Marriott Fined by UK ICO, Downgraded by JPM, Sued by DC AG, and Recovers Next Day

On 7/9/2019 the UK Information Commissioner’s Office (ICO) fined Marriott International ($MAR) 99,200,396 GBP in relation to the Starwood database incident that Marriott announced on Nov 30, 2018. Like most information security incidents, this falls into the category of not harming investors.

The stock closed on 7/8/2019 at 141.30 and opened on 7/9/2019 at 138.63. Before you listen to the infosec pundits about data breaches and stock prices going to zero (we’re still waiting on TGT and HD), it’s best to do some research.

MAR Daily Chart

First, we take note of news events the same day. From the beginning of the day we have other events that would affect the stock price. In order on 7/9/2019 we have:

  • Downgrade by JPMorgan from Overweight to Neutral 6:29am ET
  • UK ICO Announcement at 8:30am ET
  • DC Attorney General files suit for deceptive pricing practices 2:04pm ET
MAR News
Wall Street News MAR

When we examine a 15-minute chart we notice a lower opening on 7/9/2019, which is to be expected with the downgrade announced prior to pre-market trading. $MAR reaches a low of 137.85 at the 10am candle and gives us a Bullish Hammer pattern followed by bullish green candles. All of the negative news from the downgrade and the fine by the ICO took 30 minutes to shake out before buyers stepped in to create a reversal pattern. The announcement of the DC AG office filing suit resulted in a $0.09 drop to 139.16 over the 15-minute candle after the announcement. This was the low for the rest of the day into the close. The stock closed higher to end the day at 139.52. On 7/10 the stock finishes digesting the morning news, then takes off at 11:15 and doesn’t look back, closing the day at 141.57. This is .27 higher than it was the day before the JPMorgan downgrade, the UK ICO fine, and the DC AG suit. Three negative news items in one day, and the next day the stock is in better shape than it was the day before the news hit.

MAR 15 Min Chart

Conclusion

Multiple news events in one day, two being government actions and one an analyst downgrade, did not negatively affect $MAR beyond the day of the event. Buyers do not appear to think much of the UK ICO’s ability to make the full amount stick after appeal, JPMorgan’s ability to tell the future, or the ability of the DC AG to successfully make a case. Price action matters and the action has been to the upside.

#BTFD

HPE Unaffected Day After Hack Announced

The day before Thanksgiving the Navy announced a breach of a sailor’s PII on a laptop operated by HP Enterprise. The announcement came after hours, which means our first trading day was the day after Thanksgiving. HPE closed at 23.22 on Friday and our bullish-after-hack thesis is still working the next trading day with a close of 23.34.

2016-11-28-hpe-tos_charts

Wendy's Breach is Yuge, But Saved By Brexit

Once again news of organized crime hackers is all over the news. This time $WEN keeps slowly upping the severity of the breach over time. This seems to be getting worse day by day, but it is still nothing compared to $BP failing to plug the leak for weeks.

This news cycle has been all over the map so there isn’t a breach trade here. What do you mean DearestLeader? Look at that Dip! It must be because of the news cycle!

2016-07-12-WEN-TOS_CHARTS

Yes, there is a dip and it was bought, and yes it is in a bullish channel. #BTFD

But this is not due to the news cycle. When we take a look at $SPY the whole S&P 500 fell off a cliff.

2016-07-12-SPY-TOS_CHARTS

This was mainly due to Brexit. As you can see, $GBPUSD was completely destroyed the night of Brexit. It’s only natural to expect the whole market to crash into a buying frenzy the next day. Skeptics of course may claim that Kim Jong Un single-handedly flew to the moon on a Unicorn to meet with the ghost of Kim Il Sung, who instructed him to stuff the ballots in the UK in favor of Brexit while installing malware in the deep fryer at $WEN.

