Just because today’s tech titans are the new robber barons does not mean data is the new oil. This oft-made comparison not only smacks of convenience, it lacks imagination, which in turn leads to serious miscalculations when it comes to information security, data privacy, valuation and, perhaps most critically, public policy. Yes, countries will go to war over data and the 2015 nation-backed attack on Sony Entertainment was likely the opening salvo. Yes, the world is ravenously dependent on data and the technologies and infrastructure that pipe it like so many cars, pipelines and oil wells before it. Yes, data poses systemic risks to the global economy. However, this is perhaps where the comparison stops.
For one, despite naive views to the contrary, oil is a scarce asset, whereas data is not. It was not until the advent of blockchain technology that the concept of data singularity even became possible. A barrel of oil or the unexploited resource deep underground or trapped in shale deposits cannot have a digital twin and certainly not with a fractional cost of zero. While digital tokens can represent a share of an underlying asset such as oil, the fact of the matter is that the party that has the care, custody and control of the asset – in oil’s case typically a gun-toting nation state – will ultimately have the final say on how it is monetized and apportioned. This is one of the reasons oil and natural resources are so often a casus belli and the subject of expropriation and nationalization cases. Oil, like other tangible assets, labors under a high “drag coefficient” or friction and is geographically constrained. Data, by contrast, is not only borderless, it is formless and infinitely liquid. Wars waged over oil and natural resources are subject to the doctrine of realpolitik, whereas information warfare, psyops and cyber threats play to the doctrine of the id and superego turbocharged by Moore’s law and globalization.
Both asset classes create negative externalities: where the carbon-hungry robber barons of yore inadvertently triggered man-made climate change, today’s tech titans have opened a Pandora’s box of cyber threats. Both pose grave societal threats; the latter are tearing at the very fabric of democratic institutions and the post-war world order with frightening ease, distorting the very nature of truth, trust and fidelity and leaving behind no smoking craters. Indeed, it does not augur well that Twitter, used by more than 336 million people, including the U.S. president, had over 70 million fake or suspect accounts – roughly the size of its U.S. user base. In the hands of fake news-inducing bots or politicians, data and its attendant distortion can become a weapon of mass destruction.
The opening salvo of this cyber warfare may have very well been the Sony Entertainment cyber-attack over The Interview film in 2014. This attack, which was perpetrated by North Korean-backed operatives with the nom de guerre Guardians of the Peace, successfully crippled the firm’s entire value chain, causing an estimated $100 million in direct costs, not to mention second and third order effects. Since then, there is not a corporate board that is not at a minimum cyber aware, which has been aided by the sharp reality that GDPR, Europe’s far-reaching data privacy rules, will be as consequential as suffering the unwanted sunlight courtesy of a cyber-attack or data breach. Boards would be well served to push the enterprises they govern to ascribe uniform and comparable economic value to their data. If nothing else, this exercise would help firms find those elusive information “Crown Jewels” that so many cybersecurity professionals speak of. Just as a financial stress test can help a bank back into its potential capital shortfall with a high degree of precision, stress testing the share of enterprise value derived from unique data assets can produce a similar outcome. For some firms the number will be equal to 100% of enterprise value.
Perhaps most insidiously, the biggest departure between data and oil stems from its valuation, which flies in the face of the billions of dollars spent each year on digital transformation and data monetization efforts. A barrel of oil and its derivatives enjoy a universally accepted transparent economic value, which is part of what enables oil-rich nations to garner future value based on proven reserves. Indeed, Venezuela’s cryptocurrency, the Petro, however fanciful, aims to play at this temporal economic relationship, although the effort has failed due to hyper-inflation and rapidly unraveling economic and social order. For data rich firms, such as Google, Facebook, Twitter, Apple, Amazon, among others, data performs much less like oil and much more like cash liquidity in a bank. In short, you only know it matters (and how much) through its scarcity caused by a bank run, lock out or some calamitous event restricting access.
Today, there is no generally accepted accounting principle (GAAP) for how firms can ascribe an economic value to data on their financial statements or balance sheets. Most publicly-listed firms will pay lip service to digital transformation efforts or outline how they are hardening their cybersecurity posture because customer privacy and intellectual property protections matter. However, ironically, given this gap in accounting standards, their economic recognition of these investments and, conversely, their informational risk exposures go unrecognized and largely unhedged. This is one of the largest shortfalls of management accounting practice, investor and consumer protections and regulatory oversight, leaving trillions of dollars of potential economic value at risk and unrecognized.
A simple example illustrates the challenge. Thousands of companies buy cyber insurance each year, making it the fastest growing segment of the insurance market. In the U.S. alone, more than 80 insurers are chasing the cyber ambulance, offering customers all manner of coverage, whether it is a placebo or panacea. Compared to the clarity of insuring a home, however, the lack of a universally accepted approach in valuing data is revealed. A million-dollar home would presumably be insured for a million dollars, lest the homeowner face a financial shortfall. Today, however, due to the lack of a uniform data valuation method, the market is relegated to woefully ineffective linear math that is a function of the total number of personal records multiplied by an expected notification fine in a breach, which equals a recommended sum of coverage. This sum, however suitable, only countenances first order economic harm to an enterprise and relates more to customer privacy and notification requirements than to second and third order impacts on an enterprise. Ask a hospital that loses access to patient records due to a ransomware attack how much they care about notification costs when a patient’s life-saving surgery is held at bay.
In persistent threat scenarios, such as a ransomware attack on a business with no monetary goal, much like Delta Air Lines’ 2016 ground halt due to systems failures, the lack of access to data is a veritable Achilles heel for many firms. Just as financial regulators backed their way into the risk profile of systemically important banks after the financial crisis by running stress tests (pitiably, many of these rules that made the global economy safer are being relaxed), firms can similarly stress their operations to understand their data dependency and how it relates to how all other tangible or intangible assets are monetized. This Enterprise value of Data (EvD) will, in rudimentary form, provide a new read on the share of enterprise value derived from information or data and, therefore, provide a more accurate risk profile. Long-range, incorporating this type of risk metric as a real time reporting variable for publicly traded companies will greatly improve investor and regulatory protections.
Just as crude oil is largely worthless to a group without the assets to refine or monetize it, not all data is created equal nor will it prove financially valuable to external parties who do not have the other assets required to exploit a firm’s “secret sauce.” It is for this reason most economically-motivated cyber-attacks demand a ransom, often incomparable to the value of informational assets they absconded with or the size of their dragnet. The WannaCry ransomware attack, for example, which spread to more than 150 countries over a weekend affecting thousands of firms, only got away with a comparatively small amount of bitcoin given the global dragnet. The NotPetya cyber-attack exacted a much heavier toll, largely on Danish shipping giant A.P. Møller-Maersk, which even at an estimated $300 million in losses, remained a rounding error nonetheless to Maersk’s fortress balance sheet. Facing such certain economic costs due to data risks, it would seem firms should spend nearly as much time quantifying the enterprise value of their data as they do trying to build firewalls and justifying digital transformation investments. Doing so would make the world a materially safer place.