The new warfare: Cybersecurity in a digital era

weak-link
Credits: lexblogs.com

Ashley Madison, Adult Friend Finder, Last.fm, Tesco, LinkedIn, MySpace, Three, TalkTalk, Yahoo, Twitter, the National Lottery etc. all share a common feature: over the last few months these corporations have been the target of successful massive hacking operations aimed at stealing customer data. And the list keeps lengthening every day.

Cybersecurity is first and foremost a matter of education – a formerly blank executive training field that the likes of IBM have now penetrated. Human error represents a godsend for all hackers that no antivirus will be able to correct – “up to 90% of cyberattacks take place because computer users are both busy and gullible” writes Misha Glenny from the Financial Times. In September Russian hackers managed to break into the Democratic Party computer systems. The investigation showed that the attack was based on fraudulent emails sent to around a hundred members of the party. Around 20% clicked on the link despite the obvious risks it could entail. Although antispam filters have become increasingly sophisticated over the last few years, one cannot fully trust the machine (yet?) and blindly open messages landing into his inbox. In the same vein, ‘Ponzi 2.0’ chains can only flourish if the ‘links’ are gullible enough to hand money over to an unknown party. Reusing similar (and often benign) passwords on different websites is also a source of trouble – one of the reasons why ‘behavioural biometrics’ are being experimented. More broadly the analysis of human behaviour will become a cornerstone of the cyber war, both on the assailant and defender sides.

The corporate world has become increasingly aware of the threat over the last few years, even if in some cases the learning curve involved paying a high price. Small businesses, which have less budget to spend on ‘cyber-defences’, are particularly targeted. A third of small British businesses suffered a breach in the past year according to a UK government study, while insurer Beazley predicts a 400% increase in ransomware breaches this year – a particularly efficient attack as the corporate target is prevented access to all data unless it pays. In France, cybersecurity consultancy Wavestone showed that 100% of 128 large corporate websites were showing security loopholes, 60% of which could allow the hacker to download a batch of commercially sensitive data. More generally, the emergence of new technologies, such as driverless cars, will greatly rely on the ability of manufacturers to convince the general public that the ‘computer at the wheel’ cannot be corrupted. Poor security infrastructure design, resulting from a lack of time and budget, is pointed out as a root cause. A few days after the news were made public, the French government passed a law requiring all businesses to map their data and ensure appropriate protection and access by May 2018. In the US, a similar directive aimed at the financial services industry – the most affected by data loss – has been issued.

Large institutions are not immune either. Tesco Bank suffered a carefully planned and heavily publicised attack in early November. Money was stolen from 20,000 accounts (out of 136,000) and led all the bank’s customers with no access to their money for more than 24 hours. The investigation subsequently showed that management had been previously ignored warnings from third parties highlighting weaknesses in the Tesco and Tesco Bank mobile apps. Two of Russia’s largest banks suffered DDoS last month. Even the SWIFT messaging system, which governs financial transactions between banks across the world, has faced attacks. French newspaper Les Echos recently highlighted that cyberattacks had little impact on share prices, although this could likely change in the future.

Irrespective of size, the cost of replacing the entire software framework can be prohibitive for a business. Countless firms still run their operations on Windows XP, despite Microsoft not offering any security update since 2014 and security breaches having already been identified since then. For those favourite targets, the aim is less to prevent attacks than making the reward unattractive, by physically isolating critical data in separate infrastructures.

For a long time their basic features and limited memory space made smartphones unlikely candidates for cyberattacks. With the rise of open operating systems (Android and iOS) making devices accessible to third party app designers and the continuous development of new capabilities this is not the case anymore – one could even say that because we spend our life with smartphones in our pockets the potential risk of hackers accessing personal data through these devices is higher. Standard solutions have been recently developed – messenger app Whatsapp now offers encrypted communication protocols – and a handful of brands are now offering ‘military-grade security’ – at a (hefty) price.

The ‘internet of things’ is also adding further risk to the balance. These recently launched devices are numerous (6.2bn today and 20bn by 2020 according to Gartner) and usually designed with a time and money focus on tech specifications and push security into the background (or do not even bring it on their agenda), with no or weak default passwords. In September French web hosting company OVH suffered a ‘Distributed Denial of Service’ (or ‘DDoS’) cyberattack led by a network of more than 140,000 Web-connected video recorders, a significant figure but still very short of the 10m+ devices mobilised on 21st October to create the largest DDoS attack ever recorded.