2016-07-12-GBPUSD-TOS_CHARTS

We don’t have a trade on since the news cycle is never ending and everyone is tired of hearing how consumers were inconvenienced and have to get a new card with no money out of pocket thanks to the Fair Credit Billing Act. $WEN is not that exciting; even with perfect timing you’re only making .20 per day. We would rather be long $ES_F and ride the wave.

Efficient Markets in Security

We have a question from #DTsR listener @fsmontenegero regarding security and efficient market hypothesis. That is a very broad topic that could go in many different directions, and the ambiguous answer is one that people are sure to dislike.

Efficient Markets Hypothesis (EMH) via Investopedia:

…defined as a theory that it is impossible to beat the market because stock market efficiency causes existing share prices to always incorporate and reflect all relevant information. According to the EMH, stocks always trade at their fair value on stock exchanges, making it impossible for investors to either purchase undervalued stocks or sell stocks for inflated prices. As such, it should be impossible to outperform the overall market through expert stock selection or market timing, and that the only way an investor can possibly obtain higher returns is by purchasing riskier investments.

I’m not a fan of EMH for the same reasons I’m not a fan of the economic theory of perfect competition. Generally speaking, many of these theories and hypotheses were invented as an unrealistic baseline. Why would anyone want to do that? My Finance II professor had a nice simple explanation. There are so many variables in the world it’s difficult to compare one company to another. We use many different theories and hypotheses to create an apples-to-apples or even playing field to compare Company A to Company B. We then add real world variables to help determine which one is the better company. We also have to realize that Investor A may be more concerned with double bottom line efficiency, while Investor B may care about triple bottom line corporate social responsibility. Once you get past a few variables you can come to different conclusions.

Another interesting fact from class is that with all the financial professionals and their predictive models the best you can hope for is to get it right 60% of the time. A coin toss has a 50% chance of winning so why spend all this time and money on financial engineering and forecasting? It turns out that 10% is huge so it’s definitely worth the effort. The lesson here is small percentages have big effects so don’t thumb your nose at 1%. 1% better than you were yesterday is better than 0%. You can take this to anything beyond finance as well. 1% improvement in this iteration of your anti-bribery, infosec, environmental, or other programs is a win. Iterate often and don’t give in to managers who say we need to show 5% improvement before beginning your next iteration because you’re likely to iterate only once or twice per year. If you get 1% 12x per year that’s a better payoff.

There is also another angle to everyone knowing the same thing. It does no good unless you act on it. This is a lesson learned from Tom Sosnoff, founder of ThinkOrSwim (now part of TD Ameritrade) and TastyTrade.com. Every stock market pundit can say what they want. For example, I think the US Dollar is going to continue to decline over the next 3 years due to Quantitative Easing and the debt the Government has taken out. Well, that’s great; what kind of trade are you going to put on and why? Information needs to be insightful and actionable. Otherwise you’re just talking on CNBC or you’re the guest columnist of the week in SC Magazine or CISO Online. If you watch any of Tom’s shows they always have a trade to go with a hypothesis.

To illustrate the failure of EMH we can look at many of the recent hacks such as $TGT. The intruders knew something about $TGT that $TGT didn’t know. We do not have an efficient market here because one side knows more than the other. Based on what was reported, there has been speculation that $TGT had a team that notified another team who didn’t respond. If we follow this scenario we have two different levels of knowledge on one side with a different level on another side. Definitely not equal. Then when we look at actionable information, the hackers were taking action against $TGT while their response teams were still in the dark.

Let’s also take a look at EMH from the investor’s point of view. Until we tested our hypothesis of shorting the equities of hacked companies, many people in the Infosec world made the mistake of contributing to the echo chamber that hacked companies were going to $0, just like the political doomsayers state that the USD is going to $0 because of Federal Reserve money printing and the debt load the US is carrying. If you were to take action on those (bad) assumptions you would be down $45,000 in our simulated portfolio of hacked stocks. The same would have happened if you had bet long on EUR/USD. If you were to have placed a $100,000 bet on the dollar going down the day after President Obama was reelected, you would have had to put up $2,276.30 in collateral to borrow $100,000 from your broker and you would be down $17,000 on your $2,200 bet. As a matter of fact the whole notion that the USD was going to $0 was a fantasy, much like hacked companies going to $0. The reality hurts the wallet big time. There’s a saying: markets can remain irrational longer than you can remain solvent. If you had bet against the USD since the election you would have lost more money than you had put up on the wager.

