Reading an IPO doc is...😓

Companies and their lawyers might love these long documents. But for investors, it’s a problem

This is edition 331 of Beyond The First Order, a premium daily newsletter that demystifies the hidden models, incentives and consequences of the most significant events across India and Southeast Asia

A 🔒 paid newsletter that demystifies the hidden models, incentives and consequences of the most significant events across India and Southeast Asia. Someone sent you this? Subscribe to BFO

Good morning,

One of legendary investor Warren Buffett’s favourite pastimes is to spend his hours combing through the annual reports and filings by companies. It’s probably taking him longer these days to pore through them. Not due to his age but because these reports are getting longer and longer. Take a look at the recent IPO documents filed by Indian companies, and you’ll know. Even B-schoolers will have a hard time filtering through them. 

On the topic of MBAs, do you think the pandemic has levelled the playing field in terms of gender-parity in B-school programmes? The signals from the US and India tell different stories. 

And I’m sure you’ve heard Apple’s stories about privacy. Turns out, when it comes to a face-off against the spyware Pegasus, that privacy is a myth. 

DRHPs of today are different

400 plus pages. 

If you wish to get a first look at the inner workings of a private company just before it goes public, that’s how many pages you probably have to read. Or at least speed-read. The draft red herring prospectus (DRHP)—a document that companies file with the regulator before they issue shares to the public at large—are really long.

Take the case of foodtech startup Zomato, which launched its IPO last week. Its DRHP ran into 416 pages. Internet platform company Info Edge, one of Zomato’s early backers, had only a 294 page-long DRHP when it launched its IPO in 2006.

In 2020, the DRHP of IT firm Happiest Minds Technologies had 438 pages. Contrast that with another IT company Mindtree, which, in 2007, had a DRHP of 282 pages.

Anecdotally, it seems like these documents—meant to introduce an IPO-bound company to investors—are getting longer. Which means it’s probably filled with a lot of clutter and useless information. Things that don’t really help an investor make a decision. 

It’s not unique to India, either. Over the years, the US version of the DRHP has exploded in size, too. 

Even annual reports, or what’s known as the 10-K in the US, have met with the same fate and are filled with terms that researchers call redundant, boilerplate, and sticky. Basically, it’s a bunch of pointless words that are repetitive and don’t add any value. 

Aswath Damodaran, Professor of Finance at the NYU Stern School of Business, writes that company reports have become less readable due to a few reasons:

  1. The increasingly complex share structures at companies.
  2. Restrictions by the regulator on future projections mean that companies end up telling stories but hold back details. Like focusing on the total addressable market (TAM)—“a critical number in determining value, but one that can be stretched to mean whatever you want it to, with little accountability built in.” 
  3. And that as loss-making companies go public, they’ve found creative accounting ways to make it look like they’re making money. 

And for investors who are trying to determine what value to ascribe to a company, this information overload meant to improve disclosures is actually a problem:

...behavioral research indicates that as people are inundated with more data, their minds often shut down and they revert back to "mental short cuts", simplistic decision making tools that throw out much or all of the data designed to help them on that decision. Is it any surprise that potential investors in an IPO price it based upon a user count or the size of the total accessible markets, choosing to ignore the tens of pages spent describing the risk profile or business structures of a company?

In turn, what that means is that companies can use distractions to squeeze out better IPO pricing. 

In Zomato’s DRHP, it says, “according to RedSeer, we have a large total addressable Food Services market opportunity of US$65 billion growing to US$110 billion in 2025.” That one line alone would’ve given it a reason to bump up valuations. 

On the other hand, its risk factors clearly outline this: 

We have a history of net losses and we anticipate increased expenses in the future. We expect our costs to increase over time and our losses will continue given significant investments expected towards growing our business.

Despite the company’s ‘promise’ of continued losses in the 400-page DRHP, its not-so-cheap IPO was oversubscribed 38 times. 

Even fintech player Paytm’s* DRHP, which dropped on Friday, falls prey to the complexity that hides its business layers. If you haven’t, you should read my colleague Arundhati Ramanathan’s breakdown of its DRHP in yesterday’s story aptly titled – Paytm IPO tells, and tells a lot, but doesn’t show.

Maybe India’s capital market regulator Sebi could ask companies to dumb down their DRHPs so the public at whom it is targetted can actually make some sense of it. 