A pernicious characteristic of successful cyberattacks lies in the fact that very often they remain unspotted. In the Financial Times Violet Blue, a cybersecurity expert, explains for instance that he “keeps a little sticker over the cameras on all my devices to prevent unauthorised spying”. Your camera may be on without you knowing.

For all those reasons, cybersecurity has become a serious matter for intelligence services. In the UK, the government’s National Security Strategy elevated cyber security to the “tier 1” risk category and the MI6 has announced its intention to recruit more than 1,000 new staff by 2020, a 40% rise, primarily to foster their still rudimentary IT capabilities. As mentioned by Nigel Inkster, former director of operations for MI6, in the Financial Times: “The days in which intelligence officers could plausibly adopt different identities and personas are pretty much coming to an end. […] The challenge of having a credible digital footprint is significant.” Cyberattacks could impact traditional warfare; Chinese hackers for example tried to steal military data contained in nuclear-powered aircraft carrier USS Ronald Reagan. As a result, undercover moves usually belonging to the secret sphere emerged last month when US vice-president Biden publicly hinted that the USA could launch a retaliatory cyberattack against Russia while Angela Merkel later warned against this kind of attacks – symptoms of the unbearable tension this new type of war has triggered.

Not far from the debate around cybersecurity lies the one around the veracity of information found on the Web. In a world where anyone can publish and share information across the globe in seconds and where the content of the most visited encyclopaedia can be freely edited, we must become increasingly critical against the flow of data that we receive.

Defence against cyberattacks will represent one of the pillars of individuals’ and businesses’ security in the coming years and possibly decades. Fortunately or not, this post intended to show that we, as Internet users, largely hold the cards in that fight: let us make sure that we use them wisely.

More updates…

We start the week with the latest news that have been shaking up some of the topics we have already covered in this blog.

News brought to you courtesy of Warren. Credits: Daily Mail.
News brought to you courtesy of Warren. Credits: Daily Mail.
  • Apple struggles to maintain its market share in China according to the company’s latest filings released last month. Although Apple’s revenues in the country are up 50% compared with 2014, local rivals such as Huawei, Vivo and Oppo have been offering cheaper although similarly powerful devices. The firm is supposedly eyeing towards India as its next revenue growth driver. In the meantime it launched its latest ‘product’, a retrospective book entitled ‘Designed by Apple in California’, and priced the Apple way: $199 to $299 depending on the edition.
  • Twitter has announced it would cut 9% of its workforce in order to keep costs down. This comes at a bad time for the firm which have been increasingly criticised for allowing cyberbullying, racism and misogyny to flourish on its platform and now has to find a new COO after the departure of Adam Bain. Twitter responded by suspending several accounts belonging to right-wing extremist groups, although it has for the moment ruled out ‘instant message moderation’. The idea that “good speech naturally wins out” is a fallacy, argues heather Brooks in the Financial Times.
  • The election of Donald Trump in the US caused a mini-stock market shock to tech values. Mr. Trump is indeed believed to ease the tax policy surrounding corporate earnings made overseas – currently those earnings are taxed at 35% and the rate could go down to as low as 10%. This explains why Microsoft, Apple and Google have been keeping billions of dollars offshore. This news could have been welcomed but are investors actually fearing what executives are going to do with this ‘idle’ money?
  • Notwithstanding this rumour Facebook announced earlier this week a $6bn share buyback aimed at curbing the negative share price impact of an expected growth slowdown expressed during its latest quarterly result presentation. This decision represents an archetype of buyback for ‘wrong’ reasons, as flagged in my post a few months ago. Facebook is not buying shares because it believes they are cheap but because it needs to satisfy its existing shareholders – a typical value-destroying move.
  • Microsoft’s acquisition of LinkedIn could trigger a wave of antitrust challenges, according to Marc Benioff, Salesforce’s CEO. LinkedIn’s data could indeed provide Microsoft with a unique competitive advantage especially in the field of CRM – hence Mr. Benioff’s ire. As a response Microsoft proposed to give rivals access to its software and offer hardware makers the option of installing other services.
  • SoftBank is entering the ‘tech unicorn’ investor market the big way, through the launch of a $100bn fund anchored by Saudi Arabia. The implied equity cheque size (up to $5bn according to its CEO) could provide a private exit door for a handful of existing unicorns reluctant to go through the ‘IPO gateway’.
  • Sigfox, the French ‘Internet of Things’ specialist, could soon join the unicorn club, being valued at €600m according to its latest fundraising round. The operation was relatively unique in the sense that it gathered public entities, private companies and VC funds around the same (investor) table.
  • Fitbit could conversely become the next ‘unicorpse’. The company’s share price has declined by 80% over the last 18 months as tech behemoths have been progressively entering the field of connected objects. On its side, Fitbit tried to put the blame on one of its suppliers to explain its recent supply chain disruptions – whereas analysts attribute this phenomenon to incorrect demand forecast.
  • Karhoo has already reached this status, filing for bankruptcy after just 6 months of activity. The start-up, which raised $250m and was employing 120 people despite only generating $1m of revenues in London. A very aggressive promotional policy, consisting of ‘thousands of pounds of vouchers’, alongside a “ludicrous lack of corporate governance”, led the company to ruin in a highly contested market.
  • Nutmeg managed to raise £30m from international investors despite posting pre-tax losses of £9m this year.
  • Snapshat could be the big IPO of 2017, hoping to raise additional equity at an implied valuation of $20bn to $25bn – although the exact amount still needs to be determined. The two founders will keep the control in any case through the use of preferred shares.
  • Uber faces legal challenges in the UK, where a court ruled that Uber drivers were not independent but actually salaried workers. In France the fact that some Uber drivers could under some circumstances be promised a minimum wage is also a cause for dispute.
  • The Airbnb business model is being challenged in an increasing number of cities. After New York and San Francisco, Berlin and London have joined the fight to prevent the firm from putting pressure on dwelling supply and subsequently pushing rents up in the most touristic areas. After relentlessly fighting all forms of regulatory resistance, the firm has changed its approach and is now intending to strike as many tax deals as possible with the cities it operates in – bringing the figure up from 200 to 700 and covering 90%+ of its revenues.

