Wednesday, April 6th, 2011
an important notice

They are starting to pile up in your inbox — notifications from retailers, hotels, and financial companies, alerting you to the fact that your name and email address were compromised when “an unauthorized third party” gained access to a database entrusted to Epsilon.

We won’t get into the privacy issues here (for example, perhaps we should also be concerned about “authorized” third parties).  Nor will we explore the investment implications for firms, positive or negative.Of potential direct impact:  Epsilon contributes more than twenty percent of Alliance Data System’s revenue, but the stock has not fallen much as of this writing, a few days after the breach.

Instead, let us dream about other bad things happening.  (I guess those are properly called nightmares.)  Such dreaming is a key part of risk management, but it’s the hardest part of it.  It’s easy to look back on what has occurred before and to consider what would happen to the markets, our assets, and our plans if history were to repeat itself.  It’s especially easy to “fight the last war.”

It’s much more difficult to look forward and speculate about what might go wrong the next time something really does goes wrong.  But you can guess that one category to be concerned about is the reliability of networks and their security systems.  In that realm, we could imagine doomsday scenarios of the electrical grid going down or the proverbial “being bombed back to the stone age.”

For those of us that labor in the investment markets, the “stone age” was when there were pieces of paper that changed hands as economic interests did.  That’s long gone and hopefully never coming back; that era has been supplanted by a wired one with different kinds of risks, many of which we haven’t yet encountered.

And so we must ask ourselves, even though we don’t want to, what would happen if . . .?

If there was a disruption in the payments system, in the functioning of the exchanges, in — let’s get down to brass tacks — the informational structure at your own broker?

There are safeguards and contingency plans, but what is a realistic assessment of the probabilities of failure for the systems great and small that form the foundation of investment commerce?  How much due diligence has been done by regulators and institutional players (the same groups we always rely on to do our dirty work) on the systems themselves?  How much planning for outlier events?

Many of the potential problems in this realm fall into the category of cyber crime.  We know one of NASDAQ’s businesses was hacked, and there may have been other incursions that we aren’t aware of.  Such activities may be state-sponsored, designed to make money, or just the result of hackers on a joyride of sorts, seeking to exploit the holes in the system that has evolved.  (There are always holes.)  Other disruptions may be the result of unintended consequences, as the structure of the business gets more complex and the moving of electrons becomes a game in itself.  The list could go on to include natural disasters, attacks, and other events we’d prefer not to consider.

The reality is that just as we don't think of the physics of everyday life, we don't contemplate the “normal workings” of investment market structure.  They are assumed.  Should they ever be disrupted, what are the ramifications?  How would you react?  What, if anything, can you do to prepare?

The next time an email arrives that is entitled, “An Important Notice,” what surprise might it reveal?  We don’t get any clarity by not asking the hard questions.