Equifax had a data breach, a preventable one (or so they say *), in 2017. It was the biggest in US (and world) history, a dubious honor that could potentially be retained for a good long while. The consequences of said breach? Until last week, the answer would have been “pretty much nil.”
(* As remarked in a previous post, saying that Equifax’s data breach was preventable is to give Equifax too much credit.)
A Clockwork Pattern
Certainly, Equifax’s stock took an immediate hit in the week the breach was announced. Its price dropped about 30% from the previous day. But, over the course of one year, the stock regained its losses, falling short only 5% of its high point, pre-data breach. Then, about a month later, the stock took another hit of approximately 30%, but only because of poor earnings. According to an October 2018 article on fool.com,
Equifax’s management said that the slowing demand for mortgages, as well as currency headwinds, were largely to blame for the subpar performance.
The very short article goes on to note that the stock was probably also feeling additional pressure from the unresolved status of the data breach. Which sounds, if not plausible, at least logical; but if true, then how does one explain that Equifax had nearly recovered all its losses a mere month before? It’s not as if the company wasn’t feeling any pressure from the unresolved status of the data breach thirty days earlier.
The second stock price hit can only be explained if investors were focusing on operational revenue pressures, with the data breach having been largely written-off from future calculations (or at least severely discounted). And who would blame them? In the past 15 years, there never has been significant long-term repercussions from a data breach, especially when it comes to companies with international name recognition, be it stock prices, revenue, net income, etc. This pattern has been evident since at least the TJX (the parent company to TJ Maxx) breach of 2006.
Until now. (Or so it’s implied).
Rating’s Firm Downgrades
Moody’s, one of the top investment rating firms in the world, has downgraded Equifax’s future prospects and named cybersecurity as a key factor. This has prompted many media outlets to insinuate that Equifax’s 2017 data breach had a delayed impact on its stock price.
However, if you look into the fine print, it’s a mixed bag, since the downgrade is not necessarily because of the 2017 data breach as much as it’s about future cybersecurity concerns in general. Per cnbc.com:
Moody’s cited Equifax’s recent $690 million first-quarter charge for the breach as contributing to the downgrade. The expense represents the company’s estimate for settling ongoing class action cases, as well as potential federal and state regulatory fines.
“We estimate Equifax’s cybersecurity expenses and capital investments will total about $400 million in both 2019 and 2020 before declining to about $250 million in 2021,” the note says. “Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach.”
Equifax could be wrong about the money they set aside, certainly. The $690 million they’ve reserved could be insufficient. But chances are that it isn’t. There’s plenty of historical precedent to bet that Equifax won’t be drawing much more from their kitty than what they’ve reserved.
Compare that to Moody’s forecast that a total of $1.25 billion will be spent on cybersecurity expenses in the next three years, and that similar costs will continue to affect Equifax’s cash flow into the future, but at a reduced level (one assumes it will still be in the millions of dollars annually). One has to conclude that this was given more weight when Moody’s downgraded Equifax.
Equifax’s stock has dipped about 4% since Moody’s announcement, a far cry from the 30% dip about a year and a half ago, and the price is already trending upwards. Even Equifax’s (publicly-listed) closest rivals seem to have been affected by the same announcement, their listed prices shedding about the same amount, percentage-wise.
So, what were the consequences of the 2017 breach for Equifax? Until last week, the answer would have been “pretty much nil”… and that answer still holds.
You could point out that the company has spent over $1 billion in fines and other expenses, and has cost the CEO and other senior management their jobs as well as their reputation. So, it’s not “nil” by a long shot. On the other hand, how much of that figure was turned into nothing using accounting magic? And what sizes were the golden parachutes of the fired executives?
So, if you read online that Equifax’s future prospects were “downgraded for a cyber attack” and are under the impression that they’re finally getting what they deserve, chew on it a little bit more.
Related Articles and Sites: