What are the real world risks of a cyber security breach to CEOs and their company? We will explore the issues of reputational damage, incident cost, stock price impact, and increased regulatory attention. We will also discuss the fate of four CEOs who have faced cybersecurity breaches in the past three years.
According to Warren Buffet, "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." The “2015 Cost of Data Breach Study: Global Analysis” from the Ponemon Institute shows that companies suffer a higher churn rate, increased customer acquisition costs, reputation losses and diminished goodwill due to an information security breach.
The 2015 Information Security Breaches Survey, conducted by PwC states. “When asked what made a particular incident ‘the worst’, 16 out of the 39 organisations who responded cited that it was the damage to their reputation which had the greatest impact. This is an increasing trend, up from 30 percent of respondents in 2014 to 41 percent this year.”
Lastly, from the Global Risk Management Survey 2015, quoting Greg Case, CEO of Aon, “For the first time since 2007, damage to brand and reputation has emerged as the top-ranked risk in our survey. Interestingly, cyber risk has entered the top 10 for the first time this year. The connection between these two risks has been felt around the world in 2014, as a rash of data breaches demonstrated the fragile nature of consumer trust in leading corporations.”
An information security breach will rob a company of its good name, customers, increase new customer acquisition costs and decrease opportunities. The damage may also be compounded by individual or class action lawsuits from former customers. Consumers are now aware of the negative impact identity theft can have on their lives and are voting with their pocketbooks in increasing numbers.
According to the Ponemon Institute, the average total cost of a data breach for the participating companies increased 23 percent over the past two years to $3.79 million. The PwC 2015 Information Security Breaches Survey, showed much the same trend, “the survey did find that the total cost of dealing with incidents continues to increase. Looking at the single worst breach suffered, the costs to large organisations range from just under £1.5 million (£1,455,000) to £3.14 million. For small organisations, the range starts at £75,200 to £310,800. These figures account for activities such as business disruption, days spent responding to an incident, loss of business, regulatory fines and loss of assets.”
To put the escalating cost of cyber breaches into perspective, the Center for Strategic and International Studies estimates the annual cost of cybercrime and economic espionage to the world economy may be as high as $445 billion. That is nearly 1 percent of global income.
If there is a bright side to information security breaches, it is that they usually only affect stock prices for a very short period of time, if at all. In an article from Harvard Business Review, “Why Data Breaches Don’t Hurt Stock Prices”, Elena Kvochko and Raijv Pant assert that “Overall, stock prices during and following the high profile security data breache in the past several years have decreased slightly or quickly recovered following the breach.” This has been shown to be true for three of the highest profile information security breaches; however, we have a more recent example where that rule not has not held true for the short and near term.
As you can see from the top three companies, short and near term impact to the stock price was limited or non-existent. TalkTalk is an outlier possibly due to the manner in which the company handled the incident, cultural differences in attitudes towards privacy and the significant customer churn created by the breach. TalkTalk is a British telecommunications company which provides Internet access, pay television and mobile network services to businesses and consumers. In a report on customer confidence from Kantar Worldpanel, Imran Choudhary, Consumer Insight Director states:
Customers have lost faith in TalkTalk as a trustworthy brand. The provider saw its share of the home services market fall by 4.4 percentage points quarter on quarter in terms of new customers, only 1.4% of whom gave reliability as a reason for joining the provider in the last three months – well below the market average.
TalkTalk continues to offer some of the most attractive promotions across the home services market and almost a third of its new customers did choose it for this reason, but there can be no doubt that it lost potential customers following the major data hack. If it’s to recover from recent events TalkTalk will need to offer more than just good value.
At this point, there have been five arrests in relationship to the TalkTalk breach of October 2015, with suspects ranging in age from 15 to 18 years of age. Time will tell if the TalkTalk breach continues to negatively impact the company’s share price and its bottom line.