PS 1: I tried to find if similar research has been done on the length of annual reports by Indian companies but I came up short. If you’ve come across something similar, I’d love to know. 

PS 2: In case you missed it, Sumanth Raghavendra had earlier written about Zomato’s DRHP as well: The non-obvious takeaways from Zomato’s IPO prospectus

*Paytm’s founder Vijay Shekhar Sharma is an investor in The Ken.

Privacy. That’s not iPhone

Have you watched that recent Apple iPhone ad? A guy buys a cup of coffee at a café. The barista hands it to him, with the guy’s name and what looks like a password written on the takeaway cup. And then, the barista follows the guy right into a taxi. The barista and the taxi driver then follow him into a bank, from where they’re joined by the bank teller as the guy heads to a supermarket, and so on. Finally, he ends up at home with a bunch of people representing businesses or apps that he has used throughout the day.

The point of the ad was to showcase the iPhone’s new privacy features in the latest iOS 15 operating system. Users can now control which apps are allowed to track their activity across other companies’ apps and websites. The people in the guy’s apartment eventually disappear after he picks up his iPhone and changes his privacy settings. 

The tagline: “Privacy. That’s iPhone.”

But apparently not.

Research by human rights group Amnesty International and journalism nonprofit Forbidden Stories suggests that even the latest iPhones and those running iOS 15 have been penetrated by Israeli spyware firm NSO Group’s Pegasus surveillance tool

“Apple prides itself on its security and privacy features, but NSO Group has ripped these apart. Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised.

“These attacks have exposed activists, journalists and politicians all over the world to the risk of having their whereabouts monitored, and their personal information and used against them.

“This is a global concern – anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”

Now, just to be clear, the report also said that thousands of phones running Google’s Android operating system were targeted by Pegasus. However, Android, unlike iOS, does not keep accessible logs needed to detect Pegasus spyware infection. Also, Google does not boast of having “the most secure consumer mobile device on the market,” which is what Apple continued to claim after the Pegasus controversy.

Apple also claimed that the attacks are not a threat for the “overwhelming majority” of its users—in January, the company said there are now over one billion active iPhones worldwide. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.” 

However, that distinction isn’t mentioned when Apple launches its new iPhones every year. Whether you’re a politician, activist, journalist or a regular Jane, you have to cough up at least US$700 if you want to buy the new iPhone. You wouldn’t want a spying tool built by a private company to so easily get access to your phone—including contacts, photos, emails, messages, microphone, and camera—if you’re paying so much for it, right?

Especially since security researchers have been warning about such vulnerabilities for years. And Apple just refused to accept it.

...despite its reputation for building what is seen by millions of customers as a secure product, some believe Apple’s closed culture and fear of negative press have harmed its ability to provide security for those targeted by governments and criminals.

“Apple’s self-assured hubris is just unparalleled,” said Patrick Wardle, a former NSA employee and founder of the Mac security developer Objective-See. “They basically believe that their way is the best way. And to be fair … the iPhone has had incredible success.

“But you talk to any external security researcher, they’re probably not going to have a lot of great things to say about Apple.”

What’s alarming is that the iPhone’s greatest vulnerability, according to experts, is one of its most popular features: iMessage, the instant messaging service. The iPhones have a feature called BlastDoor, introduced last year, which screens suspect messages before they enter your inbox. But Pegasus got through the BlastDoor as well.

“We have seen Pegasus deployed through iMessage against Apple’s latest version of iOS, so it’s pretty clear that NSO can beat BlastDoor,” said Bill Marczak, a fellow at Citizen Lab, a cybersecurity analysts’ unit based at the University of Toronto.


According to Wardle, the security features that Apple boasts about are a double-edged sword. “iMessage is end-to-end encrypted, which means that nobody is going to see you throwing that exploit. From the attacker’s point of view, that’s lovely,” he said.

“Once an attacker is inside, they, he or she can almost leverage the device’s security against the user,” Wardle said. “So, for example, I have no idea if my iPhone is hacked.”


That opacity may even undercut Apple’s claim that attacks “often have a short shelf life”. Because researchers find it very difficult to examine the inner workings of an iPhone, “unless the attacker is very unlucky, that implant is going to remain on the device, likely undetected”, Wardle said.

So, the next time you’re thinking about buying a new iPhone, just take all its privacy features and claims with a pinch of salt. It’s just a regular smartphone.