2015-02-21-USDvsEverything-ThinkBack
When FX Trades Go Wrong

When you panic sell on news of a hacking there will always be someone there to #BTFD. If investors did know everything the big funds know, then they wouldn’t be selling and the buying pressure would be lower because there would not be a discount from selling. EMH and other theories are excellent in a classroom setting, but quickly fall apart once you enter the real world. Not everyone can know everything, but do your research and put the research to the test and you will be victorious. All strategies need to be insightful and actionable. Some people have the insightful part down, we all need to work on the actionable.

Where Are The Infosec Activists

In continuing our exploration of the world of Corporate risk and the markets we will take a look at the role of activist investors, who they are and what they want. Activists are becoming a prominent factor in how the Board and C-Suite address investor demands. Their activities affect all aspects of a company and when they arrive your department may be in for the shock of its existence.

Who are the activists and what do they want?

According to Investopedia an activist investor is:

An individual or group that purchases large numbers of a public company’s shares and/or tries to obtain seats on the company’s board with the goal of effecting a major change in the company. A company can become a target for activist investors if it is mismanaged, has excessive costs, could be run more profitably as a private company or has another problem that the activist investor believes it can fix to make the company more valuable.

The most common type of activist investor believes they can improve a company’s value for the shareholders by attempting to direct divestitures, cost cutting measures, breaking up a big company, or a change in strategy. The more uncommon type of activist investor may buy shares and attempt to control a company for the purposes of making an ethical change such as environmentalism or removing child labor from the supply chain. Activist investors also fight among themselves, as Carl Icahn and Bill Ackman have been for years. Icahn likes Herbalife, while Ackman thinks it’s a scam (paraphrasing for him). Ackman even put up a site, Facts About Herbalife, along with a 300+ slide presentation as to why they’re a ripoff. Icahn keeps buying the stock while Ackman was the biggest short seller. When activists attack it will either make or break your company. These guys are serious about what they do. Starboard Value published a 294+ slide presentation on what needs to change at Darden Restaurants, especially at Olive Garden.

As you can guess, a lot of their activities are focused on cutting costs and increasing revenue. The latter is always great, but what happens to your Infosec or sustainability program when the Wall Street pole axe meets your budget? You should read what happened to Timken. No, seriously, you need to read it to understand what an activist takeover and breakup looks like. Bill George of Harvard Business School gives a hint,

“Activists think long term is 12 months and the first thing that goes is the stuff that pays off in five or 10 years,”

Let’s pretend you had an infosec program at Timken. This is what you would be dealing with (**emphasis mine**)

Buried in a November Timken investor presentation is a chart bound to please Wall Street. Titled “Yesterday and Tomorrow,” it sketches how capital was allocated before the split, and how it will be used now. Pension fund contributions drop from nearly a third of cash flow to near zero, **while capital spending is roughly halved. And instead of using 12 percent of cash flow to buy back stock, share repurchases will consume nearly half of cash flow over the next 18 months. In other words, less cash is being invested in the business or earmarked for benefits to employees, and more money is going to investors.** While TimkenSteel’s board has authorized a three million share buyback by the end of 2016, Timken has plans to repurchase 10 million shares by the end of next year.

For academic purposes let’s assume all budgets will be cut by 50%. Don’t think it won’t happen. I’ve been on the buying end where the acquirer says cut everything by half in 1 year and tells management they’ll need to figure out how to make things work with half. In terms of Infosec and Environmental programs you look at what was required by law or regulation and then make a list of what wasn’t a requirement and begin pricing out the synergies obtained by downsizing personnel and equipment. But on the bright side there will be a complete Compliance checkup as part of the Freddy Krueger cutting. Don’t think Symantec will protect you from Dokken.

