What are the real-world risks of a cyber security breach to CEOs and their company? We will explore the issues of reputational damage, incident cost, stock price impact, and increased regulatory attention. We will also discuss the fate of four CEOs who have faced cybersecurity breaches in the past three years.
According to Warren Buffet, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
The “2015 Cost of Data Breach Study: Global Analysis” from the Ponemon Institute shows that companies suffer a higher churn rate, increased customer acquisition costs, reputation losses and diminished goodwill due to an information security breach.
The 2015 Information Security Breaches Survey, conducted by PwC, states, “When asked what made a particular incident ‘the worst’, 16 out of the 39 organizations that responded cited that it was the damage to their reputation which had the greatest impact. This is an increasing trend, up from 30 percent of respondents in 2014 to 41 percent this year.”
Lastly, from the Global Risk Management Survey 2015, quoting Greg Case, CEO of Aon, “For the first time since 2007, damage to brand and reputation has emerged as the top-ranked risk in our survey. Interestingly, cyber risk has entered the top 10 for the first time this year. The connection between these two risks has been felt around the world in 2014, as a rash of data breaches demonstrated the fragile nature of consumer trust in leading corporations.”
An information security breach will rob a company of its good name and its customers, increase new customer acquisition costs and decrease opportunities. The damage may also be compounded by individual or class-action lawsuits from former customers. Consumers are now aware of the negative impact identity theft can have on their lives and are voting with their pocketbooks in increasing numbers.
According to the Ponemon Institute, the average total cost of a data breach for the participating companies increased 23 percent over the past two years to $3.79 million. The PwC 2015 Information Security Breaches Survey showed much the same trend, “the survey did find that the total cost of dealing with incidents continues to increase. Looking at the single worst breach suffered, the costs to large organizations range from just under $2.2 million to $4.9 million. For small organizations, the range starts at $108,183 to $447,118. These figures account for activities such as business disruption, days spent responding to an incident, loss of business, regulatory fines and loss of assets.”
To put the escalating cost of cyber breaches into perspective, the Center for Strategic and International Studies estimates the annual cost of cybercrime and economic espionage to the world economy may be as high as $445 billion. That is nearly 1 percent of global income.
If there is a bright side to information security breaches, it is that they usually only affect stock prices for a very short period of time, if at all. In an article from Harvard Business Review, “Why Data Breaches Don’t Hurt Stock Prices,” Elena Kvochko and Rajiv Pant assert that, “Overall, stock prices during and following the high-profile security data breach in the past several years have decreased slightly or quickly recovered following the breach.”
This has been shown to be true for three of the highest-profile information security breaches; however, we have a more recent example where that rule has not held true in the short and near term.
As you can see from the top three companies, short- and near-term impact to the stock price was limited or non-existent. TalkTalk is an outlier possibly due to the manner in which the company handled the incident, cultural differences in attitudes toward privacy and the significant customer churn created by the breach.
TalkTalk is a British telecommunications company which provides Internet access, pay television and mobile network services to businesses and consumers. In a report on customer confidence from Kantar Worldpanel, Imran Choudhary, Consumer Insight Director states:
“Customers have lost faith in TalkTalk as a trustworthy brand. The provider saw its share of the home services market fall by 4.4 percentage points quarter on quarter in terms of new customers, only 1.4% of whom gave reliability as a reason for joining the provider in the last three months — well below the market average.”
TalkTalk continues to offer some of the most attractive promotions across the home services market and almost a third of its new customers did choose it for this reason, but there can be no doubt that it lost potential customers following the major data hack. If it’s to recover from recent events TalkTalk will need to offer more than just good value.
At this point, there have been five arrests in relation to the TalkTalk breach of October 2015, with suspects ranging from 15 to 18 years of age. Time will tell if the TalkTalk breach continues to negatively impact the company’s share price and its bottom line.
Under HIPAA alone, health information privacy complaints rose from 6,534 in 2004 to 17,779 in 2014. At the end of October 2015, the complaints received by Health and Human Services totaled 123,065. That is a 592 percent increase, with two months of the year still to be counted.
The UK’s Information Commissioner reports similar challenges for 2015, “There was a 44% rise in the number of data security incidents in the health sector compared to the previous quarter (from 193 in the first quarter to 278 in the second quarter). The health sector continued to account for the most data security incidents. This was due to the combination of the NHS making it mandatory to report incidents, the size of the health sector, and the sensitivity of the data processed.”
Regulatory attention increases the likelihood of fines and an additional cycle of negative publicity. Even with increased regulatory attention and negative press, fines are still relatively rare when compared with the volume of breaches reported. Regulators have been warning that information security breaches will see increased scrutiny and higher fines. Last year’s record-breaking fines from the U.S. Federal Communications Commission and recent enforcement action from the U.S. Federal Trade Commission have shown these warnings to be far from idle.
The CEO’s Fate
Target: On May 8, 2014, Forbes reported that Target CEO, President and Chairman Gregg Steinhafel resigned from all his positions, “Following The Massive Data Breach And Canadian Debacle.” In this instance, Steinhafel’s departure from Target may not be solely attributed to the Target breach but also to a poor outcome with Target’s failed expansion into the Canadian market.
Home Depot: Frank Blake announced his retirement as CEO, shortly before the September 2014 breach came to light. He could have easily dropped the incident in the lap of the incoming CEO, but he didn’t. He captained Home Depot through the choppy waters of this incident with great skill. The company’s share price didn’t skip a beat; however, in February 2015, he stepped down as chairman of Home Depot as well.
Sony: In a February 12, 2015, article from the Huffington Post, Amy Pascal, former CEO of Sony, openly admitted that she was fired as a direct result of the December 2014 breach.
TalkTalk: Dido Harding is currently the CEO of TalkTalk. Recently, the company disclosed that the October 2015 cyber security incident cost it over 100,000 customers and a financial loss of $83,132,024 USD. This comes on the back of the recent announcement that three Wipro employees were arrested for hacking TalkTalk.
Information security breaches directly affect the reputation of a business, but it is unclear how detrimental that is to the bottom line. Only TalkTalk suffered a significant reduction in its share price. There is little doubt that heavily publicized information security breaches will draw the attention of regulators. There is less certainty that this attention will result in a significant fine.
The impact of the cyber security breach on the CEOs of Target, Home Depot and Sony was more severe than the impact on their companies. They were no longer in their positions within six months of the breach. The apparent six-month window is still open for TalkTalk’s CEO. The long-term risks of an information security breach to companies appear to be changing, but the near-term risk to corporate CEOs seems clear.
This article was written by Richard Starnes from CSO and was legally licensed through the NewsCred publisher network.