It’s the phone call no IRO wants to receive. You’ve spent all day methodically preparing for earnings and then, out of the blue, a call comes through from PR saying the results have been leaked early.
That was the situation faced by Microsoft in January, when a data aggregation firm found the company’s unpublished results on the company’s website and published them more than an hour before the scheduled time. This leak, along with similar incidents at Transocean in February and the Walt Disney Company and NetApp last November, have prompted IR departments across the US to review their web security and disclosure processes.
‘We did a review of our practices and procedures to ensure [data] could not get to the web early,’ reveals Bill Pfund, head of IR at WMS Industries, in an email. ‘It is a scary thing these days.’ Intel and Marathon Oil also confirmed to IR magazine that they had checked their procedures following the leaks.
Microsoft was caught out after someone at the company accidentally moved a copy of the earnings release to a public-facing server. This allowed the release to be discovered by a search spider operated by data vendor Selerity. Search spiders are computer programs that trawl websites looking for information of value.
Once it had a copy of the release, Selerity made it available via a premium service the firm operates on StockTwits, an online investment community, as reported by IRWebReport. From here, the release was distributed more broadly. Soon Reuters was ringing up Microsoft, asking it to confirm whether the publicly available earnings release was genuine.
‘I got on the phone with NASDAQ, I got legal involved, I got PR involved, and we pushed everything early so we could get full access for everyone – and trading never ceased,’ says Microsoft’s general manager of IR Bill Koefoed. ‘The bad guys’ technology is getting more robust and they’re getting in there and sniffing everywhere. It would have been a non-event a year or two ago when people were putting stuff up on the web at a time when these sniffers didn’t exist.’
NetApp, by contrast, did see trading halted on November 17 after Bloomberg found its earnings and distributed the details early to the market. The company’s shares fell 7.5 per cent on the leak, prompting NASDAQ to step in and stop trading. Bloomberg was also responsible for the leaks at Transocean and the Walt Disney Company.
Following the leak, NetApp made changes to its disclosure process, although the storage specialist will not reveal any details. ‘While we have taken steps to change our process, I am not at liberty to discuss these changes,’ comments Shauna O’Boyle, senior manager of IR, in an email.
Microsoft has also tweaked its procedure to ensure the situation isn’t repeated. ‘We’ve changed the process such that there needs to be an approval before posting anything on a public-facing server prior to the earnings release,’ explains Koefoed. ‘We’ve added a step into the process, for sure.’
The safest way for companies to protect themselves against leaks is to ensure sensitive documents are not placed on public-facing servers before the time comes to release them. Another option is to include random sets of numbers to prevent web users from guessing the file name of the next release – although this approach is not seen as sufficiently secure by IR website specialists.
‘I would say the best safeguard is timing,’ says Bradley Scott, product manager for SNL IR Solutions. ‘Make sure your sensitive material is not available on any public server, either yours or anyone else’s, until the information has been disseminated publicly through a wide means.’
Companies that upload information to a public server early could fall foul of Regulation FD, adds Scott. ‘Just having it up there is not acceptable,’ he notes. ‘If people don’t know where to find it, you’re not in compliance.’
‘In many cases I think companies assume the website is going to be secure and only publish information when ready,’ states Darrell Heaps, chief executive of Q4 Web Systems, in an email. ‘Because most web content management systems are not designed for financial disclosure, however, non-published, uploaded files – aka PDFs – are accessible if the distinct file name is entered into a browser.
‘This, combined with an internal process that sequentially numbers files – which makes them easy to manage internally – creates a significant gap in the company’s disclosure controls and puts the company at risk.’
If you are the victim of a leak, the most important step is to push out your earnings as quickly as possible to give all investors equal access to the information, says Scott: ‘That’s what companies have done. Typically, they’ve issued their press release early or filed with the SEC early.’
The leaks have also rekindled the debate about web disclosure, with some market participants claiming companies put themselves at increased risk of leaks if they adopt the practice of online disclosure.
Microsoft began using web disclosure – where companies self-publish the earnings release to the corporate website, instead of sending it out over the wires – for its 2010 first quarter results, which came out in October last year. In doing so, it joined a growing band of companies choosing to self-publish earnings, including Google, BGC Partners and Expedia.
‘There are all sorts of security issues,’ says Neil Hershberg, senior vice president of global media at Business Wire. ‘The disclosure process is deceiving in that it appears to be a simple process but it is actually a lot more complex in terms of work flow and things that could possibly go wrong.’
Koefoed, however, is adamant that Microsoft’s decision to opt for web disclosure has no connection to the leak. ‘I just want to be clear it had nothing to do with that,’ he states. ‘Unfortunately, it was human error: someone made a mistake. We’re not happy about it, but I think we did what we needed to do at the time and got the information out quickly.’
Timeline of a leak
– Sometime before 2.50 pm EST: Selerity’s search spider finds Microsoft’s earnings release on a publicly facing server
– 2.50 pm: Selerity sends out Microsoft’s earnings over its premium service on StockTwits
– Around 3.30 pm: Reuters contacts Microsoft asking whether the earnings are genuine
– 3.57 pm: Microsoft sends out its advisory release with Marketwire three minutes early
Selerity, the data vendor that broke Microsoft’s earnings early, operates a premium service called LiveEarnings, which gives investors access to ‘machine-readable, actionable insight’. It costs $50 a month or $500 for the year. On its website, Selerity says it uses a combination of proprietary technology and human analysts to gather data. LiveEarnings is delivered through a feed on the investment community website StockTwits.
Less is known about Bloomberg’s website-scraping operation, responsible for the leaks at Transocean, NetApp and the Walt Disney Company. As IR magazine went to press, the news provider had not acknowledged publicly that it runs such an operation, although the Wall Street Journal has reported that Bloomberg journalists regularly trawl company websites in search of documents awaiting distribution, citing people familiar with the situation.