There was an interesting story released on Monday that doesn’t appear to have been picked up in a big way by the U.S. financial press (with just a few organizations, such as Bloomberg, having articles about it as of the time of writing); here’s a brief description from a BBC article on the subject:
“Chinese hackers have been blamed for infiltrating confidential systems within Coca-Cola (KO) for more than a month, Bloomberg has reported.
The fizzy drink firm was breached in 2009 when a malicious link was emailed to a senior executive. Hackers were able to spend a month operating undetected, logging commercially sensitive information. The US Securities and Exchange Commission (SEC) said Coca-Cola did not publicly disclose the attack.
Last year the SEC outlined guidelines for companies who had been hit by cyber-attacks, saying that transparency on the issue was in the interest of investors and other stakeholders. However, companies have so far been reluctant to do so - fearing for reputational loss and negative impact on stock price.
"Investors have no idea what is happening today," Jacob Olcott, a former cyber policy adviser to the US Congress told the financial news agency. "Companies currently provide little information about material events that occur on their networks."
In Coca-Cola's case, hackers masqueraded as Coca-Cola's chief executive, sending an email to Paul Etchells, Coca-Cola's deputy president for the Pacific region. The email contained a malicious link which was clicked on - allowing for hackers to install key loggers and other forms of malware on Mr. Etchells' machine. In the days that followed, hackers took emails and stole passwords to give themselves administrative privileges on the network. The infiltration was - according to internal documents seen by Bloomberg - blamed on state-backed Chinese attackers.
The hack came at a time when Coca-Cola was looking to acquire the China Huiyuan Juice Group for about $2.4bn. Had the takeover happened, it would have been the largest foreign takeover of a Chinese company. However, the deal collapsed three days after the cyber-attack, Bloomberg said, citing internal sources.”
Here’s a bit more on the attacks from the Financial Post:
“Computer hackers made daily incursions through Coca-Cola networks over a period of at least one month, often using systems that were first compromised by infected e-mails sent to company executives. The messages were disguised to look authentic but actually contained malicious software, or malware, that gave intruders a pipeline into the company’s networks, according to the report.
In the first two days, the hackers uploaded a dozen tools allowing them to steal e-mails and documents, installed a keystroke logger on the machine of a top executive in Hong Kong, and stole computer account passwords for other Coca-Cola employees, including those with administrative powers, to help them move freely across the company’s network, according to the report.”
As noted by the Post, Coca-Cola spokesman Kent Landers said that makes disclosure in public filing when they believe they are appropriate and in accordance with federal securities laws.
With a bit of research, I found an article from Bloomberg suggested that the SEC guidelines for cyber-attack disclosure was essentially voluntary (“recommended”), except for a few key companies – for example, the article noted a letter from SEC Accounting Branch Chief William H. Thompson to Amazon (AMZN) Worldwide Controller Shelley Reynolds requesting that the company, in future filings, “please expand this risk factor to disclose that you have experienced cyber-attacks and breaches.”
Here’s a bit more from the Disclosure Guidance filed by the SEC back in October 2011:
“Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.”
My interest in this isn’t in Coca-Cola’s disclosures (though it certainly seems that the fallout of a multi-billion dollar acquisitions, assuming this was the cause, is relevant information for investors to have); I’m more concerned with the implications it may have for investors looking to capitalize upon the rising middle class. For investors considering direct investments in emerging markets, I would simply warn that one should proceed with extreme caution – read a few dozen posts by John Hempton of Bronte Capital (link) to get an idea of as to why.
My opinion is that the best way to approach this is to stay with the U.S.-based multinationals that have solid geographical diversification and (as always) operate in industries that you thoroughly understand; you may not enjoy the explosive growth that some people can’t seem to live without, but that’s a small price to pay for the ability to sleep soundly knowing that you’re investment has limited direct exposure to any one of the rampant risks lurking in the emerging world.
About the author:
As it relates to portfolio construction, my goal is to make a small number of meaningful decisions. In the words of Charlie Munger, my preferred approach is "patience followed by pretty aggressive conduct." I run a concentrated portfolio, with a handful of equities accounting for the majority of my portfolio (currently two). In the eyes of a businessman, I believe this is adequate diversification.