But enough of the scary Halloween stories. Did activist investors have something to do with the Sony hack? When we look at the Q3 2014 Third Point Investor Letter on page 9 we find this bit of information (**emphasis mine**)

In May of 2013, Third Point announced a significant stake in Sony and suggested to the company’s CEO, Kazuo Hirai, that he should seriously consider spinning out 15‐20% of the company’s undervalued, American‐based Entertainment business. At the time, we explained that partially listing the Entertainment segment would have three positive effects: 1) highlighting its profitability; 2) increasing investor transparency, thereby allowing the market to properly benchmark the company against its global media peers; and **3) incentivizing Entertainment’s management to run the company more efficiently by engaging in cost cutting and laying out clear earnings targets**

While, regrettably, the Company rejected our partial spin‐out suggestion, they made some changes that were consistent with our goals. **In the Entertainment business in particular, Sony has cut costs, improved its dialogue with investors, and undertaken key management changes.** In Electronics, Mr. Hirai’s team deserves credit for transitioning away from personal computers this year and improving television profitability in 2015. They have also improved investor transparency. Still, they have a long way to go and we continue to believe that more urgency will be necessary to definitively turn around the company’s fortunes.

A key tenet for us in making constructivist investments is our margin of safety. While we are most focused on the potential upside available to shareholders if management undertakes changes, we are unlikely to make a significant investment in a situation where constructivist‐driven change is the chief catalyst unless we see minimal downside. Sony was exactly the type of investment where the risk/reward ratio was skewed in our favor. Thanks to this investment principle, despite enduring profit warnings nearly every quarter we were invested, incurring worse news about Electronics than we expected, and suffering from market disappointment at the pace of Japanese macroeconomic reforms, we still managed to generate nearly a 20% return on this investment before exiting.

By the way Third Point is the No. 3 most well-known activist firm according to the 2014 Activist Investing Annual Review.

If we read into the report we can see that Third Point wanted Sony to spin off its entertainment division. Sony didn’t go along with the plan. They did engage in cost cutting, but not to the level that Third Point wanted. Still, Third Point exited with a 20% gain. Now let’s step back and drink a dose of reality. We have heard terms such as clueless or incompetent used to describe the security program at Sony. There may have been some of that, but in reality they had an activist investor who was pressuring them into some serious cost cutting. We also have to stop and consider that management isn’t clueless either. They know exactly what they are being told to accomplish. Are the activists clueless MBAs who just “don’t get it” when it comes to Infosec? That’s an irrelevant question because they make a ton of money doing what they do. They don’t need to get Infosec at all. We won’t know how much Sony Entertainment’s Infosec program was cut, but don’t expect a well-funded Infosec program or any program if you have an activist in house. Based on Third Point’s opinion they didn’t cut their overall budget enough. I would have to agree with Third Point that management has a long way to go to make Sony an efficiently run shop.

Where are all the Infosec Activists?

If there are activist investors who attempt to stamp out child labor in shoe factories, or prevent the dumping of waste into rivers, then where are the activist investors who buy companies and make them spend more money on Infosec? Children working in sweatshops and oil-covered birds are things that matter to the public. Data breaches, not so much. As an industry Infosec is still struggling to quantify what the ROI is on all those headcounts and equipment. In order for an Infosec activist fund manager to make change they would need to increase spending before a breach and demonstrate to the rest of the shareholders, with real numbers, that it was a good idea.

One thing Wall Street has figured out is that nothing bad will happen if you don’t spend money on a JPMorgan sized Infosec program. While it’s likely every Infosec Professional’s fantasy to force management to spend money on a better security program it’s nothing but a fantasy out of touch with the financial reality of our world. There’s no money in spending on security, the preventative benefits are dubious at best, and consumers just don’t care. There’s a lot of money in cutting expenses and carving companies up like a roast. The hackers may not get you, but the activists will. Better call Dokken.

