If you know me, ESG is something I care deeply about. So, when I started seeing news articles about “the death of ESG,” you know I had to jump in and regulate. Is ESG dead? No. Dying? Maybe. Why? You’ll see. Read on.
Also, hacking! I’ve been listening to a pretty great book on hacking. And so hacking’s been on my mind lately. And then Caesars! And MGM! And…wait they did it how? JFC. It just can’t be that simple, can it? The good news is, simple problems tend to have simple fixes. See more below, along with that vital book reco.
Is ESG Headed For Extinction?
Here’s what’s what…
ESG, Basically.
For those unfamiliar with ESG, here’s a quick explainer: ESG is this sort of new movement in corporate governance to advance initiatives focused on the environment, social causes, and better governance. Getting away from all the corporate-speak, it’s just a nice bucket to put a lot of things in that folks (typically on the left and center-left) feel are important, e.g., reducing carbon footprint, making supply chains more sustainable, increasing diversity on corporate boards and in management roles, keeping a better eye on not breaking the law, etc. The problem is, in the world today, we seem to have two kinds of people:
1. Those who feel that these are all pretty obviously good things; and
2. Those who feel that this is what’s going to bring down all of society.
And lately, we’re in this sort of pitched battle between the two narratives. But that’s not news to anyone.
Corporate Law, Also Basically.
(Note: I do a bit of corporate law explaining here. For fellow corporate lawyers out there, feel free to scroll ahead. For non-corporate-lawyers, feel free to send me a tuition check.)
What we’re here to talk about today, though, is corporate governance (the process by which corporations make decisions, do stuff, etc.). Under Delaware law (which controls in matters of corporate governance for a large number of the world’s leading corporations, and is what we’ll work off of here), corporations are controlled by their boards of directors. Boards are comprised of directors, who are elected by shareholders to basically steer the company in a manner that will be best for shareholders. But what is best? This is where things get complicated.
Is it money? I mean, everyone likes money. Hell, it’s the reason why people buy stock, right? Share price goes up, shareholders rejoice. So, boards should do whatever it takes to make the stock price go up, and that just means increasing earnings. So simple! But let’s say that a drug company like Johnson & Johnson were to diversify into other drugs, like heroin. Sure, entering into the global heroin trade might boost earnings for the next quarter or two, but long term, this wouldn’t end well. So there’s this issue of term. The mandate isn’t to maximize cash ASAP; it’s to maximize value over time.
This is where things get complicated, because boards don’t get issued their own personal Nostradamus. There’s just no way of knowing exactly, today, how things will play out over time. So if a board chooses an option B over an option A and the company loses money over the subsequent year, can shareholders sue the company (in what’s called a derivative suit) for screwing it all up? Not exactly.
In Delaware, directors are protected by what’s called the “business judgment rule,” which provides a shield from liability for a director so long as they’ve taken informed action, in good faith, and with an honest belief that the action they’ve taken is in the best interests of the corporation.
Super clear. I know. Corporate law is basically just paint-by-numbers.
The Case For ESG.
So, now that we’ve mastered corporate law, it’s time to figure out how ESG fits into all of it.
At the end of the day, corporate boards need to focus squarely on maximizing profit over time. ESG initiatives, for the most part, aren’t concerned with near-term profits, or profits at all. And, at first blush, it appears that we’re at an impasse.
But what happens to a company when global stocks of its required raw materials fall precipitously, thereby raising production costs and decreasing margin? Or to a company that gets “cancelled” for a social miscue, eroding its customer base? Or to a company that gets fined into oblivion for regulatory infractions?
For the lion’s share of companies out there in the world, these are all risks. And if you ask me, ESG is just risk management rebranded. And there isn’t a corporate board out there that doesn’t engage in risk management.
So, why all the fuss with ESG then? It all comes down to one central question: How near or likely does a risk have to be in order for it to be worthy of active mitigation in the face of the imperative to maximize profit?
Again, we return to our two discrete types of people, now just phrased another way:
1. Those who feel that environmental, social, and governance risks are likely and / or nearer-term; and
2. Those who feel that environmental, social, and governance risks are unlikely and / or more distant.
If you scratch at the surface of that, though, you’ll see that I’ve sort of led us into a trap. Because once we start thinking about ESG less as “does one care?” and more as “does one, as an investor, care enough to sacrifice returns?”, things actually get a bit more fuzzy. The same initial Group 2 members are still very much in Group 2 here. But those initially in Group 1 might find themselves less sure of their answer now that returns have entered the equation. (This is sort of also why the notion of an “ESG fund” is kind of silly. Every company should enact ESG measures because they’re vital to a stable, long-term future for society as a whole, but that’s hardly an investment thesis.)
But, while a lot of companies haven’t been doing much of anything really with respect to ESG, I nevertheless think it’s vitally important to get away from the rhetoric that “Oooh, corporations are evil, and they just want to make money at the expense of people / society!” That dystopian hash pipe serves no one.
