Two articles today, one in Fortune Magazine and one in Harvard Business Review, each lifted part of the veil on a dirty little secret about data breaches. From Home Depot to Target to Sony, big companies that were hacked because of a successful phishing attack barely felt it, whether measured against their total revenues or in their stock price.
Despite the fired CEOs, towering legal bills, and very unhappy consumers, the actual costs related to these massive data breaches turn out to be less than 1% of total sales once the insurance reimbursements are paid.
Fortune said: "That is the stunning conclusion of an analysis by Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs. Dean—who also has a background in accounting—pored over 10-K filings for Sony, Home Depot, and Target after their recent, well-publicized security breaches. Keeping an eye out for breach-related expenses in these companies’ quarterly financial reports, Dean discovered that the actual expenses reported by these companies amounted to less than 1% of each company’s annual revenues." "For instance, “Sony believes that the impact of the cyberattack on its consolidated results for the fiscal year ending March 31, 2015 will not be material.” Translation: <Shrug>."
One more quote: "Target’s gross expenses totaled $252 million, insurance compensation brought that down to $162 million, and further tax deductions yield a final $105 million. While larger than either Home Depot’s or Sony’s outlay, the final amount is not so wounding in the grand scheme of things. “This is the equivalent of 0.1% of 2014 sales,” Dean notes."
The Harvard Business Review angle:
"Recent high-profile data breaches like those at Target and Home Depot have exposed the private sensitive information of millions of employees and consumers. While consumers are rightfully worried that their personal information may be compromised, shareholders and companies’ management have a wider set of concerns, including loss of intellectual property, operational disruption, decreased customer trust, tarnished brand, and loss of investor commitment. Companies are spending millions in litigation costs, efforts to restore brand loyalty, and refunds.
"However, even the most significant recent breaches had very little impact on the company’s stock price. Industry analysts have inferred that shareholders are numb to news of data breaches. A widely accepted notion goes that there are only two types of companies: those that have been breached and those that don’t know they have. It is true that breaches are expected and have become a regular cost of doing business, but there are deeper reasons for the market’s failure to respond to these incidents.
"Home Depot’s hack compromised 65 million customer credit and debit card accounts. Breach-related costs are estimated to be around $62 million. The company’s stock price decreased slightly one week after the announcement. In the third quarter of 2014, Home Depot showed a 21% increase in earnings per share.
"During the 2013 holiday season shopping period, Target was the object of then the biggest cyber attack on a retailer. Credit and debit card data of 40 million customers and personal information of about 70 million were said to be affected by the breach. The stock experienced a 10% drop in price in the aftermath of the security breach, but by the end of February, Target had experienced the highest percentage stock price regain in five years."
There is some criticism of this way of looking at it. First of all, the analysis took revenues as the benchmark, not profits. “It makes a difference to management if an attack consumes a big chunk of your profit or worse, pushes you from the green into the red side of the ledger,” Intel Security analyst Matt Rosenquist writes on their company blog. Second, there is the problem of consumer faith that might slip over time, but people are suffering from breach fatigue and expect identity theft to happen to someone else.
The upshot?
Companies need to invest in IT security or in the long run consumers will start paying cash only, and only patronize them when they have to. Once you are the victim of identity theft, you know the incredible hassle this involves and do not wish it on your worst enemy.
We need a much larger carrot and stick here for large enterprises. The incentives and deterrents need to be a lot larger, not a $10 million slap-on-the-wrist settlement like the one Target got away with in a class action lawsuit for their huge 2013 data breach.
HBR concluded: "Now that major security breaches have become an inevitability in doing business, companies should put strong data security systems in place, just as they protect against other types of business and operational risks. However, companies whose assets are primarily non-digital have less incentive to invest in prevention if they know their stock price will survive — and that takes a toll on the overall economy and consumer privacy."
For small and medium organizations, the picture could not be more different. Almost 60 percent of SMBs that are hit with a data breach are out of business in 6 months.
Given that all these data breaches were the result of employees falling for phishing attacks, we could not agree more. Effective security awareness training is a must these days to protect against these kinds of attacks. Find out how affordable this is for your organization today.