JPM Doubles Security Budget

Among more grandstanding (“Only fall of global firm will shake up cyber security”), we have found some interesting news about $JPM. They have doubled their information security budget. We will need to see what CEO Jamie Dimon has to say in his next letter to the shareholders, but this is an extremely useful tip. In his last letter to the shareholders, which we reviewed in April 2014, he stated that $JPM has an annual cyber security budget of $250M and 1000 employees. Since the breach hit the news in the summer of 2014, this new revelation means that $JPM will be spending approximately half a billion dollars on cyber security. Central Bankers may not have been able to create the inflation they were desiring, but the hackers are creating inflation in security budgets. Does anyone have bets to place on who the first private sector CISO with a billion dollar budget will be?

2015 Portfolio Update

As mentioned on the #DtSR podcast I have been covering a simulated portfolio of hacked stocks. The strategy is to assume all companies that get hacked will go out of business because customers will go elsewhere. We short sell 100 shares into the close on the day news breaks. As you can see, doing so would net you around -$45,000. Notice the big winners, Lockheed Martin and LinkedIn, who have more than doubled since they had a breach. That’s over half the portfolio. Diversifying into other hacked stocks didn’t help much either. On the bright side Sony continues to be a winner, no PolarVortex required.

2015-01-30-Simulated portfolio

Standard & Poor's says breaches have no material impact

Surprise! Staples (NASDAQ: SPLS) had a breach and the financial industry once again says it is not a major event. Standard & Poor’s is not a small organization and they’re usually right, except when downgrading the US. You never downgrade the US. So far data breaches still fall into the nuisance category. This is mainly because all of the big players have a good set of lawyers and some Treasury professionals that acquired the right kind of insurance.

20141222-SPLS-News

Home Depot earnings indicate there is no fear

Home Depot (NYSE: HD) continues to grow with consumer fears of the data breach well behind us. Consumer behavior continues to demonstrate that the public is not bothered by these events. Earnings and the stock price continue to rise after the breach which goes against the conventional wisdom in Infosec that customers will leave after a breach and that there will be a stock sell off as a result.

If we expect customers to disappear sales should be down, not up. We have to consider the reality of the retail situation. Not everyone is near a Lowe’s (NYSE: LOW) or Ace Hardware. $HD is the only game in town for most shoppers. Even if alternatives are in your area, would you drive out of your way to avoid shopping at $HD? Consumer behavior is driven by price and convenience, not the fear of hackers taking their credit card numbers. Under the Fair Credit Billing Act (FCBA) consumer liability is limited to $50 for fraud. Who is going to drive out of their way for a maximum of $50 in risk? Also consider most credit card companies will eat that $50 due to price matching competition with other issuers. Consumer risk is effectively $0.

The numbers speak for themselves. The latest earnings release from $HD shows that this fiscal quarter the number of customer transactions is up by 3.2% (355.4M), with an annual increase of 3.3% (344.3M). Net sales are up 5.4% ($20,516M) with EBITDA up 5.7% ($7,185M). EPS was $1.15 per share. Online sales are up 40% for the quarter and up 50% vs FY13Q3.

The earnings transcript is also quite interesting. The term “security” is only brought up once in the opening remarks.

Before I close, I’d like to briefly comment on the data breach. First, we apologize to anyone impacted by this. From the start, our guiding principle has been to put our customers first. Our customers won’t be responsible for any fraudulent charges incurred through the breach and we will continue to offer free credit monitoring and ID theft protection to any impacted customers. We will continue to invest and enhance security measures to protect our customers’ information.

The statements from Carol Tomé, CFO, are also interesting in that the breach cost less than $TGT. Also consider that all of this is going to go away due to their insurance policy.

