As the Q2 reporting season winds down, a nightmare scenario for investor relations professionals comes to mind: accidentally leaking your company’s earnings release or M&A announcement by inadvertently posting it online. Such a leak spreads easily into a widespread spill into social or traditional media.
Can’t happen? Well, it does. A panel discussion at the NIRI 2011 Annual Conference in June was all about warning IR people of this potential mishap. Two folks from Microsoft, IR manager Dennie Kimbrough and IT manager Josh Bailey, courageously provided the red meat of the NIRI panel discussion called “Keep a Lid on It: How to Guard Against Leaks, and What to Do if One Happens.”
Most importantly for all of us in investor relations, the Microsoft staffers shared lessons learned on how to guard against similar leaks at our companies.
The software giant is one of a handful of companies – Walt Disney, NetApp and Transocean are others – recently tripped up by the interplay of humans and technology, causing the inadvertent, early and selective release of earnings.
For MSFT, it happened on January 27, 2011. According to Kimbrough, the first word of a problem came about 12:35 p.m. Pacific time, an hour before the market would close. A Reuters reporter called to confirm an online report of the software giant’s Q2 earnings – not due out until after the close. Not the media call you want to get.
It seems MSFT’s 77-cent earnings per share figure was already out on StockTwits, through the work of Selerity, a “low-latency news aggregator.” For us non-techies, that means Selerity uses web crawler programs to snoop around continually for information on web pages that might move stocks – and move the data quickly to its clients, who are hedge funds, banks and prop traders.
What Selerity’s crawlers found was a page where someone at Microsoft posted Q2 earnings data on what they assumed was a secure “staging” page, but actually was a live web page. “It was just a simple human error,” Kimbrough said.
There was no link to it, as an official news release gets when posted to a website, but crawlers don’t need a link. Kimbrough said MSFT put its earning data up on the blind (but public) web page at 11:23 a.m., and Selerity’s crawler found it six minutes later. Selerity sent the numbers right out to its clients – and broadcast MSFT’s 77-cent EPS on StockTwits at 12:50, a full 70 minutes before the close.
Bailey, the Microsoft IT guy, explained three kinds of web crawlers: Those used by search engines “play nice” with web administrators in handling nonpublic files. Others scrape email addresses and phone numbers from thousands of websites to enable marketers to spam us. A third, scarier group of crawlers search for not-yet-public pages, systematically guessing URLs that might provide interesting data (something like “…/earnings/Q2/press release.html”).
The problem isn’t brand new. Another panelist, Andy Backman (a former IRO and now CEO of InVisionIR) recalled an encounter 10 years ago when a reporter guessed the URL for his company’s second-quarter earnings release – and reported the numbers an hour and a half before the release was due out.
Of course, the damage-control step to take if a leak of this sort happens is to issue the darn news release – get it out fast! Microsoft posted a brief statement to its corporate blog immediately after the reporter’s call and had the full earnings announcement up by 12:55 Pacific time, about 20 minutes after the reporter’s call.
But prevention is the real need.
And prevention is where IROs can play an important role by taking precautionary steps as part of the team that develops earnings and M&A announcements:
- Keep online staging areas secure to prevent public posting of earnings and similar announcements. “The only way to protect yourself against web crawlers is to keep your files on your side of the firewall,” Bailey says. Both in-house staffers and third-party service providers like lawyers, CPAs and newswires need to have strict procedures in place. The IRO needs to check.
- Don’t allow anyone to leave drafts lying around on a printer or desk. This is the old-fashioned leak, allowing non-confidential employees or even members of the public who pass by to see nonpublic information sitting out in the open. “Shred everything. Lock it away,” Backman advises.
- Demand better code names for M&A projects or offerings. Lawyers and I-bankers love to create code names. And they’re fun – we all get a sense of adventure working on a hush-hush project called “Operation Pegasus.” Trouble is, Backman notes, code names are almost always picked because they point to the real name. We’re making a bid for Procter & Gamble, so we call it Operation Pegasus. Sometimes namers use a double entendre (the acquisition of Energizer might be “Project Bunny”). Backman suggests: Pick a code name that has nothing to do with the target company – a code name.
In many respects, IR professionals need to be a little paranoid. For most of us, Q2 reporting is finished (my excuse for not posting in July), but security of financial information is a process issue we can start working on now for next quarter.
As gatekeepers of material information, IR people need to work with colleagues in finance and IT to ensure that “Top Secret” remains so right up until our broad dissemination to the market.