On 7/9/2019 the UK Information Commissioners Office (ICO) has fined Marriott International ($MAR) 99,200,396 GBP in relation to the Starwood database incident that Marriott announced on Nov 30, 2018. Like most information security incidents, this falls into the category of not harming investors.
The stock closed on 7/8/2019 at 141.30 and opened on 7/9/2019 at 138.63. Before you listen to the infosec pundits about data breaches and stock prices going to zero (we’re still waiting on TGT and HD) it’s best to do some research.
First, we take note of news events the same day. From the beginning of the day we have other events that would affect the stock price. In order on 7/9/2019 we have:
Downgrade by JPMorgan from Overweight to Neutral
UK ICO Announcement at 8:30am ET
DC Attorney General files suit for deceptive
pricing practices 2:04pm ET
When we examine a 15 minute chart we notice a lower opening on 7/9/2019 which is to be expected with the downgrade announced prior to pre-market trading. $MAR reaches a low of 137.85 at the 10am candle and gives us a Bullish Hammer pattern followed by bullish green candles. All of the negative news from the downgrade and the fine by the ICO took 30 minutes to shake out before buyers stepped in to create a reversal pattern. The announcement of the DC AG office filing suit resulted in a $0.09 drop to 139.16 over the 15 minutes candle after the announcement. This was the low of the day to close. The stock closed higher to end the day at 139.52. On 7/10 the stock finishes digesting the morning news then takes off at 11:15 and doesn’t look back to close the day at 141.57. This is .27 higher than it was the day before the JPMorgan downgrade, the UK ICO fine, and the DC AG suit. Three negative news items in one day and the next day the stock is in better shape than it was the day before the news hit.
Multiple news events in one day, two being government actions, and one an analyst downgrade did not negatively affect $MAR beyond the day of the event. Buyers do not appear to think much of the UK ICO ability to make the full amount stick after appeal, JPMorgan’s ability to tell the future, and the ability of the DC AG to successfully make a case. Price action matters and the action has been to the upside.
$FB has supposedly exposed some records. If history repeats itself we can bet on panic buying to set in and history does repeat itself. $FB opened flat and then took off premarket and didn’t look back.
To take advantage of the situation we’re going to sell a put vertical. We were only able to get filled near the close of market due to the up move but we’re in.
SELL -1 VERTICAL FB 100 17 MAY 19 165/160 PUT @1.14 LMT
We have a GTC in for 25% and plan to be out before expiration.
Marriott suffered a huge data breach according to some reports. As we can see it scared the bulls to death. The stock reverted 2 standard deviations back to the mean and then dropped another 2 standard deviations. Like most events of this type we can expect this to blow over. We can see that it bounced hard off the lower Bollinger Band. This also gives us a sign that the long term damage is not being seen by the markets. January 18 options are about 50 days away which gives the stock more than enough time to bounce back. After entering this trade we set a GTC order to close at 25% of max profit. Overall we managed to pull out a 12.6% return on invested capital (margin of $332) the next trading day after entering. The size of this bounce was surprising as Marriott bounced back above the mean in almost no time. The stock was on an upward trajectory prior to the news and the overall market has turned bullish. Most likely it will continue upward to the upper Bollinger Band.
Sold 1 MAR 01/18/19 Put 115.00 @ 4.20 Filled at: Nov 30, 2018 10:13:06 AM EST
Bought 1 MAR 01/18/19 Put 110.00 @ 2.50 Filled at: Nov 30, 2018 10:13:06 AM EST
Bought 1 MAR 01/18/19 Put 115.00 @ 2.77 Filled at: Dec 3, 2018 10:10:17 AM EST
Sold 1 MAR 01/18/19 Put 110.00 @ 1.49 Filled at:
Dec 3, 2018 10:10:17 AM EST
$NYT announced that Quest Diagnostics ($DGX) had a breach of 34,000 customer’s data. No financial data was taken. Some public information such as name and telephone were taken along with some lab results according to reports.
$DGX broke above resistance yesterday and is riding the former resistance line as support. Intraday close was up and barring any surprises we expect the bullish trend to continue.
The day before Thanksgiving the Navy announced a breach of a sailor’s PII on a laptop operated by HP Enterprise. The announcement came after hours which means our first trading day was the day after Thanksgiving. HPE closed at 23.22 on Friday and our bullish after hack thesis is still working the next trading day with a close of 23.34.
Once again news of organized crime hackers is all over the news. This time $WEN keeps slowly upping the severity of the breach over time. This seems to be getting worse day by day, but it is still nothing compared to $BP failing to plug the leak for weeks.
