a matter of doing all of the above. It is about affording all of the above. Let’s run through a hypothetical scenario at a small company.
We have a small company that is in a mostly unregulated environment. They are a Business Process Outsourcer for some non-confidential data. As a result they have not had a business need to implement any security at all.
Controls should never cost more than the value of what they are protecting, and controls should absolutely never result in a profitable business becoming unprofitable just for the principle of “doing it right”.
The customer currently spends $5 million in Year 0 to perform leasehold improvements to build an outsourced data processing facility. Net Cash Flows (CFs) are $2 million per year on a 7 year contract. We will assume that all of their customers will have the same expense and revenue profile. We will leave out the rest of the Income Statement and Balance Sheet data and concentrate on knowing the outflows and inflows.
We will use Net Present Value (NPV) to determine if adding security is affordable or not. NPV is one of many simple methods of determining if a project is worth it from a financial perspective. Internal Rate of Return (IRR) is also another measure. Ideally a Financial Professional will use several different calculation methods, but a small business may choose only one to reduce time and complexity. Generally speaking if NPV is above 0 the activity is considered profitable and you move forward with the project. If you have two mutually exclusive projects then the one with the highest NPV should be chosen. If NPV is negative the project will not be profitable and it would be desirable to sit on cash rather than move forward with the project.
We assume our Weighted Cost of Capital (WACC) is 10% for all calculations for simplicity.
In Scenario 1 the customer processing network has no firewall or IDS/IPS, and no patches are installed at all during the life of the project. We have our outflow of $5M with inflows of $2M/yr for 7 years. The business has a positive NPV of $4,736,837.64. This is our baseline for determining what we give up by adding more security.
In Scenario 2 the self-regulating association of vendors decides to require internal firewalls to separate the BPO network from the corporate network and the operator’s choice of IDS or IPS. To accommodate the new regulations we add a pair of firewalls, IPS, and Host IPS for a final cost of $500,000 for equipment and installation. Since this is part of the build out phase it is added to the cost of the startup of the business in Year 0. We can see that there is a reduction in NPV, but since this is a regulatory requirement the organization has to live with reduced profits.
In Scenario 3 the company has a new customer that asks in an RFP how the company handles vulnerability management. Even after the enhancements in Scenario 2 there is no vulnerability scanning or security patching taking place. We will add security patching. Quality of customer contractual deliverables and time to deliver are the key drivers, so cost must increase in order not to compromise those drivers. That’s realism. Quality, Time To Market, or Cost. Choose Two.
We assume that additional personnel such as developers and quality testers will be required to make and test changes if patches break key functionality. We will also have to hire system engineers and deployment engineers, cross-train additional data center personnel such as customer support, and formalize a Change Advisory Board.
We assume that total additional personnel will offset profitability by $1M in salaries and other expenses. Since this will be an ongoing cost we will need to reduce CFs in each year after the project goes live.
By adding security patching to the project we have brought a negative NPV which means the project is not profitable and should be avoided. As mentioned earlier the business is relatively repeatable with similar profitability from customer to customer. This means that without cost cutting in other areas or increasing the profitability of existing customers (e.g. charging them more for what they’re already paying for), the addition of security patching will cause loss of profitability and eventually lead to bankruptcy. That’s right, a small business may not be hacked out of business but they will be patched out of business.
In the scheme of things, not patching was a very low-risk scenario here. Activities were taking place on an internal network, so there were other controls in place that an attacker would have to get through before reaching systems that held no PII in the first place.
If we look at probability we first need to consider what the odds are of a bad actor reaching the perimeter. Then we have to look at the probability of them defeating each control. If we look at the NSS Labs IPS ratings we see that the better products are 90%+ effective. So let’s assume that we enable the IPS software blade on the firewall, along with Network IPS, and the Host IPS all in block everything mode. We’ll pretend that all of them are 90% effective average. The odds of someone getting something past all 3 IPS is (10/100)^3. If we assume that they need to install some kind of C&C software we can throw in our anti-virus blades on all 3 controls, and assuming 90% effectiveness there our odds become (10/100)^6 of anything bad happening or 0.00010% per roll of the dice. This is a very simplified probability model, but if you are a small business you will have to go with the ratings by independent labs or with what the vendors tell you.
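The three NPV calculations and the layered-control probability model above, carried through in code. This is an added example, not code from the original post; the cash-flow figures and 90% effectiveness ratings are the post’s own illustrative numbers, and the function names are mine.

```python
"""NPV of the three security scenarios and the stacked-control bypass probability.

Added worked example. All dollar figures are the post's illustrative numbers
(constructed, not real financials); WACC of 10% is the post's assumption.
"""
from typing import Dict, List

WACC = 0.10  # weighted cost of capital assumed in the post


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value: cash_flows[0] is the Year 0 outlay (negative),
    cash_flows[t] is the net inflow at the end of year t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def scenario_cash_flows(build_cost: float, annual_inflow: float,
                        annual_security_opex: float = 0.0,
                        years: int = 7) -> List[float]:
    """Year 0 outlay followed by `years` net inflows, each reduced by any
    recurring security staffing cost (Scenario 3's extra $1M/yr)."""
    return [-build_cost] + [annual_inflow - annual_security_opex] * years


def scenario_npvs() -> Dict[str, float]:
    """NPV of each scenario, rounded to cents."""
    base = scenario_cash_flows(5_000_000, 2_000_000)
    # Scenario 2: +$500k of firewalls/IPS/Host IPS added to the Year 0 build-out
    firewalled = scenario_cash_flows(5_500_000, 2_000_000)
    # Scenario 3: Scenario 2 plus $1M/yr in patching personnel
    patched = scenario_cash_flows(5_500_000, 2_000_000, 1_000_000)
    return {
        "scenario1_no_controls": round(npv(WACC, base), 2),
        "scenario2_firewall_ips": round(npv(WACC, firewalled), 2),
        "scenario3_plus_patching": round(npv(WACC, patched), 2),
    }


def layered_bypass_probability(effectiveness: List[float]) -> float:
    """Probability that one attempt gets past every control in the chain,
    under the post's simplifying assumption that controls fail independently.
    effectiveness holds each control's block rate, e.g. 0.9 for 90%."""
    p = 1.0
    for e in effectiveness:
        p *= (1.0 - e)
    return p


if __name__ == "__main__":
    for name, value in scenario_npvs().items():
        verdict = "proceed" if value > 0 else "not profitable"
        print(f"{name}: ${value:,.2f} ({verdict})")
    three_ips = layered_bypass_probability([0.9] * 3)
    six_layers = layered_bypass_probability([0.9] * 6)
    print(f"past 3 IPS layers: {three_ips:.6f}")
    print(f"past 3 IPS + 3 AV layers: {six_layers:.8f} ({six_layers * 100:.5f}%)")
```

The NPV helper treats the discount rate and the cash-flow list as inputs, so the same function can be rerun with a different WACC or contract length to see how sensitive the "patched out of business" conclusion is to those assumptions. The independence assumption in the probability model is the weakest link: controls that share a signature feed or a misconfiguration fail together, which is why the post calls it a very simplified model.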
In our recommendation to the C-Suite and the Board’s Compliance Committee we chose Scenario 2 because it is compliant, bad actors have a higher bar to cross than in Scenario 1, and it does not destroy shareholder value. Compliance does not equal good security, but in this case compliance keeps the money flowing and doesn’t hand the shareholders a big zero.
If you are a big company, you are most likely aware that your vendors may be the ones to introduce an intrusion into your network as we saw with Target. What large companies that have a lot of money may not realize is that their supply chain may go broke if they put in what most CISOs would consider reasonable. This is what happens when you force a bidding war and a race to the bottom. The cheapest solution is not a Cadillac. If you are getting a Cadillac for below par, expect your vendor to go out of business eventually or be snapped up by an Activist Investment Firm or a company controlled by activists and give you the Chevy you deserve.
Dark Reading has coverage of the potential for security concerns to really mess up your M&A world. In short, based on the damage we have seen to publicly traded companies it is likely any damage might be amplified if the acquisition target is very small, but it will not be fatal.
It may be hard to ever know if the breach has or will materially impact the closing of Slack’s latest funding round. But one thing you can bet on is that as large-scale breaches continue to gain awareness in the board room, M&A and other investment deals may include security contingencies to cover investors’ backsides.
While it is true that we may never know what happened, you can be sure that investors will be including many contingencies to cover their backsides regardless of information security. There may be a lot more due diligence on the front end.
Increasingly, financial experts believe that the examination of a company’s IT security posture should be as much a part of the due diligence process prior to investment or mergers and acquisition activity as an ROI analysis should be.
There’s certainly nothing wrong with that advice, but if we use a real estate analogy it may be difficult to do a complete due diligence. If you are in a hot housing market you have a limited amount of time to get the house inspected before someone places it under contract. After being outbid on three houses, are you going to do a full inspection to find everything wrong, or will you settle on the fact it doesn’t have termites and it was at building code when the original construction was completed? If you don’t get the fourth house you might be in an apartment a little longer. For a company that could be a big missed opportunity.
In company terms, the scenario is very similar. Your institutional investors on Wall St. will come to you with a list of companies that they believe are ripe for consolidation. More than likely a similar list has made its way to your competition by a different group of analysts at the same firm. Even if that is not the case, all of the information that institutions use is easily accessible so you can be sure your competitors are receiving the same information from someone else.
Now the race is on to buy the best company in the list. With a limited amount of time available you probably won’t make it past the financials and answering the question: will owning all or part of this bring the wrath of the Department of Justice for violating the Sherman Antitrust Act, or even the USA PATRIOT Act? If you’re buying a foreign entity you will also need to check with the Office of Foreign Assets Control (OFAC) and verify that there is no bribery going on that violates the Foreign Corrupt Practices Act (FCPA).
Business acquisitions are for just that, business. Does the target company put us in a new geographic region? Do they have some patented device we need to own? How secure their systems are or even what kind of technology they have is unlikely to come up until after the deal closes. Every minute you spend turning over stones looking for scorpions is time for a competing firm to drop a bid on their Boardroom. Eventually you have to press the Buy button. Always remember the value of a business is based on future performance, not past.
One technique is to acquire the assets of the business, rather than the entire business. This could be a factory, a software development studio, a patent or other part of the business. A buyer avoids other liability such as existing debt or pending litigation. This also works out for the seller if they are changing direction such as selling a plant that makes vehicle transmissions and buying a distributorship for said transmissions.
Seller financing is also relatively common, especially with small businesses. It can also be combined with a down payment, then interest + principal payments. It would be slightly different than buying shares in that the seller would be collecting interest rather than participating in several selling rounds. The buyer would benefit from the interest payments since it’s better to use debt rather than equity from a Weighted Average Cost of Capital perspective.
Another approach is a staggered buy out of shares or ownership interest. For example, an acquirer may offer to buy 100% of a target company over a period of 5 years (20%/yr) with financial performance benchmarks aka an “earn out”. This provides a safety net if the market for the target’s goods or services declines or if there is a foreign currency decline if it is an offshore business. It is possible to have a 40% investment in something that has gone stagnant, but that is better than a 100% investment. It is also possible to have the seller make a personal guaranty to buy the company or shares back at a certain price at any time prior to 100% of the company being acquired.
Sometimes a buyer may enter into a transaction and begin divesting assets to raise cash and reduce risk. A good study is the case of investor Ronald O. Perelman. One of his first deals involved buying a jewelry chain for $1.9M of debt and then selling off the retail segment. Why buy a business to sell off the retail? In this case the wholesale business was the valuable part. You sometimes have to buy the whole pie, take the slice you want, and sell the rest. It worked out well for Mr. Perelman since the whole transaction was worth $15M in gains. Sometimes the parts sold individually are worth more than the whole. Keep an eye on this guy. He definitely knows how to work good deals for good.
Using legal engineering to reduce risk is another technique buyers can use. A buyer would establish multiple subsidiaries to carry out the transaction of a higher risk business. For example if you are buying a company, your holdings company can establish two subsidiaries. Subsidiary A can acquire relatively safe assets such as parts manufacturing, while Subsidiary B can buy the more risky assets such as an oil drilling operation. If it blows up, only Subsidiary B will be affected. Subsidiary B can be sold off at a later time if the company wishes to reduce risk or raise more cash.
Think of these scenarios in the context of buying a software company that did have a data breach. You buy the entire company to get the patent portfolio, then sell the building and source code to someone else. You can charge the buyer patent royalties and obtain an income stream from them. They now own a building, employ some developers, and have some source code they can license to their customers. If a foreign entity acquired that source code and will be going to market in 2-5 years with a home grown solution using the stolen know how, what is your risk? You own some patents and can litigate anywhere that the law is on your side. The party you sold the building and source code to might be in bad shape in a few years due to competition, but as an investor that’s not your problem.
Anytime you buy a new car, remember that it will one day be a clunker that breaks the moment it is driven off the used car lot. Professional investors know when to flip a business for break even or a profit after riding it for cash flows for a few years. Professional investors are well aware of what they’re buying and will begin carving off anything that can be sold for a good price or that will reduce their risk. Will cyber problems scuttle M&A? Not very likely in the short term.
@Lerg did an excellent job at #BSidesATL discussing the digital afterlife. Anytime we lose a friend or loved one it takes an emotional toll on everyone. Helping friends and family through tough times is also something we do every day, but helping out during a tragedy is something that takes a special kind of person to wrestle with personal grief while helping others. He definitely deserves several rounds of applause for his hard work.
Our finite existence can be an uncomfortable topic, but it’s important that you speak to family members in advance and discuss the topic fairly often as financial or family circumstances change. Eventually you will be handling final affairs for a grandparent, parent, sibling, or child. Also keep in mind that someone will eventually be handling your affairs too. It’s important that your immediate and/or extended family understand what your plans are and that those plans are written.
I have had to deal with similar issues when my father passed away. We spent some time going over his final wishes, advance planning, and revising those plans approximately every 5 years. If you have small children this exercise should be done every 1-3 years. @Lerg did a great job describing some of the issues he ran into and I wanted to share my experiences with this unpleasant topic so you can quickly deal with the situation and try to get back to what you were doing before.
Determine where to store important documents
If you need the documents you need to know where to find them. Keeping original documents in a residence is not necessarily the best plan; in the event of fire or flood they could be lost. A bank safe deposit box is an economical solution. You can have multiple authorized individuals on the account, which will allow your estate manager or POA to get access to the documents. If you live in a flood or wildfire area you may want to have a second copy of the documents sent to a relative or attorney outside the disaster area. You can also store passwords on paper or on a USB drive, either in a text file or using a password safe like KeePass. Be sure to write down any password needed to access the password safe. The safe deposit box solution worked for us, and it was assumed the most recent copy of the documents would be in the box should they be needed.
Make a list of utilities and other payees
Having a list of bills that need to be paid will save your survivors a lot of time and effort. If another family member is living in the house or apartment you don’t want the power or water to be turned off. It will also help them decide which things can be cancelled or switched over to their name. If you are switching the name on an account be sure it is done in a timely manner. My father left both of his parents on several bills which required another trip to the Probate Court to obtain another set of death certificates.
Make a list of contractors and service providers
This was something we did not have because we didn’t think of it at the time. If you have a regular service company for HVAC, lawn care, etc. this can be very useful. If there are annual bills for a maintenance agreement or pest control that will help out a lot. But if you need the heater fixed in the middle of winter it might be preferable to go to the company it was purchased from, because they’re potentially going to be an exclusive Lennox, Carrier, or other dealer and may have past repair records. I haven’t been able to find any original purchase documents for big ticket items like A/C, heat, or what looks like a fairly recent roof replacement. Something like a roof should have a warranty and typically has a lifespan of up to 20 years before needing to be replaced. Your survivors won’t need this immediately, but it’s going to be a big help when the house starts to fall apart at a later date.
Make a list of tenants
If you have renters make sure your family knows who they are and whether the routine is for them to mail a rent check or for the landlord to collect it in person. A classmate offers to collect rent from his tenants in person by travelling out of state on business (he’s a salesman). He gives them a discount for cash payment only on the 1st of the month. Interestingly enough he has 100% compliance from his tenants. If you inherit some rental property out of state you’ll need to know about it and possibly outsource to a property management company. Also keep in mind your tenants may be farmers who are renting land to keep their livestock on. The horses weren’t much help in identifying who was paying the rent. They were cool to hang out with when things were frustrating.
Prepay funeral expenses
This is also something that will help your family when the day comes. It’s one less thing to worry about. Keep the documents in your safe deposit box. My father never discussed this with me but it was a relief to find a binder with all of the paperwork showing the funeral was paid in full 20 years before it was needed. Like taxes, funeral expenses always go up because there’s less dirt for cemeteries as time goes on. Paying today can save a lot in the future. Life insurance is useful in covering these expenses, but you’ll need to wait for the check to arrive. Putting the funeral on a credit card or having to settle for a cheaper cremation because your survivors don’t have the cash on hand is something you don’t want to put them through.
Dispose of junk regularly
If you live in one place for 20 years or more you’ll have a lot of stuff that builds up over time. Family photos and scrapbooks take up space, along with that lawnmower that halfway works but is the standby in case the lawn tractor breaks. Much like cleaning out the closet of clothes you don’t wear anymore, clean up the house on a regular basis. Having a “retention policy” is something that will save your survivors time. If you haven’t looked at your children’s report cards from 1st grade and they’re now over 40, you more than likely don’t need to hold on to that stuff. One relative has said her parents have so much junk that the opportunity cost of sorting through it is not going to outweigh the convenience of throwing everything, including furniture, into a dumpster and putting the house up for sale in less than a week. If you’ve got something truly important you want to pass along be sure it will be found, otherwise it’s going to be in the junk heap. Old family photos of the great great grandparents can be scanned and originals can be gifted to other family members. Think of creative ways of reducing clutter. Those childhood photos of siblings should be retained for blackmail and embarrassing them in front of their spouses and children.
Cash and life insurance
Death certificates cost more than a photocopy since they are on watermarked fancy paper. Your survivors will need one per payee and life insurance provider. If you have 10 credit cards you’ll need a death certificate for each one. Putting some cash in the safe deposit box can go a long way towards covering this cost. Filing property deeds or vehicle titles to change ownership to survivors should also be factored into how much cash you leave behind. Life insurance amounts should be thought out in advance. Do you want to support a spouse for 2 years, until the kids turn 18 and go to college, do you want part of the insurance to go to their college fund separately from family support? Talk to your family and if necessary a broker or financial planner.
Term Life vs. Whole/Universal Life
Generally speaking, if you are making plans in advance, term life is adequate. The major difference is that term life is in effect for the term period, which can be 10, 20, 30, or more years. When the policy expires you get nothing back. Universal or Whole Life acts like an investment vehicle where you can cash out the policy at a later date. Term is very inexpensive as there are many insurance companies competing for money. A recent quote I received for $1M in coverage for a 10-year term from age 40-50 for a non-smoker with cholesterol of less than 200 was about $50/mo. If your cholesterol is over 200 it isn’t that much more expensive, ~$10/mo extra, and I found a few insurance companies that would give the discounted rate if you were on medication regardless of where the number was. Shop around to get the best deals.
Check credit cards for life insurance
They’re generally a waste of money, but many credit cards have as an option unemployment and life insurance that makes the minimum payments or pays the balance in full. Before writing a check to pay off any credit card bills check to see if one of these policies is in force. If you’re worried about leaving credit card debt to your survivors, go get a term life policy rather than one of these.
Have a fax service or throw away email for correspondence as executor
This will keep everything organized. My father gave a lot to charity and he was constantly getting junk mail (the paper kind). You’ll have to contact each one of these organizations and tell them to stop sending mail. In most cases this takes 3-4 weeks for the mail to stop since it is an outsourced service for most charities. Some charities will simply stop sending mail, others will write back with condolences, and others will add YOU to their mailing list because you initiated contact with their organization which means you want to receive SPAM or paper mail.
Setup “Pay on Death” with your financial accounts
Many banks and other institutions allow you to have a “pay on death” setup for your account. This can be an estate or Trust, or it can be a named individual. In the latter case you can have a savings account go directly to your niece rather than be passed along through the will. It can also be very useful to have a beneficiary named on your bank account so they can continue paying the bills and attend to the property. In this case the beneficiary would simply show up at the bank with a death certificate and would not need to wait for the will to be processed.
Beware of the dreaded Medicaid clawback rule
If you have to take Medicaid the government can seize your estate after you pass away to make back the money it spent on you. This reaches back 5 years before your first claim so even if you did conduct some fancy legal engineering they would still be able to take your property. If you or a relative might go on Medicaid in the future it’s something to have a family discussion over today, especially since the new Medicaid has fine print. This is why you should consider giving away your estate in small percentages earlier in life. Nolo has more details on the tax advantages and the mechanics.
Determine the need for estate documents and the level of expertise needed.
Depending on how complex your estate is you may want to consult an attorney to design a Last Will And Testament (LWT), a Trust, or a corporate entity for you. You may also opt for a DIY solution such as LegalZoom or WillMaker from NOLO.com. In all cases you will want to read the final copy and be sure it makes sense. I have seen some LWT documents prepared by an attorney that have had the order of executor/executrix wrong and have left siblings out of the will. You’re less likely to run into this issue if you use a website or a software package to generate your documents. The downside is that there is a potential the tool you are using will give incorrect results. You’ll have to weigh human (lawyer) error vs. machine error in your decision.
While you’re at it you should have a durable power of attorney (POA) so a family member or trusted advisor can manage your bills if you are hospitalized and can’t take care of this yourself. After my father had a stroke I was able to go to the bank and take over his accounts and continue paying the utility bills while he was in the hospital, with a doctor’s letter and the POA. If you have a joint signer on the checking account, this is one less step to go through since one or more names are already authorized.
A Health Care Directive (HCD) is also important in the event you’re in a coma and can’t make medical decisions on your own. The state government in Georgia has a form that you can easily download and fill out. Most other states have these available as well. You’re more likely to suffer disability than death in the course of your normal day. Have a serious talk with your family if you want life support discontinued. The complication you may run into is that someone may not want to give the order to discontinue life support. If your family disagrees with your choice, have an attorney or a friend designated as your advocate in the HCD. Make sure the family physician also has a copy of the document. If you’re going in for voluntary surgery the hospital may ask if you have an HCD. It’s a good document to have and in some ways can be more important than a LWT.
Two areas that receive relatively little discussion are Trusts and corporate entities. Trusts are slightly more expensive than a LWT but offer additional benefits. You should speak to an estate planner or do some independent research if you want to walk down this path. A Trust is a legal entity similar to a corporation but not as complex. Trusts can be revocable or irrevocable. Use cases can vary so explore all the possibilities. Revocable trusts are great if you don’t want to put up with the hassle of probate, and they do afford some additional privacy. Some estate planners state that a trust is overkill for the average middle class family. If you’re reading this, you’re probably not average. Trusts will cost a lot more with a lawyer, but if you use WillMaker or Nolo.com it can be done for a lower price as many times as you need.
Another interesting area that I learned about in an undergraduate intro to the business environment is creating a corporate entity and transferring all your assets over to it. The most common way of accomplishing this is through a Family Limited Partnership or FLIP (Kelly/McGowen BUSN 2009 Edition). There are some advantages even though there are some complexities. According to the lecture material many Midwestern farmers use this structure to pass along a large farm and avoid the death tax. This is done by having the parents as the general partners while the children are designated as limited partners. The parents transfer ownership up to the maximum allowed without gift taxes over a period of years. When they pass on, the children inherit only 1% of the estate since they already owned 99% of it. Limited partners have no voting rights, which makes this a better alternative than signing over property deeds, because once the kids own the deed outright they can evict you and sell it. If you have a semi-bad relationship with your children this is a better alternative. This is normally the realm of the wealthy due to the perceived complexity, but there are many companies that help set these structures up. Here’s an illustrative example, not an endorsement. Be sure that you’re working with a company that caters to your level of wealth when doing the research, and don’t over-buy a corporate structure for what you have today. Do make sure it’s flexible enough to add to later on. A family corporation is my preferred method because once set up it doesn’t require any documents to be notarized; board meeting minutes become the heart of your plan. A family corporation is also much like a clan that has been codified in western law, which means you can have fun and make all your relatives cosplay at the meetings. That’s optional of course.
This would be a side letter attached to a POA or other document. We all have things we don’t want our relatives to get their hands on. Be sure you have someone who can “dispose” of your confidential materials on your behalf.
“The End” is an unpleasant topic, but any work you can do while you’re alive to make it easier on your survivors will be worth it.
Many organizations are discovering the benefit of Property/Casualty (P/C) Insurance. Premiums have been growing for the past three years, but growth is expected to be flat in 2015. Underwriting has peaked, and with any abundance of supply the prices demanded in the market will stabilize and potentially fall. Fewer disasters have also led to a decrease in market volatility. This could be the beginning of a market downcycle, which would be great for purchasers of insurance.
It isn’t completely bad for insurers as there is greater demand to go along with greater supply. According to Robert Hartwig at the Insurance Information Institute, new carriers will be entering the cyber market. He is estimating there are 50 companies offering some kind of cyber coverage and expects another 25 by the end of 2015. Overall this is great for buyers of insurance. SMBs will be a large growth component in the insurance market due to ease of adding coverage relative to capital purchases and staff increases. More affordable cyber insurance and general environmental disaster coverage will play a large role in balance sheet defense as cold weather and internet storms become more common.
This week in M&A, Heinz & Kraft are joining forces to create a powerhouse of food, brought to you by Warren Buffett and 3G Capital. You could say they’ll be big enough to stock a huge buffet! With any full merger you’re going to try to obtain “synergy”. With something this big it’s going to feel like the activists are in control. From the news release:
The significant synergy potential includes an estimated $1.5 billion in annual cost savings implemented by the end of 2017. Synergies will come from the increased scale of the new organization, the sharing of best practices and cost reductions.
Synergies can come from a variety of places, such as selling real estate and closing facilities. Employees can be synergized as well.
They will have to be aggressive in synergizing. Citi says they have an uphill road to walk.
Market share is falling in categories that represent over 65% of sales.
Volumes are declining.
There’s no apparent strategy to enter the growing organic/natural foods category.
The stock is expensive.
Kraft’s earnings per share could fall by as much as 70c in 2015, and the analysts expect flat year-over-year EPS in 2015.
It gets even better. Notice what must go along with the deal (emphasis ours).
In our opinion, if there is a deal, it must be centered on a dramatic cost cutting opportunity as the potential valuation looks extremely lofty. To a degree, Kraft’s vast center of the store portfolio could help 3G’s Heinz better leverage costs and generate synergies. Moreover, within the current Kraft business there still is an opportunity to improve productivity and streamline costs to transform it into a low cost producer.
Kraft should be familiar with the importance of keeping shareholders happy. Bill Ackman’s Pershing Square has held shares of Kraft in the past and pushed for the breakup of the company. Trian Fund Management has also been involved in activism at Kraft. They will need some guidance from the pros in cost cutting if they want to pull off a successful merger. We’ll have to keep an ear out as to how well their IT department will be doing over the next two years while they are being synergized.
$TGT has successfully entered into a settlement arrangement for $10M for the Polar Vortex Data Breach. USA Today has provided a copy of the 97 page court document. This is a huge win for $TGT and for their law partners Morrison & Foerster LLP (MOFO) and Faegre Baker Daniels LLP. It’s also a win for the shareholders. According to current data there are 641,739,000 shares outstanding. If we spread the $10M settlement across shares outstanding we get about .0155 as the effect on EPS. This is very minor since last quarter EPS was 1.50 vs. expectations of 1.46. Giving up a penny and a half of EPS to put this to rest is a major win for shareholders. $TGT is also at a 5 year high. There appears to be little stopping them now that the adventure into Canada is over.
Don’t take my word for it. Everybody else on StockTwits says this is Bullish. Everybody.
We have a question from #DTsR listener @fsmontenegero regarding security and efficient market hypothesis. That is a very broad topic that could go in many different directions, and the ambiguous answer is one that people are sure to dislike.
Efficient Markets Hypothesis (EMH) via Investopedia:
…defined as a theory that it is impossible to beat the market because stock market efficiency causes existing share prices to always incorporate and reflect all relevant information. According to the EMH, stocks always trade at their fair value on stock exchanges, making it impossible for investors to either purchase undervalued stocks or sell stocks for inflated prices. As such, it should be impossible to outperform the overall market through expert stock selection or market timing, and that the only way an investor can possibly obtain higher returns is by purchasing riskier investments.
I’m not a fan of EMH for the same reasons I’m not a fan of the economic theory of perfect competition. Generally speaking, many of these theories and hypotheses were invented as an unrealistic baseline. Why would anyone want to do that? My Finance II professor had a nice simple explanation. There are so many variables in the world that it’s difficult to compare one company to another. We use many different theories and hypotheses to create an apples-to-apples or even playing field to compare Company A to Company B. We then add real world variables to help determine which one is the better company. We also have to realize that Investor A may be more concerned with double bottom line efficiency, while Investor B may care about triple bottom line corporate social responsibility. Once you get past a few variables you can come to different conclusions.
Another interesting fact from class is that with all the financial professionals and their predictive models the best you can hope for is to get it right 60% of the time. A coin toss has a 50% chance of winning, so why spend all this time and money on financial engineering and forecasting? It turns out that 10% is huge, so it’s definitely worth the effort. The lesson here is that small percentages have big effects, so don’t thumb your nose at 1%. 1% better than you were yesterday is better than 0%. You can take this to anything beyond finance as well. A 1% improvement in this iteration of your anti-bribery, infosec, environmental, or other programs is a win. Iterate often and don’t give in to managers who say you need to show 5% improvement before beginning your next iteration, because then you’re likely to iterate only once or twice per year. If you get 1% 12x per year that’s a better payoff (twelve 1% gains compound to roughly 12.7%, against 5% once or about 10.3% twice).
There is also another angle to everyone knowing the same thing. It does no good unless you act on it. This is a lesson learned from Tom Sosnoff, founder of ThinkOrSwim (now part of TDAmeritrade) and TastyTrade.com. Every stock market pundit can say what they want. For example, I think the US Dollar is going to continue to decline over the next 3 years due to Quantitative Easing and the debt the Government has taken out. Well, that’s great, but what kind of trade are you going to put on and why? Information needs to be insightful and actionable. Otherwise you’re just talking on CNBC or you’re the guest columnist of the week in SC Magazine or CISO Online. If you watch any of Tom’s shows they always have a trade to go with a hypothesis.
To illustrate the failure of EMH we can look at many of the recent hacks such as $TGT. The intruders knew something about $TGT that $TGT didn’t know about itself. We do not have an efficient market here because one side knows more than the other. Based on what was reported there has been speculation that $TGT had a team that notified another team who didn’t respond. If we follow this scenario we have two different levels of knowledge on one side and a different level again on the other side. Definitely not equal. Then when we look at actionable information, the hackers were taking action against $TGT while its response teams were still in the dark.
Let’s also take a look at EMH from the investor’s point of view. Until we tested our hypothesis of shorting the equities of hacked companies, many people in the Infosec world made the mistake of contributing to the echo chamber that hacked companies were going to $0, just like the political doomsayers state that the USD is going to $0 because of Federal Reserve money printing and the debt load the US is carrying. If you were to take action on those (bad) assumptions you would be down $45,000 in our simulated portfolio of hacked stocks. The same would have happened if you had bet long on EUR/USD. If you were to have placed a $100,000 bet on the dollar going down the day after President Obama was reelected, you would have had to put up $2,276.30 in collateral to borrow $100,000 from your broker, and you would be down $17,000 on your $2,200 bet. As a matter of fact the whole notion that the USD was going to $0 was a fantasy, much like hacked companies going to $0. The reality hurts the wallet big time. There’s a saying: markets can remain irrational longer than you can remain solvent. If you had bet against the USD since the election you would have lost more money than you had put up on the wager.
When you panic sell on news of a hacking there will always be someone there to #BTFD. If retail investors knew everything the big funds know, then they wouldn’t be selling, and the buying pressure would be lower because there would be no discount created by the selling. EMH and other theories are excellent in a classroom setting, but quickly fall apart once you enter the real world. Not everyone can know everything, but do your research and put the research to the test and you will be victorious. All strategies need to be insightful and actionable. Some people have the insightful part down; we all need to work on the actionable.
In continuing our exploration of the world of Corporate risk and the markets we will take a look at the role of activist investors, who they are and what they want. Activists are becoming a prominent factor in how the Board and C-Suite address investor demands. Their activities affect all aspects of a company and when they arrive your department may be in for the shock of its existence.
Who are the activists and what do they want?
According to Investopedia an activist investor is:
An individual or group that purchases large numbers of a public company’s shares and/or tries to obtain seats on the company’s board with the goal of effecting a major change in the company. A company can become a target for activist investors if it is mismanaged, has excessive costs, could be run more profitably as a private company or has another problem that the activist investor believes it can fix to make the company more valuable.
The most common type of activist investor believes they can improve a company’s value for the shareholders by attempting to direct divestitures, cost cutting measures, breaking up a big company, or a change in strategy. The more uncommon type of activist investor may buy shares and attempt to control a company for the purpose of making an ethical change such as environmentalism or removing child labor from the supply chain. Activist investors also fight among themselves, as Carl Icahn and Bill Ackman have for years. Icahn likes Herbalife, while Ackman thinks it’s a scam (paraphrasing for him). Ackman even put up a site, Facts About Herbalife, along with a 300+ slide presentation as to why they’re a ripoff. Icahn keeps buying the stock while Ackman was the biggest short seller. When activists attack it will either make or break your company. These guys are serious about what they do. Starboard Value published a 294+ slide presentation on what needs to change at Darden Restaurants, especially at Olive Garden.
As you can guess, a lot of their activities are focused on cutting costs and increasing revenue. The latter is always great, but what happens to your Infosec or sustainability program when the Wall Street pole axe meets your budget? You should read what happened to Timken. No, seriously, you need to read it to understand what an activist takeover and breakup looks like. Bill George of Harvard Business School gives a hint,
“Activists think long term is 12 months and the first thing that goes is the stuff that pays off in five or 10 years,”
Let’s pretend you had an infosec program at Timken. This is what you would be dealing with (**emphasis mine**)
Buried in a November Timken investor presentation is a chart bound to please Wall Street. Titled “Yesterday and Tomorrow,” it sketches how capital was allocated before the split, and how it will be used now. Pension fund contributions drop from nearly a third of cash flow to near zero, **while capital spending is roughly halved. And instead of using 12 percent of cash flow to buy back stock, share repurchases will consume nearly half of cash flow over the next 18 months. In other words, less cash is being invested in the business or earmarked for benefits to employees, and more money is going to investors.** While TimkenSteel’s board has authorized a three million share buyback by the end of 2016, Timken has plans to repurchase 10 million shares by the end of next year.
For academic purposes let’s assume all budgets will be cut by 50%. Don’t think it won’t happen. I’ve been on the buying end where the acquirer says cut everything by half in 1 year and tells management they’ll need to figure out how to make things work with half. In terms of Infosec and Environmental programs you look at what was required by law or regulation, then make a list of what wasn’t a requirement and begin pricing out the synergies obtained by downsizing personnel and equipment. But on the bright side there will be a complete Compliance checkup as part of the Freddy Krueger cutting. Don’t think Symantec will protect you from Dokken.
But enough of the scary Halloween stories. Did activist investors have something to do with the Sony hack? When we look at the Q3 2014 Third Point Investor Letter on page 9 we find this bit of information (**emphasis mine**)
In May of 2013, Third Point announced a significant stake in Sony and suggested to the company’s CEO, Kazuo Hirai, that he should seriously consider spinning out 15‐20% of the company’s undervalued, American‐based Entertainment business. At the time, we explained that partially listing the Entertainment segment would have three positive effects: 1) highlighting its profitability; 2) increasing investor transparency, thereby allowing the market to properly benchmark the company against its global media peers; and **3) incentivizing Entertainment’s management to run the company more efficiently by engaging in cost cutting and laying out clear earnings targets**
While, regrettably, the Company rejected our partial spin‐out suggestion, they made some changes that were consistent with our goals. **In the Entertainment business in particular, Sony has cut costs, improved its dialogue with investors, and undertaken key management changes.** In Electronics, Mr. Hirai’s team deserves credit for transitioning away from personal computers this year and improving television profitability in 2015. They have also improved investor transparency. Still, they have a long way to go and we continue to believe that more urgency will be necessary to definitively turn around the company’s fortunes.
A key tenet for us in making constructivist investments is our margin of safety. While we are most focused on the potential upside available to shareholders if management undertakes changes, we are unlikely to make a significant investment in a situation where constructivist‐driven change is the chief catalyst unless we see minimal downside. Sony was exactly the type of investment where the risk/reward ratio was skewed in our favor. Thanks to this investment principle, despite enduring profit warnings nearly every quarter we were invested, incurring worse news about Electronics than we expected, and suffering from market disappointment at the pace of Japanese macroeconomic reforms, we still managed to generate nearly a 20% return on this investment before exiting.
If we read into the report we can see that Third Point wanted Sony to spin off its entertainment division. Sony didn’t go along with the plan. They did engage in cost cutting, but not to the level that Third Point wanted. Still, Third Point exited with a 20% gain. Now let’s step back and drink a dose of reality. We have heard terms such as clueless or incompetent used to describe the security program at Sony. There may have been some of that, but in reality they had an activist investor who was pressuring them into some serious cost cutting. We also have to stop and consider that management isn’t clueless either. They know exactly what they are being told to accomplish. Are the activists clueless MBAs who just “don’t get it” when it comes to Infosec? That’s an irrelevant question because they make a ton of money doing what they do. They don’t need to get Infosec at all. We won’t know how much Sony Entertainment’s Infosec program was cut, but don’t expect a well funded Infosec program, or any program, if you have an activist in house. Based on Third Point’s opinion they didn’t cut their overall budget enough. I would have to agree with Third Point that management has a long way to go to make Sony an efficiently run shop.
Where are all the Infosec Activists?
If there are activist investors who attempt to stamp out child labor in shoe factories, or prevent the dumping of waste into rivers, then where are the activist investors who buy companies and make them spend more money on Infosec? Children working in sweatshops and oil covered birds are things that matter to the public. Data breaches, not so much. As an industry Infosec is still struggling to quantify what the ROI is on all those headcounts and equipment. In order for an Infosec activist fund manager to make change they would need to increase spending before a breach and demonstrate to the rest of the shareholders, with real numbers, that it was a good idea.
One thing Wall Street has figured out is that nothing bad will happen if you don’t spend money on a JPMorgan-sized Infosec program. While it’s likely every Infosec professional’s fantasy to force management to spend money on a better security program, it’s nothing but a fantasy out of touch with the financial reality of our world. There’s no money in spending on security, the preventative benefits are dubious at best, and consumers just don’t care. There’s a lot of money in cutting expenses and carving companies up like a roast. The hackers may not get you, but the activists will. Better call Dokken.