That is it for this week in terms of updates! Next post (hopefully later this week) will introduce the cybersecurity topic.

Floating or sinking? 5 questions to understand the IPO challenge

Mark Zuckerberg at the NYSE in 2012
Mark Zuckerberg at the NYSE in 2012

In this post I would like to take an interest in ‘Initial Public Offerings’ or ‘IPOs’. We all remember the big tech offerings of the last two decades (Yahoo in 1996, Google in 2004, Facebook in 2012) which made their founders join the billionaire club. Today a company founder is usually considered as ‘unanimously successful’ if he has managed to ‘float’ a significant share of his company – and if the share price has not collapsed since then, meaning that he has won a ‘seal of approval’ from the stock market. Behind this phenomenon, I have highlighted 6 questions worth thinking about in my view.

 

What are the pros and cons of public as opposed to private ownership?

‘Public ownership’ means by definition that shares are made available to the public. Shares in a public company are therefore much easier to buy and sell through marketplaces (stock exchanges) or ‘over the counter’ (where the buyer and the seller negotiate directly). Private company shares can only be exchanged through the latter way. This largely prevents small shareholders (such as employees) to monetise their shares.

Credits: www.cartoonstock.com
Credits: www.cartoonstock.com

Public ownership requires that all potential investors benefit from the same level of information. This explains why public companies’ annual reports are usually hundreds of pages long. Producing this information and, more importantly, making it compliant with regulatory requirements, comes at a (significant) cost, notwithstanding the fact that a public company may have to reveal competitively sensitive information – one of the reasons why they tend to have recourse to cryptic jargon. Conversely, private companies do not need to release any data to the public -they just need to maintain an even level of knowledge within their current investor base.

The fact that information is limited and that share trading mechanisms are more difficult to implement makes the potential shareholder base narrower in the case of a private company. As a consequence, the investor base in a private company is usually much more concentrated, meaning that it is easier for shareholders to push management in the same direction – this one of the core governance principles underlying private equity – and this may seduce ‘activist’ investors.