This news cycle has been all over the map so there isn’t a breach trade here. What do you mean DearestLeader? Look at that Dip! It must be because of the news cycle!
Yes, there is a dip and it was bought, and yes it is in a bullish channel. #BTFD
But this is not due to the news cycle. When we take a look at $SPY the whole S&P 500 fell off a cliff.
This was mainly due to Brexit. As you can see $GBPUSD was completely destroyed the night of Brexit. It’s only natural to expect the whole market to crash into a buying frenzy the next day. Skeptics of course may claim that Kim Jong Un single handedly flew to the moon on a Unicorn to meet with the ghost of Kim Il Sung who instructed him to stuff the ballots in the UK in favor of Brexit while installing malware in the deep fryer at $WEN.
We don’t have a trade on since the news cycle is never ending and everyone is tired of hearing how consumers were inconvenienced and have to get a new card with no money out of pocket thanks to the Fair Credit Billing Act. $WEN is not that exciting with perfect timing you’re only making .20 per day. We would rather be long $ES_F and ride the wave.
Affairs marketplace Ashley Madison has added 4 million new users in a move that will surely puzzle most information security professionals. Even security firm AVG says usage is up. How could this be possible after the data breach and such a, um, sensitive topic? Consumers have a short memory as we can see from the fact that people still shop at Target and Home Depot and people still go to see movies produced by Sony.
“with cheating in particular, it can be somebody who isn’t satisfied with their ordinary life and having trouble in their marriage, but sometimes not. Sometimes their just seeking the thrill of the game.”
Some people love to take risks, but in reality risk is reduced after an event due to extra scrutiny on the causes such as safety, but also due to the fact that the odds of two like events happening in the same place are relatively low.
For example, Police allege they discovered skinned cat behind Ming’s BBQ in Doraville, GA. Health inspectors visited the restaurant and rated Ming’s a failing score of 59. Would you eat at Ming’s? Images of food poisoning, death, and being served cat when you ordered dog come to mind. Surprise! Their health score jumped from 59 to 96 in less than two weeks. Under Rational Choice Theory (RCT) you would have greater economic utility dining at Ming’s after they were cited for and cleaned up their health issues. The same goes for airline service or some type of technology service. Fear of previous low health scores, plane crashes, or data insecurity do not fit into RCT since value is maximized by the event.
Many in the information security profession have said that the Ashley Madison IPO is off, their CEO is gone, and they will be sued out of business. This prediction has not happened and we are still waiting for Target and Home Depot to stop posting gains year-over-year after their data breach. Ashley Madison is in good shape from a legal stand point since the class action was filed in the Eighth Circuit. Why is this important? The Seventh Circuit ruled that plaintiffs who experienced no injuries from a data breach could pursue damages. Since the case is in the Eighth Circuit the Remijas v. Neiman Marcus precedent does not apply. Also consider that a judge has ruled that “John Doe” victims must identify themselves. Two strikes against legal action which is Bullish for investors.
Consumers are always seeking to consume and maximize their economic utility. Ashley Madison has continued to deliver on a value proposition and appears to be on track to bring gains to investors in this new class of marketplace.
The Federal Reserve performs many services to the consumers and businesses of the country. One of these services is to establish monetary policy. In recent years the Federal Reserve has established multiple layers of Quantitative Easing (QE) and Zero Interest Rate Policy (ZIRP). The Federal Reserve has many reasons for maintaining ZIRP.
The effect of current monetary policy is the incentives and benefits it creates. One of the goals of monetary policy is to stimulate the economy. With interest rates at near zero percent the incentive is not to save, but to spend. Some believe that the Federal Reserve is penalizing retirees or those saving for retirement by incentivizing young people to buy houses, cars, and other discretionary goods. In order to get a decent return on investment those close to retirement are forced out of relatively safe treasuries. Many are invested in high yield dividend stocks or are maintaining a capital allocation in growth stocks that is higher than recommended for the age group. The long term effect on the economy is a topic of debate as is the effect on senior citizens and the behavior of young consumers.rnrn rnrnThe debt vs. savings aspect is interesting in that high leverage is being encouraged because interest rates are so low. Consumers can now afford a bigger car and a bigger house because of interest rates. Why not get a little more house than you need because you can flip it in 10 or 20 years for a lot more? Need new furniture and appliances to go with the house? How about 0% interest for 36 months? The effect of this is less income for saving, but when you”re only getting 2% on a 10 year treasury why bother saving?