Instead, let’s look at it from the perspective of corporate law, and how corporate law informs the manner in which directors go about their business. It can be true both that: i) a corporate director cares deeply for the environment, for social causes and for good governance; and ii) upon careful, good-faith consideration, investment of the corporation’s capital in efforts to mitigate environmental, social and governance risks, at this time, will not yield any substantially likely return on such investment.
Now, for what it’s worth, I think the latter position is wrong. But what I want to emphasize here is that it’s not patently unreasonable.
The zinger is this:
ESG isn’t fading right now because of pressure from those who aren’t concerned about it. It’s fading because those who are concerned about it aren’t concerned enough.
Given the ways in which society today at least seems to be changing, cause for ESG concern should be on the rise. And history is rarely kind to those on the wrong side of it, profits notwithstanding.
Hacking.
The depressing reality of being a hack-watcher is that, on any given week, I have enough material to write an entire newsletter just about hacking. The particularly depressing part is seeing people adopt this sort of learned helplessness after hearing about so many large institutions succumb to hacks. (E.g., if that big company got hacked, I could definitely be hacked, so like why even bother trying to stop myself from being hacked?, etc.) But enough of that nonsense. We don’t play that here.
When I write about hacking (whether here on Business Thoughts, or elsewhere) I try to focus on the “how” as much as the “so what?” But the “how” is much harder to write about for an audience that, in most cases, isn’t deeply interested in the ins and outs of cybersecurity. What makes this job sort of easy, unfortunately, is that the “how” is often so gobsmackingly stupid that it extracts from most readers that most prized reaction to a piece of writing: “you’ve gotta be f-ing kidding me.”
Welp, here we go…
The Fallibility Of Man.
In this day and age, with the internet having been around for so long now, you’d think that big companies and their armies of security researchers would have been able to do so much to make hacking so much harder, and less common. Surprise, they have.
But the one thing these techno-wizards can’t seem to do (because it’s god’s work, not theirs) is to make people smarter. That’s right folks. The success of so many huge hacks has hinged, in each case, on some human, somewhere across the attack surface, proverbially “falling for it.”
That’s what happened recently with Caesars and MGM.
Ocean’s…What Number Are We On Again?
In each case, the victim organization was subjected to an impersonation attack against its IT support system. That is to say, “Hi, this is John Doe Employee, and I’d like you to reset my password,” except it’s not John Doe Employee, it’s hackers impersonating him based on data they scraped from sites like LinkedIn.
Far from some techno-wizardry, these guys just simply manipulated unsuspecting humans. And that’s what so much of hacking hinges on: unsuspecting humans. [1]
Specifically with respect to the Caesars and MGM hacks, I still haven’t been able to figure out how the hackers were able to actually make use of the reset password. Did the IT helpdesk person set the password to, say, “password123” and then tell the fake-John-Doe that password over the phone? In this day and age, that’s just not done, I think.
More typical would be a password reset link sent to John Doe’s e-mail. There are two options here:
1. “Hey, no that’s my old e-mail address, my new e-mail address is John.Doe.Hacker@gmail.com…yeah I changed my name.”; or
2. The hackers already had access to John Doe’s e-mail account and were able to make use of the password reset e-mail sent there.
Option 1 seems unlikely, as the reset link would likely have gone to John Doe’s work / organizational e-mail, i.e. John.Doe@caesars.com, and if there were any changes there, well, wouldn’t the IT helpdesk for Caesars know from their end?
But going with Option 2, if the hackers were already in John Doe’s e-mail (i.e., through a successful phishing attack), wouldn’t they already have sufficient access and not need the subsequent phone attack (or “vish”) against the IT service provider?
My only guess is that the e-mail credential was somehow different from, say, a systems access credential, and so they got one in order to get the other, and then were able to access the company’s data. But that’s just a guess, at this point.
Nevertheless, this attack would have been pretty easy to stop, if only the credentialing system required the use of 2-Factor Authentication, or “2FA.”
As long as access to the system required not only John Doe’s password, but also the entry of a unique, constantly changing numeric code (which, presumably, the hackers did not possess [2]), this hack would not have worked.
Do This. Right Now.
Think learned helplessness is stupid? Cool, me too. Here’s what you can do instead:
1. Physical Security Keys — Secure as many of your accounts as you can by requiring the use of a physical security key, such as the Google Titan or the YubiKey 5. There are a ton of other alternatives, but those are two of the most reputable.
2. 2FA Apps — Use 2FA apps to secure accounts that you can’t secure via a hardware key. Common examples include Google Authenticator and Microsoft Authenticator.
3. Unique Passwords — Use a password manager that you can itself secure with a physical key (i.e., via Step 1) and use that to store unique, strong passwords for every account you have that uses a password. Common examples are Google Password Manager and Apple’s iCloud Keychain.
4. Additional Steps — If you really want to take it a step further, sign up for services like Google’s Advanced Protection Program or the relevant alternative your service provider of choice offers.
And now, the obvious disclaimer: Nothing is perfect. None of this guarantees 100% foolproof protection from hacks. But it’s (relatively) easy, and free in some cases, cheap in others.
Practice good cybersecurity.
Don’t be the weak link.