In the fallout from Equifax’s 2017 data security breach, many were angered to learn that though the credit bureau publicly announced the breach in September, it had known about it since late July. This failure to immediately notify consumers that the breach had compromised the personal information of millions of Americans helped further damage public trust and sent the company’s stock prices tumbling. What few knew is that before the incident occurred, Equifax had been warned about its vulnerability to data theft.
At this point, it’s unclear whether Equifax can recover, or if the company—and its shareholders—will continue to suffer. In the same month that Equifax revealed the data security breach that impacted millions across the country, NPR reported that the firm suffered from another, separate hack involving payroll information.
The Equifax data security breach illustrates an important lesson not only for the general public on how to keep personal information safe, but also for investors whose portfolios took a serious hit.
What ESG Ratings Can Indicate about Publicly Held Companies
As the Telegraph reported, investment index company MSCI gave Equifax its lowest possible environmental, social, and corporate governance (ESG) rating in July 2017. While several issues were noted, MSCI specifically called out that the company “faces a high risk of data theft and associated reputational consequences.” ESG ratings, as an article on the Harvard Law School Forum on Corporate Governance and Financial Regulation explains, evaluate how a particular company manages its performance in certain areas “over time and as compared to peers.”
ESG ratings provide another data point to help investors better understand the companies they may be interested in including in their portfolios. For its ESG ratings, MSCI uses a scale that ranges from AAA to CCC. Companies with AAA ratings indicate leaders on ESG issues, while companies that receive B or CCC ratings—as in the case of Equifax—are considered “laggards.”
The problem with laggard companies is that low ESG scores indicate areas of weakness relative to other companies in a similar industry. This can be a cause of concern for all investors, and especially for impact and socially responsible investors.
While poorly managed ESG issues are bad enough, it can get worse. A report from AQR Capital Management found that stocks with poor ESG ratings may experience higher volatility, or risk, than stocks with strong ESG ratings.
Data Security and ESG Strategy
When thinking about ESG factors, many people’s minds may not leap to data security. However, the mishandling of individuals’ personal data can greatly affect their financial well-being and privacy. One Seattle woman alleged that her identity was stolen 15 times in the months after the Equifax breach. And not everyone is lucky enough to catch fraudulent activity early and shut it down fast. Permanent credit damage can occur, which can affect access to mortgages, car loans and other consumer lines of credit.
This mishandling and subsequent damage angers consumers and hurts an organization’s reputation. It could potentially lead to lawsuits and expensive settlements. This, in turn, can affect share prices. The Sustainability Accounting Standards Board includes data security and consumer privacy as a component of their Social Capital rating. They emphasize that technology companies especially can face serious reprecussions for inadequately protecting personal data: “The reputational issues around the care and treatment of that data are vastly important to these companies’ long-term value.”
Pay Attention to ESG Ratings (Even with ESG Funds)
Many funds labeled as socially responsible contain shares in companies ranked as poor managers of ESG issues. In fact, John Hale, director of sustainable investing research at Morningstar, found that many so-called “ESG funds” still held Equifax shares—even after the company received its CCC rating from MSCI. Working with a trusted advisor who’s willing to go deep on ESG issues can help ensure that an impact portfolio is living up to its name.
If maintaining a socially responsible portfolio is an investment priority, it follows that investors should pay attention to ESG ratings. At the very least, it’s likely that they’ll want to review their holdings periodically to make informed choices about whether to continue to hold shares in companies with the lowest ratings. Portfolios that pay attention to this area may, as the Equifax data security breach demonstrated, avoid losses from companies that put people or planet in harm’s way.