The effect of more spending rather than saving changes incentives for financial crime. Everyone loves to hit a home run. As the US economy was coming out of the recession many companies such as Amazon were beating earnings by a huge amount. Call options trading at .50 prior to earnings popped up to $13 the day after. If you were in the right place at the right time that was a home run. This is why people love the derivatives market. Home runs are also popular with salespeople. Why chase a $500k deal when you can close a $10M software deal? It is more likely to hit singles than home runs, but everyone loves the long shot, even though slow and steady wins the race.rnrn rnrnCybercriminals also want to close big deals. A savings account with $100k is worth more in terms of time and hassle than picking off many people who only have a few hundred in their account. This will have a profound effect on the face of financial crime. Consider a millennial worker who is highly leveraged. On pay day one could look at their checking account pending transactions and see a direct deposit for X and a set of ACH transactions the same day for 90%+ of their pay going to mortgage, car, credit cards, etc. Contrast this to a baby boomer who is afraid of the stock market and is holding cash in a savings account to maintain liquidity. Who is going to be the windfall profit for the cybercriminals? The millennial is going to have very little cash on hand and would be a target of convenience if the criminals already have access to the bank account. The boomer has more to lose, but also consider that this demographic is more prone lose money to charity phone scammers than hackers. One way of keeping others from stealing or sweet talking you out of your money is to spend it within seconds of it arriving. Because there will be little in the way of cash available the only viable target will be credit cards where consumers have zero financial risk from fraudulent or criminal activity. This approach pushes risk away from the consumer public and back on the banks that are issuing credit cards. Mission accomplished.
A strategic goal of information security is to reduce the incentive to commit cybercrime. Federal Reserve monetary policy has accomplished consumer protection via ZIRP, leading to a change in consumer behavior, leading to a near zero risk of cybercrime against consumer bank accounts by decreasing incentive for targeting cash. Millions of dollars in spending on boxes in data centers have not stopped cybercrime, but have contributed greatly to climate change. The Federal Reserve may have solved a large segment of consumer cybercrime problem that the Information Security Industrial Complex has yet to scratch.
The June issue of Compliance and Ethics Professional has a brief but interesting article by Sally March titled Are you confident it’s confidential? One of the references in the article cites the Ponemon Institute report “Reputation Impact of a Data Breach”. This is an older report from 2011, but we can examine the findings and determine the accuracy of the claims.
The study surveyed 843 senior-level individuals with deep expertise and knowledge about their organization’s brand and reputation management objectives.
We asked individuals participating in our study to estimate the economic value of their organizations’ corporate brand or reputation. The responses ranged from a value of less than $1 million to more than $10 billion. Using an extrapolation method we determined the average value of reputation or brand image for the organizations participating in the study – which is estimated as $1.56 billion. Depending upon the type of information lost as a result of the breach, the average loss in the value of the brand ranged from $184 million to more than $332 million
The results are extrapolated which means they are estimated, but that will allow us to see if the persons surveyed were correct in their assumptions. Table 1. Calculus on the economic impact of reputation decline from data breach states that Diminished value resulting from a data breach of customer data is 21% while Diminished value resulting from a data breach of employee data is 12% while Diminished value resulting from a data breach of IP data is 18%.
Based on what we know in our previous studies of company valuation after a data breach these numbers do not sound correct which would mean that the impact is being overestimated. For our purposes we will look at equity performance since the data breach of several high profile companies with high profile data breaches. The change in consumer sentiment will be felt on the Income Statement which will be reflected through the stock price. We believe this is a more realistic way to determine economic impact as US markets are liquid and efficient.
Below are selected stock charts from TGT, HD, and SNE starting from the time their data breaches were reported in the news to the present day. We will also examine LL which experienced a dangerous consumer products scandal, broke by Case Capital Management that was aired on 60 Minutes to compare real world consumer harm vs. virtual consumer harm with regard to company performance.
We can distill the information provided by the stock charts down to the equity that was affected by the event, the stock price on the day of the event, the current stock price, and the change in value. As we can see the companies suffering from a consumer data breach experienced an average increase in value of 24%. While the company that experienced a real world hazard has decreased by 79%.
Day Of Event
Conclusion: The estimates in the Ponemon report of a 21% decrease in economic value. We do not see this reflected in equity prices as valuations have increased since the event. We believe that the economic impact of consumer data breaches is overstated as consumer sentiment has not shifted to a degree that has an effect on earnings. It is likely that the personnel surveyed had overestimated the impact due to marketing material produced by the Information Security Industrial Complex. The impact to many corporations have been mitigated by Cyber Insurance (TGT, HD) or by CapEx and other cost reduction measures brought on by Shareholder Activists (SNE). Shareholder Activists and executives should reevaluate spending priorities in light of the current trends in equity performance after a data breach event.
