Data Security Crashes Without Good Governance

Data Security Crashes without Good Governance

In case we needed another reminder that ESG is not just about “E”-related things, and that there are real risks, costs, and opportunities associated with each pillar (E, S, and G), here is a prime example. It shows why the “G” in ESG – Governance – matters for companies that care about data security and cybersecurity. As this example shows, not all data losses are the result of evil-doers hacking into networks and stealing files. 

Give Away Computers Without Erasing Files?

On September 20, 2022, in his Opinion column “Money Stuff”, one of our favorite financial journalists (Matt Levine at Bloomberg) reported the following (the italics are ours):

The Securities and Exchange Commission today announced charges against Morgan Stanley Smith Barney LLC (MSSB) stemming from the firm’s extensive failures, over a five-year period, to protect the personal identifying information, or PII, of approximately 15 million customers. MSSB has agreed to pay a $35 million penalty to settle the SEC charges.

The SEC’s order finds that, as far back as 2015, MSSB failed to properly dispose of devices containing its customers’ PII. On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers. Moreover, according to the SEC’s order, over several years, MSSB failed to properly monitor the moving company’s work. The staff’s investigation found that the moving company sold to a third party thousands of MSSB devices including servers and hard drives, some of which contained customer PII, and which were eventually resold on an internet auction site without removal of such customer PII. While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices…

In June 2021, MSSB obtained another fourteen of the missing hard drives from a downstream purchaser. Based on forensic analysis of these hard drives, thirteen of the devices contained a total of at least 140,000 pieces of customer PII. The vast majority of the hard drives from the 2016 Data Center Decommissioning remain missing… 

We are rather dumb-struck by this. It’s one thing to maintain good cyber-defenses and still get hacked; it is something else to ignore good governance practices entirely. This is not a situation where an employee fell for a phishing scheme; it’s more like giving a wallet you don’t want any more to someone you don’t really know and neglecting to remove your credit cards. That brings us to the following: corporate governance isn’t just about making sure there are qualified people on the board of directors and putting good policies in place. It’s about follow-through. 

Training, Transparency, and Communication

This is more than just embarrassing for Morgan Stanley. Who knows where those devices that hold customer data will end up, and what fallout there may be in the years to come? Failing to protect customer data can result in substantial financial costs (such as paying ransomware to recover stolen data, or having to give every affected individual a year’s subscription to a data monitoring service), a loss of trust on the part of your customers, employees, and suppliers, and possibly irreparable damage to a company’s reputation and brand, which could affect shareholders for years. 

The demand for transparency into how companies use and protect customers’ personal data is growing, and most large companies have mandatory training showing employees how to spot phishing scams and avoid downloading malware. But Morgan Stanley’s unforced error reminds us that while transparency and training are important, it is also essential to have a culture of risk awareness and a protective attitude toward data—in other words, good governance. 

According to Keri Pearlson, executive director of Cybersecurity at MIT Sloan, technologies and training and awareness programs have greatly increased in recent years as cyberthreats have grown. But as we said above, that’s not enough – Pearlson says the weak link is typically people and behavior, noting “We put so many resources into ‘locking up’ using technology that we forget about the back doors in the organization, and that’s usually people.”

We’ll bet that Morgan Stanley has a policy about wiping hard drives clean before getting rid of old computers. But apparently no one followed through, and no one checked before those computers went out the back door. This article from the MIT Sloan School offers some good advice when it comes to such policies: communicate in terms that will resonate. A major insurance company figured out that the word “cybersecurity” wasn’t connecting with its employees, and that “protect our data and systems” was more effective. 

IBM states that in 2021, the average cost of a data breach rose to $4.24 million, the highest in the 17-year history of the firm’s Cost of a Data Breach report, and the 2021 Verizon Data Breach Investigations Report notes the human factor was involved in over 85% of breaches. As MIT’s Pearlson observes, the human element is by far the largest risk, and that’s where governance and corporate culture make a difference. As Pearlson notes, it’s about “infusing safety into the organizational fabric so every employee is constantly reminded of their role and responsibility to keep the organization safe.”

KMPG recommends taking an ESG approach to cybersecurity, and says that consumers are becoming more aware of potential vulnerabilities at companies with which they share data.  This includes personal identification data that could be used in identity theft, credit card and bank account information that could result in fraudulent transactions and irreversible money transfers, and data about your purchases, medical history, political affiliation, and other things that are simply not anyone else’s business but yours.

You may have heard the phrase, “Privacy? Get over it” –  mostly from Gen Z-ers who seem to have no qualms about giving away their personal data via apps. Every company that collects our data – whether through a social media platform, as part of a banking relationship, or in any other part of our increasingly online lives – is essentially saying “trust us, we won’t do foolish things that put your data at risk.” Strong governance may be the most important way to deliver on that promise. As a bonus, companies with good governance practices tend to be managed well in general, which helps to create value for shareholders. 

To find out how OWL ESG can help you to evaluate the quality of corporate governance within companies in your industry, or in your investment portfolios, contact us