In the third quarter, as a percent of sales, total operating expenses decreased by 56 basis points to 22.6%. Our third-quarter expenses included $28 million of net expenses incurred as part of our data breach. We carry a $100 million insurance policy for breach-related expenses. The gross amount of breach-related expenses incurred in the quarter was approximately $43 million. For the fourth quarter, we are projecting our known gross breach-related costs to be approximately $27 million and after insurance, a fourth-quarter net breach expense of approximately $6 million. For fiscal 2014, given our projected known net breach-related expenses of $34 million, we now expect fiscal 2014 operating expenses to grow at approximately 27% of our sales growth rate

The breach was $28M net. Considering that their sales for the quarter are $20.514B you’re looking at $.028B in net expenses from the breach. There’s a term for that. It’s called a rounding error.

Questions from Wall Street also curiously point to no real effect. JPMorgan (NYSE:JPM) notes that sales slowed in September and then took off in October. The CFO predicts things will go to the upside as nobody on the call says stores are reporting any customer blowback from the breach.

Chris Horvers – JPMorgan Chase – Analyst
Thanks. Good morning, everybody. A couple questions. So can you talk about whether you’ve seen or you saw any impact from the credit breach? What did you hear from stores? What was the pro saying in September, October? September trends did decelerate and then reaccelerate pretty nicely in October. So was curious if you thought any of that was the breach and what you are hearing in the field around it?

Craig Menear – The Home Depot, Inc. – President & CEO
Chris, really it’s very difficult for us to be able to determine if there was any impact. We were very, very pleased with the fact that we had positive transaction growth in each month during the quarter. And I think that represents strength for our customers, confidence in The Home Depot and we appreciate that.

Carol Tomé – The Home Depot, Inc. – EVP, Corporate Services & CFO
And don’t mean this to sound defensive, but if you look at a three-year stack, September was our hardest comparison.

Chris Horvers – JPMorgan Chase – Analyst
Understood. Right. Okay. And no real like, I guess, your stores aren’t communicating anything up to you that’s conclusive in either direction?

Craig Menear – The Home Depot, Inc. – President & CEO
No.

Chris Horvers – JPMorgan Chase – Analyst
Okay. And then as a follow-up, Carol, curious if you could talk about your thoughts on November. Of course, you said nothing has come to your attention, but you’ve heard a lot of retailers speak to a pickup or at least as good as sort of the trend from 3Q. So was curious how you would describe your view of November.

Carol Tomé – The Home Depot, Inc. – EVP, Corporate Services & CFO
Happy to talk about our perspective on November in the fourth quarter. As you know, it’s always tricky to forecast where sales will go in the fourth quarter because we’re heading into winter and I don’t know about where you are, Chris, but it’s mighty cold here in Atlanta. That being said, we are two weeks into November and I must say that I’m impressed with the sales that we’ve reported to date. So if there’s a bias in our forecast, I would say the bias is to the upside.

Chris Horvers – JPMorgan Chase – Analyst
Thanks very much. We like the word impressed. Good luck in the fourth quarter. Thanks, guys.

The stock is up about 10% since the breach. You don’t want to be on the wrong side of the trade like this person. Evidence suggests you never short a breach. You will be destroyed. You have to buy in before anyone else does. You have to buy the dip.

$HD: shorted this bad boy at $90 and have been destroyed. skyhigh expectations being dashed are my only hope for redemption

— tryingtomakeabuckinthemarket (@contrarianspeculator) Dec. 13 at 12:32 PM


2014-12-13-HD-TOS_CHARTS

Target Continues to Conquer All

Black Friday is back and the retail sector is better this year.  According to reports Target (NYSE: TGT) sales figures are up 40% over last year. Consumers really did not care about the hacking last year, and this continues to prove that such events are largely forgotten and do not influence consumer behavior.

As we can see investor confidence is higher than last year. TGT is now above the resistance of 73.50 from 7/22/2013 on the weekly chart. We are likely to see a continuation if the new support level holds.

2014-11-30-TGT-TOS_CHARTS