We have a question from #DTsR listener @fsmontenegero regarding security and efficient market hypothesis. That is a very broad topic that could go in many different directions, and the ambiguous answer is one that people are sure to dislike.
Efficient Markets Hypothesis (EMH) via Investopedia:
…defined as a theory that it is impossible to beat the market because stock market efficiency causes existing share prices to always incorporate and reflect all relevant information. According to the EMH, stocks always trade at their fair value on stock exchanges, making it impossible for investors to either purchase undervalued stocks or sell stocks for inflated prices. As such, it should be impossible to outperform the overall market through expert stock selection or market timing, and that the only way an investor can possibly obtain higher returns is by purchasing riskier investments.
I’m not a fan of EMH for the same reasons I’m not a fan of the economic theory of perfect competition. Generally speaking many of these theories and hypothesis were invented as an unrealistic baseline. Why would anyone want to do that? My Finance II professor had a nice simple explanation. There are so many variables in the world it’s difficult to compare one company to another. We use many different theories and hypotheses to create an apples-to-apples or even playing field to compare Company A to Company B. We then add real world variables to help determine which one is the better company. We also have to realize that Investor A may be more concerned with double bottom line efficiency, while Investor B may care about triple bottom line corporate social responsibility. Once you get past a few variables you can come to different conclusions.
Another interesting fact from class is that with all the financial professionals and their predictive models the best you can hope for is to get it right 60% of the time. A coin toss has a 50% chance of winning so why spend all this time and money on financial engineering and forecasting? It turns out that 10% is huge so it’s definitely worth the effort. The lesson here is small percentages have big effects so don’t thumb your nose at 1%. 1% better than you were yesterday is better than 0%. You can take this to anything beyond finance as well. 1% improvement in this iteration of your anti-bribery, infosec, environmental, or other programs is a win. Iterate often and don’t give in to managers who say we need to show 5% improvement before beginning your next iteration because you’re likely to iterate only once or twice per year. If you get 1% 12x per year that’s a better payoff.
There is also another angle to everyone knowing the same thing. It does no good unless you act on it. This is a lesson learned from Tom Sosnoff, founder of ThinkOrSwim (now part of TDAmeritrade) and TastyTrade.com. Every stock market pundit can say what they want. For example, I think the US Dollar is going to continue to decline over the next 3 years due to Quantitative Easing and the debt the Government has taken out. Well, that’s great what kind of trade are you going to put on and why? Information needs to be insightful and actionable. Otherwise you’re just talking on CNBC or you’re the guest columnist of the week in SC Magazine or CISO Online. If you watch any of Tom’s shows they always have a trade to go with a hypothesis.
To illustrate the failure of EMH we can look at many of the recent hacks such as $TGT. The intruders something about $TGT that they didn’t know. We do not have an efficient market here because one side knows more than the other. Based on what was reported there has been speculation that $TGT had a team that notified another team who didn’t respond. If we follow this scenario we have two different levels of knowledge on one side with a different level on another side. Definitely not equal. Then when we look at actionable information, the hackers were taking action against $TGT while their response teams were still in the dark.
Let’s also take a look at EMH from the investor’s point of view. Until we tested our hypothesis of shorting the equities of hacked companies many people in the Infosec world made the mistake contributing to echo chamber that hacked companies were going to $0 just like the political doomsayers state that the USD is going to $0 because of Federal Reserve money printing and the debt load the US is carrying. If you were to take action on those (bad) assumptions would be down $45,000 in our simulated portfolio of hacked stocks. The same would have happened if you had bet long on EUR/USD. If you were to have placed a $100,000 bet on the dollar going down the day after President Obama was reelected, you would have had to put up $2,276.30 in collateral to borrow $100,000 from your broker and you would be down $17,000 on your $2,200 bet. As a matter of fact the whole notion that the USD was going to $0 was a fantasy, much like hacked companies going to $0. The reality hurts the wallet big time. There’s a saying, markets can remain irrational longer than you can remain solvent. If you had bet against the USD since the election you would have lost more money than you had put up on the wager.
When you panic sell on news of a hacking there will always be someone there to #BTFD. If investors did know everything the big funds know, then they wouldn’t be selling and the buying pressure would be lower because there would not be a discount from selling. EMH and other theories are excellent in a classroom setting, but quickly fall apart once you enter the real world. Not everyone can know everything, but do your research and put the research to the test and you will be victorious. All strategies need to be insightful and actionable. Some people have the insightful part down, we all need to work on the actionable.