The long-held view is that breached companies are cast aside by consumers, investors and shareholders. A breach isn't just a temporary glitch – it's a mistake, a faux pas, which you can't just shake off.

This warning has been used by information security professionals over the course of the last five years, and for good reason: nothing gets a CEO's or CFO's attention on security matters more than "this is losing us money".

However, on closer inspection, it could be argued that this reputation argument is a falsehood.

Over the course of the last 18 months, we've seen some of the biggest, most widespread data breaches in the history of the Internet.

Target was compromised via its third-party air conditioning supplier in 2013 (40 million credit card records were stolen); Sony Pictures Entertainment was allegedly hacked by a nation-state, resulting in the release of one unreleased film, the postponement of another, and terabytes of sensitive data posted on Pastebin. Then there have been Anthem, JP Morgan, OPM, Sears and TalkTalk, to name just a few other breaches affecting millions of people.

Breaches are now becoming a daily occurrence, but the companies themselves appear unmoved.

Consumer trust is often damaged

One thing is clear: a data breach is a PR and financial disaster. Companies often spot the intrusion too late and respond inadequately, resulting in (temporarily) falling sales and journalist outrage.

Customers, for one, will often vote with their feet. UK-based fraud prevention company Semafone last year found that the overwhelming majority of people would not do business with a company that had been breached, especially if it had failed to protect its customers' card data.
In the survey, conducted by OnePoll, 86.55 percent of 2,000 respondents stated that they were "not at all likely" or "not very likely" to do business with an organization that had suffered a data breach involving credit or debit card details. The numbers were slightly lower if home and email addresses and telephone numbers had been lost.

"These figures serve to underline what we should already know – that the reputational damage suffered by companies who fail to protect personal data can translate directly into a loss of business," said Tim Critchley, CEO of Semafone.

It's true to say that customer loyalty damage is done in the event of a breach, and that sales do take a nose-dive. Target's sales fell by 46 percent year-on-year in the fourth quarter of 2013 to $520 million (or 81 cents a share), while eBay (breached in mid-2014) admitted that declining user activity impacted its quarterly net revenue.

There are other financial costs to bear, including additional security (pen testers, consultants, security vendors, PRs and lawyers), litigation and fines by data protection authorities.

This said, it could be argued that big, established companies are confident they can ride past the fines and fees and keep hold of their customers. The UK's TalkTalk even locked some customers into contracts – albeit with improved packages – on that basis.

To add to this, there is a theory that stocks eventually recover, a view backed up by Sean Mason, director of threat management at Cisco security services, a man who has previously claimed to have "debunked the myth that breaches materially impact stock price."

He's got a point.
For example, Home Depot's data breach, which saw the compromise of 65 million customer credit and debit card accounts, saw breach-related costs come in at around $62 million. The company's stock price decreased minimally one week after the announcement, but in the third quarter of 2014 Home Depot showed a 21 percent increase in earnings per share.

Target's breach, culminating in the loss of over 100 million customer records, saw the retailer's stock drop 10 percent afterwards. But by February the retailer had experienced its highest percentage stock price regain in five years.

There are other notable examples: Sony Pictures Entertainment saw its stock price keep growing following the announcement of its breach in 2014, while stock prices at JP Morgan Chase were stable following the breach and then rose shortly after. eBay, closing at $51.88 after the breach on 21 March, grew to $59.74 exactly a year later.

Amar Singh, former CISO at News International and founder of Give01Day, told CSO Online that this is because breaches have no long-lasting effects: "Let's be honest, a cyber-attack is not having life impact. CEOs and CFOs are not idiots…but unless [a breach] really affects 'real' life, organizations don't care. Your data is my data – it's all virtual. A culture change is required, but sadly you still can [ride this out]."

Reputational damage is real

Reputational damage sees a difference of opinion, though. InfoSec folk largely agree that breaches impact the bottom line, but that – managed and responded to adequately – it can become business as usual (BAU). Stock prices recover, and stakeholders are appeased.
Data protection authorities can be held off at arm's length.

But ask them if there's a longer, more intangible brand damage done and it's a hard one to call.

Earlier this year, Ponemon Institute's "The Aftermath of a Mega Data Breach: Consumer Sentiment" revealed that data breaches were up there with poor customer service and environmental disasters for impacting brand reputation.

Elsewhere, the Forbes Insights report 'Fallout: The Reputational Impact of IT Risk' indicated that 46 percent of organizations had suffered damage to their reputations and brand value as a result of a breach. Another 19 percent of organizations suffered reputational and brand damage as a result of a third-party security breach or IT system failure.

Jane Frankland, managing director of consultancy KnewSmart and formerly of SensePost and NCC, said that such figures highlighted the importance of brand and corporate reputation "and the damage a breach can do if it's not dealt with properly."

Ed Wallace, director of advanced threats at MWR InfoSecurity, agreed with the latter point, but suggested that breaches are par for the course for companies.

"Being breached currently, by and large, doesn't affect your reputation. There are few exceptions of course. But how to manage a breach can affect your reputation and that's a very different thing."

Singh took a stronger line: "Sony hasn't gone bust, they're still up and running, Target is still around…small companies don't believe it either and yet more of them go bust than larger companies."

"The reality is that there is no accepted formula for measuring 'brand reputation'," added Cisco's Mason.
"Brand value is generally accepted as a number of intangible data points that point towards consumer feelings toward the brand and how much of a premium they would consider paying above a competitor – it really has nothing to do with monetary loss."

Frankland believes companies are waking up, but this requires good CISO-CEO communication.

"Organizations must protect their corporate reputation as an increasing importance is being placed on business ethics and governance. Furthermore, consumers, investors, partners, employees and shareholders are holding organizations accountable for their actions. Corporate reputation matters.

"A favorable corporate reputation is a valuable, yet intangible asset. It plays a vital role in attracting the best talent, suppliers and investment." The best talent will take jobs, suppliers will reduce contractual risks by working with partners they trust, and financial analysts include reputation metrics as part of investment criteria.

The experts were in agreement that this must be made known to the CEO, with Frankland in particular stressing that the responsibilities are on the CISO's shoulders.

"What C-levels want from a CISO is a risk metric and a value in terms of cost. They want to understand exactly what their liability will be if such an event were to take place. CISOs need to be able to give C-level execs a definitive answer on this, yet often it's hard as asset registers are missing, digital footprints are unknown, risk models are complex and claim forms are dubious.

"It's also not just a case of response and reputational damage costs or legal and contractual fines. In some cases, it's all of those plus more and an organization may be brought to its knees. In others, it might not be as bad as the organization thinks."

Minimize damage with proactive response

It's clear then that breaches do result in damaged trust, to a degree damaged brand reputation, and damage to the bottom line.
Target and JP Morgan pledged to spend an additional $100 million and $500 million respectively on security post-breach, while Target also had to pay back card issuers, and lost $236 million in breach-related costs ($90 million of which was offset by insurance).

The experts believe that this cost – and brand damage – can be significantly reduced if a breach is responded to properly.

"An organization can minimize the impact by taking appropriate action," said Frankland. "For example, an organization can ensure that it has an incident response plan, a crisis management plan, full media training for any spokespeople, and that a war games exercise is performed to test resilience."

Mason added: "Before a breach happens, you should have your people and processes nailed down. If and when a breach does happen, ensure you're communicating as required, as quickly and truthfully as possible."

Wallace says response is vital, especially with new laws like the EU's GDPR pushing companies to report breaches – or face fines. Other experts, including lawyers, call for internal communications to be joined up between management, PR, and regulatory and litigation experts when dealing with breaches.