Morgan Stanley’s Andrew Harmstone on cyber security and ESG

The Morgan Stanley portfolio manager on the investment impacts of new EU regulation on data protection

I always feel like somebody’s watching me.
And I have no privacy.


The lyrics to Rockwell’s 1984 hit Somebody’s Watching Me are the musings of a paranoid individual worried that his neighbours, his mailman and the IRS are watching him. Since then, concerns about data privacy and cybersecurity have grown far beyond the snooping mailman, driven by the internet, the volume of data gathered and developments from spyware to smart TVs that actually do watch back.
Data privacy falls within the Social pillar of Environmental, Social and Governance (ESG) considerations and, in our opinion, can translate into tangible value. In May 2018, the European Union (EU) General Data Protection Regulation (GDPR) will become effective. Its goal: to give EU citizens control over their personal data.

Because large companies are global, the GDPR will likely have far-reaching effects – non-compliance could mean significant penalties of up to 4% of a company’s annual global turnover or €20 million – whichever is higher. Along with responsibility, accountability (making automated decisions such as profiling contestable), explicit consent and data portability, the regulations include a new right to erasure.
This suggests that investors who purchase shares of companies that are behind the curve in terms of data privacy protection capabilities and general cybersecurity could be assuming real risks. Potential lawsuits, reputational damage, revenue loss, intellectual property theft and the cost of infrastructure repairs are significant risks on their own. The prospect of a fine bolsters the case for weighing a company’s strict adherence to the regulations when considering potential investment.
There is a massive amount of information that could now be subject to ownership rights at the individual, data-subject level under the GDPR. That data was already owned by the companies that collected it, analysed it and sold it for big profits. For industries that have grown up around a model of data being free, this could lead to significant disruptions. For others, it creates investment opportunities. The number of security incidents against companies has been rising at over 60% a year since 2008. The growth of the “Internet of Things,” with now billions of connected items, will likely open up new sectors to the risk of cyberattack – from household items to medical devices to autonomous vehicles.
As a result of increasing cyberattacks, spending on security software in the Americas, EMEA and Asia Pacific (including Japan) is on a consistent upward trend, with the highest spending in the US. We would not be surprised to see other regions catch up: the GDPR, for instance, should increase cyber security spending in Europe. This supports our more general view that the economy is undergoing not just a cyclical increase in investment, but also positive secular trends.

Opportunities are not limited to the investment side. Stock prices also appear to react to how well companies handle privacy along with other ESG issues. We found that over 12 months ending June 2017, social scores in the US, Europe and Japan were positively associated with IT sector stock market performance, and the highest-scoring companies were the best performers. Understanding cybersecurity and acting as responsible shepherds of customer data contributes to reduced risk for companies. It could also lead to a more attractive cost of capital and lower operating costs.

What was paranoia in 1984 is reality in 2017. Somebody is watching you and gathering your data in previously unimaginable quantities. But with regulations such as the GDPR in Europe, you will own your data. This regulatory change is one aspect of the fast-evolving cyber-environment, which is disrupting industries worldwide. The risks and costs to companies of not keeping up with change are great, be it from fines, reputational damage or lower productivity due to cyberattacks – each can erode companies’ profitability. Therefore, data privacy and security, within the Social pillar of ESG concerns, is a factor worth considering when assessing investment opportunities.

Andrew Harmstone is a portfolio manager in Morgan Stanley Investment Management’s Global Multi-Asset team