Portfolios and Modernity
What volatility CAN'T teach us about risk: Sure, Insurance; Colonial; Cryptocurrency; Gov and the Last JEDI
Risk Developments this letter:
Sure, Insurance
Colonial
Cryptocurrency
Gov and the Last JEDI
Jumping In
This week I’m going to change it up a bit and jump straight into things. Honestly, I’m a bit burnt out from writing three long pieces on “Crime and Punishment” and thank you to all the readers who actually stuck it out with me. Also, it was a big week in risk news, so there’s still plenty to talk about! That said, I did want to give you something a bit more timeless.
One thing I’ve been thinking a lot about is how risk does not equal volatility. In business schools across the world, students are taught Modern Portfolio Theory (MPT) and the Capital Asset Pricing Model (CAPM). This theory holds that by diversifying one’s portfolio of assets, risk, as measured by volatility, can be reduced. That is to say, if I want exposure to the booming wireless carrier market, but I don’t want to bet on any one company’s management team, I can buy a sector. The same goes for asset classes. There are unique correlations among asset classes, so by diversifying among uncorrelated assets, one can reduce overall volatility (e.g. when stocks are down, bonds are up). This measure of correlation with the market, often referred to as systematic risk, is called Beta. The expected return of any asset is made up of Beta, Alpha and Epsilon. Alpha is the asset’s uncorrelated return above (or below) the market. Epsilon is the error term that captures non-market risk.
This view of risk is clearly wrong, but it has its merits. We have discussed before how “all models are wrong, but some are useful.” The problem with CAPM and MPT is that they make some staggering leaps to demonstrate some pretty intuitive findings. Diversification is good if you don’t know how things will turn out, bad if you do. If you have any advantage, why would you hedge against it?
You wouldn’t. As Michael Keppler points out in this paper, many of the greatest investors eschew MPT. Warren Buffett famously laughs off MPT. His teacher, Benjamin Graham, took the view that financial risk is “a loss of value which either is realized through actual sale, or is caused by a significant deterioration in the company’s position – or, more frequently perhaps, is the result of the payment of an excessive price in relation to the intrinsic worth of the security.” In other words, risk is the permanent loss of value. The causes of risk are fear, fecklessness and greed. This is a fairly romantic view of risk, notably from an era with fewer and less complex systems.
Still, it’s better than the CAPM alchemy that equates risk with volatility. Keppler goes on to point out another definition of risk, one based on liquidity. Robert Jeffrey acknowledges that some circumstances may force you to permanently realize paper losses. He defines risk as “the probability not to have enough cash to make necessary payments.” This strikes me as a nice balance between the excessively rational MPT and the romantic view that risk is wholly about character. Risk is not only the idea, as we’ve stated before, that “more things can happen than will,” but also the degrees of freedom one has when put into a difficult situation.
Risk Developments
Sure, Insurance
Let’s start with some insurance news. Aon plc and Willis Towers Watson’s seemingly perpetual merger talks moved one step closer by bringing in yet a third mega insurance broker, Gallagher. Aon and Willis, number two and three by revenue, would sell off $3.57B in assets, including Willis’ reinsurance brokerage arm, to Arthur J. Gallagher and Co. This effort to appease European regulators would make the combined Aon and Willis bigger, but not number one, the spot currently held by Marsh.
The other big insurance news is all cyber. The Paris-based insurance conglomerate AXA will stop covering ransomware for cyber policies in France. This decision has two advantages for AXA: first, it will not have to pay ransoms (obviously), and second, because cyber criminal organizations often do significant research on their targets, it will make AXA-insured businesses less desirable targets. Of course, they will also potentially lose a lot of business, because ransomware has recently become the type of cyber loss with the highest median cost.
Insurers that are staying in the market are doing so at a dear price, with a 35% increase in premiums this year. While this volatility may be an unwelcome surprise for customers, it is a sign that the market is maturing.
Colonial
One ransomware event we have to talk about is the Colonial Pipeline incident. For those asleep for the last week, Colonial Pipeline’s IT systems (not the actual pipeline) were being held hostage by the ransomware gang known as DarkSide. After shutting down the company, which provides half of the automobile fuel to the East Coast of the United States, DarkSide apologized, worried that they had gone too far and possibly raised the ire of the United States Government, which was threatening to their own government backers, Russia.