On the contrary, public companies can attract a higher number of small investors and could thus raise a higher amount of money – a few years ago raising money to fund growth was one big reason for companies to go public, at least in Europe. Nowadays, with quantitative easing in place and interest rates in negative territory, private companies can fund their growth without having to go public – see Uber’s recent $3.5bn fundraising round.

Source: Financial Times
Source: Financial Times

So, to summarise, going public provides liquidity to existing shareholders and enables the company to tap into a wider investor base, but this comes with a price associated with the publication of regulated information.

 

Why is there a push for private tech companies to go public? Is this push unanimous?

Tech company shareholders (e.g. venture capital funds) perceive the current environment (excess of liquidity, stock markets reaching all-time highs etc.) as extremely favourable for introducing new stocks at a relatively high price compared with historical standards. These funds typically have 10-year lifespans and are in a pressure to return liquidity to their investors. Pressure has been formalised in Spotify’s last debt fundraising round terms: the more the company waits to file for an IPO, the more expensive the debt will become. Separately, employees in these companies accepted to trade a share of their cash compensation for shares (‘stock-base compensation’ represents 31% of revenues at Twitter) and would like to see their hard-working, poorly remunerated efforts ultimately pay – as mentioned earlier, it is nearly impossible for an individual shareholder to sell the shares he owns in a private company.

On the other side, you have management teams which, as mentioned above, do not perceive the need to go public any more to fund growth, although they can clearly see the regulatory burden associated with public ownership.

Source: Financial Times
Source: Financial Times

To hep the two sides meet, ‘secondary markets’ have recently developed as a middle ground between unstructured private ownership and fully-fledged public stock markets. These secondary markets enable early-stage investors to cash out while maintaining the ‘private’ nature of the company.

 

Why is the IPO window said to be narrowing?

The number of IPOs has over the last few months collapsed – only 14 since the beginning of 2016 compared with an annual average of 49 since 1980. Not that the flow of candidates has dried up: Misys, a UK financial software provider, cancelled its IPO last month while O2 has indicated that the company’s planned IPO would not happen this year.

After having been attracted by the new shiny unicorns, ‘public investors’ are now proving much more cautious in their approach – possibly still having in mind the misfortune of past so-called ‘success stories’ such as Zynga. See for example this list of ‘top 10 IPOs to watch in 2016’ and compare it with the actual number of completed IPOs to get a feel of the chilly market weather.

Yes, 2015... Credits: www.turner.com
You could recycle the list for 2017. Credits: www.turner.com

Now a shiny brand name and a glossy equity story are usually not enough and the days of valuation based on revenues (i.e. putting aside any profitability consideration) or eyeballs (the mantra of the late 1990s) are over. Investors are looking for an established business model, a diversified product portfolio (suspected to be the cause of Dropbox’s IPO delay), a clear strategic edge, proven profitability (at least in some geographies) or a clear path to achieving so in the short-term, and a robust and fully committed management team with significant ‘skin in the game’.

This list of selective criteria does not prevent some IPOs to successfully complete. Coupa (despite having not made any profit) or BlackLine are two recent examples of recently floated companies which experienced significant share price growth on their first day of trading.

 

If the environment happens to be so favourable, why are Airbnb or Uber delaying their IPO?

Airbnb and Uber are often announced as the ‘hottest IPOs of 2017‘ – alongside with Snap. Those two brands however have been enjoying success for years now and one could wonder why these firms have been waiting before testing the public markets.

Credits: www.licdn.com
Credits: www.licdn.com

The reasons can be found in the previous questions. Airbnb currently does not need public markets to raise new money. Uber is burning cash at a gigantic speed – more than $1bn in H1 16 according to estimates – which makes the aforementioned ‘path to profitability’ tedious at best. Another less honourable reason is that the firms’ current valuations ($68bn for Uber, $30bn for Airbnb) would probably not withstand public markets scrutiny. Indeed, these valuation figures are purely based on extrapolations of the last fundraising round (see my previous post for further explanation) and tend to be substantially higher than the value allocated to a larger share of the equity.

As another example we could have mentioned Palantir which, despite being privately valued at $20bn, has yet to report a profit. According to Alex Karp, the company’s CEO, the IPO was postponed on the belief that large public companies struggle to recruit the most talented engineers – this statement must have been welcomed by Alphabet‘s teams.