PS: If you’re an ethical hacker, you can win up to US$ 1 million under Apple’s bug bounty programme if you help the company find security issues and flaws related to zero-click attacks like Pegasus. But clearly, you have to be really good. No one seems to have cracked it. Except for NSO, of course.

The road to gender parity at IIMs begins elsewhere

The pandemic made it harder to get admission into top MBA programmes across the world. In 2020, people applied to business schools to get around a tenuous job market. And in 2021, many international students who deferred last year’s admissions are heading back to school.

According to the Graduate Management Admission Council, which conducts the commonly accepted GMAT entrance exam, 67% of business schools globally reported increasing applications in 2020. And 43% of those schools reported application growth of over 20%. 

But how does diversity of applications factor in this mix?

At least in terms of gender diversity, there’s some data: 62% of business schools offering a full-time MBA reported an increase in applications from women candidates. This is compared to only 42% that reported a rise in 2019. 

What it means is that today’s MBA cohort is closer to gender parity. 

Of Forté’s [the Forté Foundation, a nonprofit focused on gender parity in business] 52 member schools, 22 reported 40% or more women enrolled in 2020. Only 12 of its schools could make that claim five years ago, and only one school could 10 years ago.

In India, things are looking a little different at some of its top b-schools. 

The admission of fewer women in Indian Institute of Management-Calcutta (IIM-C) this year has come as a blow to the premier B-school’s attempt to strive towards gender parity in its flagship two-year MBA programme.

Whereas 35% of the 2020-’22 batch were women, the ratio has dipped to 31% in the 2021-’23 batch, the same level as four years ago. The ratio of women at the institute was barely 16.6% in the 2016-’18 batch before efforts were made — in pre-interview screening and through increased weight in shortlisting — to improve the ratio to 31% in the 2017-’19 batch.

Is it because fewer women candidates registered for the Common Admission Test (CAT), the GMAT equivalent for IIMs? 

Well, out of 244,000 CAT applicants in 2019 (for admission in 2020), 35% of them were women. And that was a six-year high. And the following year, among 227,000 candidates, 80,000 were women. Which is 35% of the applications again. 

While the premier b-schools could do more for gender parity, India first needs to improve the share of women taking the CAT. Gender parity is something even the pandemic couldn’t change. 

That’s it for today.

If you have any thoughts about the length of IPO documents, the Pegasus snoop, or on how to improve gender parity at India’s business schools, we’d love to hear from you.

Stay safe,

PS: Don’t forget to read this story today. It is free till 12pm IST.

A lot has been written about Zomato and its IPO — valuation, profits, unit economics and much more. But how will Zomato’s IPO impact the Indian public markets? Find out in our specially unlocked story of the day- free to read only till 12 noon IST:


Read the full edition. Sign up now.

Receive our premium newsletter, Beyond The First Order delivered to your inbox every weekday for the next 30 days.

If you’ve already signed up, just enter your email below or login using Facebook or Google

Recent Editions of Beyond The First Order


How often is Beyond The First Order published?

Five days a week. From Monday to Friday.

Do I need to login to the website to read the newsletter?

Nope. We send the day’s edition right to your inbox, where you can read it in full.

I have already paid for a subscription to The Ken. Do I need to pay separately to read this newsletter?

Nope. Paid, premium subscribers of The Ken get our newsletters delivered for free.

My corporate or campus has paid for a subscription to The Ken. Do I need to pay separately to read this newsletter?

Nope. You have complete access to our newsletters for free.

How do I pay to access your newsletters?

In two ways. You can buy a premium subscription to The Ken here which will give you access to all our stories and newsletters. Or you can purchase each newsletter for Rs. 99 or $2/month.

What modes of payment do you accept?

We accept all major international credit and debit cards. Your payment will automatically recur every month if your card supports it. You can stop this anytime from your Account section.

How are your newsletters different from your stories?

Our stories are typically long, originally reported, narrative and analytical in nature. Our newsletters are more timely and help you connect the dots on recent events.

I am a premium subscriber to The Ken but I am not receiving your newsletters. Can you help?

Sure. Just write to us at support at the-ken dot com. We’ll get this fixed.

Can I claim GST credit for this subscription?

Of course. Just enter the GST details during checkout, and you’ll get a GST invoice from us.