Let’s get into the details, shall we? The attackers requested $5M payable in cryptocurrency for the decryption key. 100 GB of data were exfiltrated to U.S.-based servers on their way to Russia. Private and public sector cooperation stopped some of that data exfiltration partway. There are at least 24 other affected companies suffering from DarkSide’s ransomware attacks. This is because DarkSide is not a single entity, but a franchise model.
These distributed cells are called affiliates, and they subscribe to Ransomware as a Service. In return for the software, they share 10-25% of their ransoms with the software developer. For an in-depth write-up with detailed code analysis, check out this FireEye post. The interesting thing about this model is that the revenue share drops significantly at $5M, precisely the amount that was demanded. This, and the apology, demonstrates that the attackers are reasonably rational economic actors.
The response, however, may not have been quite as rational. Reports conflict on whether or not the ransom was paid. Of course, it is in the company’s and the U.S. Government’s best interest to claim the ransom was not paid, to prevent free marketing for DarkSide’s affiliate program. The reports that the ransom was paid are painfully true-sounding: “Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.”
Cryptocurrency
After the Colonial story we’re going to have to talk about Bitcoin, of course. Although Tesla is pulling back on accepting Bitcoin as payment, other corporates are still excited to get in on the action. Palantir is said to be considering holding Bitcoin on its balance sheet, and you know what, after all the ransomware, it doesn’t seem like too bad of an idea. At least you can hedge against future cybercrime, even if you won’t be able to do much else with the cryptocurrency. Another corporation getting into Bitcoin. The bank has announced plans to offer Bitcoin derivatives to customers, and also to risk its own capital with a new cryptocurrency trading team.
While companies might be excited, regulators are understandably less enthusiastic. After the Colonial Pipeline hack, made possible in part by cryptocurrency, there are other reasons that regulators might not embrace Bitcoin. The SEC is telegraphing its sentiments about the possibility of a Bitcoin ETF and they are not overly positive. In addition, the SEC chairman said cryptocurrency exchanges need direct oversight.
There is lots of volatility in cryptocurrency, but that is not the same as risk. Volatility in an upward direction is something most people are pretty happy about. What regulators should be worried about is the probability of permanent loss. As it stands, cryptocurrencies occupy a legal gray area. They are fundamentally pseudonymous, but inherently traceable. This means DarkSide and its affiliates are all on chain, and tracing those payments should be possible in theory. Whether or not this is good for corporate treasuries, traders and consumers of financial products is yet to be seen.
Gov and The Last JEDI
Speaking of the government, there’s big news from financial regulation to defense and cyber too. Janet Yellen chose an acting OCC head, who is not any of the five previously reported front runners. Michael Hsu, a veteran of the Federal Reserve under Yellen, is said to be focused on climate change and technological change in the banking sector, which puts him at odds with the dominant bitcoin narrative, although in my long piece on cryptocurrency, I allude to why bitcoin should be thought of as an environmental boon, despite its other drawbacks.
Meanwhile, a U.S. Senate committee voted to increase domestic tech spending and limit American investment in Chinese technology companies. Concurrently, business groups are trying to roll back the Trump era ban on telecommunications technology imports from China. Will globalization come roaring back, or won’t it? One thing is for sure, the volatility of globalization may be up, but the odds of the permanent loss of globalization are zero.
In two last pieces of government news, the Department of Defense’s hotly contested JEDI contract, won by Microsoft after Oracle claimed it was written too specifically as a handout to AWS, is in jeopardy. Amazon has deployed a litigation strategy aimed at defeating the deal, even if they cannot salvage it for themselves.
Lastly, I have to mention the White House Cyber Executive Order. This 8,000-word order is 11 sections long, although there are only six meaningful ones: information sharing, modernization, software supply chain, cyber safety review, incident response, detection and remediation (here are my notes by section). The efforts at information sharing and modernization are filled with buzzwords about zero trust and machine-readable information sharing, which are not bad ideas, but it’s still hard to pin down what they mean. The most significant section is the supply chain, and a welcome addition. Also helpful is the Cyber Safety Review Board. Incident response, detection and remediation seem like table stakes, but it’s good that they are there. Not sure how many agencies are held up by a lack of directives rather than a lack of budget, but it’s good that it’s there, nonetheless.