 

Many of the tech start-ups, from small to very large, will have to face the ‘IPO hurdle’ in the coming months or years. In a world where investor liquidity does not represent a discriminating factor any more, public markets may become the next justice of the peace.

Updates, updates…

Some more follow-ups this week:

  • coupa-softwareEarlier this month Coupa Software proved to be one of the very few completed AND successful tech IPOs this year, despite reporting a loss of $24m for total sales of $60m. The shareholders were wise enough to limit the sale to $153m worth of shares, a fraction of the $1bn+ total enterprise value, in order to price the IPO at the top of the range. On the first day of trading the share price had jumped by 121.7% to $39.71, although it has since cooled down to c.$27. In any case this event shows a clear investor appetite for this kind of assets – good news for the likes of Uber and Airbnb.
Coupa Software share price evolution in USD since IPO. Source: Yahoo Finance
Coupa Software share price evolution in USD since IPO. Source: Yahoo Finance
  • On the contrary Theranos, once valued at $9bn, is close to bankruptcy after the FDA pointed out failures in its patient data collection procedures, highlighting the risks for investors who put their money in unicorns operating in ‘regulated’ areas such as healthcare or financial services – remember Lending Club.
  • Credits: rt.com
    Credits: rt.com

    Airbnb is facing ‘life-threatening’ disputes in New York and San Francisco whose governors have expressed the intention to rein the ‘short-term rental’ offering in. It is indeed argued that this type of systems contributes to the increase of rents in tight dwelling supply areas since landlords prefer to rent unoccupied flats on a short-term basis rather than putting it back on the market. So far the New York governor has approved a law which allows the city to fine landlords who list apartments for rentals of less than 30 days – a ‘half-baked measure’ difficult to enforce given that the authorities do not have access to the landlords’ identities.

  • After China, Uber is facing tough competition in Russia where Yandex Taxi, funded by the eponymous deep-pocketed search engine, has decided to cut its minimum base fares in half, leading to a taxi driver protest.
  • More generally the funding environment for start-ups has deteriorated slightly as investors prove increasingly selective in their investment decisions. Venture capital investment in European companies dropped 32% yoy in Q3, in line ith the 35% YTD drop noticed in California. The IPO window has also proven more and more difficult to reach, with investors perceiving some proposed valuations “ludicrously overpriced compared to existing peers”.
  • Credits: www.juancole.com
    Credits: www.juancole.com

    Twitter is back in the doldrums after the last takeover candidate, namely Salesforce, dropped the case after careful deliberations. The share price had already taken a hit after Microsoft denied interest, lowering the competitive tension. Although some experts believe that the company would represent a great ‘trophy asset’ for an activist shareholder, management has now shifted its attention back to streamlining its cost structure, initially designed to serve more than 500m users, way higher than the actual user base (300-350m). This exercise will result in 300 employees losing their job this year, according to Bloomberg.

Twitter share price evolution over the last 60 days in USD. Source: Yahoo Finance
Twitter share price evolution over the last 60 days in USD. Source: Yahoo Finance
  • Carrefour and Auchan have launched initiatives to tap into the wisdom of start-ups to boost their digital capabilities. Les Echos reports that Carrefour has built relationships with more than 150 start-ups and has invested in the VC fund Partech Ventures while Auchan organised earlier this month its first ‘Salon des start-ups’. Due to its close proximity with historical retailers, Lille appears as the spearhead of ‘French retail tech’, having hosted the #conext show as well.
  • UBS became the latest major bank to join the ‘robo-advisor trend’ after it announced that it would roll-out such a service in the UK no later than next month. This decision will make the service available to users with as little as £15k in personal savings, although the 1% annual fee levied for customers investing solely in ‘passive’ funds is still high compared with industry best practices. In the same vein Charles Schwab announced its robo-advisor service was now managing more than $10bn in assets, a c150% yoy growth. The first independent ‘French tech’ player, Yomoni, has much more modest ambitions, targeting $1bn of AuM by 2020.
  • Apple reported its first annual decline (9%) in iPhone sales volumes (in line with analysts’ expectations) despite the misfortune of the Samsung Galaxy S7.
Updated chart showing yoy ASP and sale volume evolution for the iPhone. Sources: SEC filings, author analysis
Updated chart showing yoy ASP and sale volume evolution for the iPhone. Sources: SEC filings, author analysis

That’s it for now!