Why investors should care about cyber breaches

Major security breaches continue to hit headlines, as businesses are forced to shift from focusing on the imminent nature of threats to calculating their potential financial impact.

Companies are investing billions of dollars in cybersecurity, but the average return on spending for security technology is only 14%. Every year the cost of a data breach continues to rise.

In spite of this, investors and shareholders don’t react strongly to news of a breach.

Target’s stock fell 11% after it revealed it was the victim of one of the largest breaches ever to have happened in the retail industry. But its stock quickly bounced back. Now, its stock is trading at the same level as before the breach.

Home Depot, another victim of a major data breach, has seen its stock surge to a record high and it is now offering customers a free year of identity protection service with credit monitoring if they use a payment card at its stores. News of the data breaches at JP Morgan left its stock largely unaffected. Shareholders seem confident that even large-scale cyber breaches don’t have a long-term impact on a company’s future.

Advocates of cyber-resilience have long been saying that businesses should assume they have already been hacked and develop their strategies based on this assumption. There is also a belief that customers are “numb” to data theft news. That assumption is incorrect.

A study by Experian, the international credit reporting conglomerate, shows three factors have the greatest impact on brand reputation: poor customer service, environmental disasters and cyber breaches.

The impact of cyber breaches on corporate reputation is a new trend and shows tremendous shifts in customer perception. The risk of exposing potentially sensitive information ups the stakes for all commercial organizations. For example, media companies need to protect their sources, as revealing them could have serious consequences.

But there are even more reasons why investors may want to look closer at the impact cyber breaches have on companies. After all, “Every leader is a digital leader. Every company is an IT company.” Therefore, in our digital world, every company can be breached. And the indirect costs of these breaches can be huge: costs related to third-party liability, delay of implementation of clouding, mobile capabilities, and data loss.

Home Depot reports it is facing up to $62 million in costs to cover the investigation and mitigation following its recent breach. This is somewhat offset by an insurance reimbursement of around $27 million it hopes to receive.

According to recent data, the average cost of a security breach can reach $5.5 million. The average annualized cost amounts to $11.56 million while the net increase in costs of a breach grew to 26% this past year alone.

These figures are estimates. Top executives and corporate IT risk managers have been trying different tools and approaches to measure direct costs on their businesses. But lack of relevant data and the complex nature of the assets make it difficult to comprehensively measure costs of cyber breaches. Industry executives from insurance, IT, financial services and consulting industries are looking into several models for quantifying cyber threats, including value-at-risk.

So far there has been no comprehensive estimate of how much companies are spending on cybersecurity and what they get in return. In fact, officials from the US Department of Homeland Security have confirmed that many businesses never know they have been robbed of confidential in-house and customer data.

The fact that breaches are in many cases reflected in stock prices also means that industries are still far away from finding a silver bullet with regard to pricing these breaches . There is a strong push away from hypothetical causes towards measuring observable losses and pricing and measuring the effects of data breaches on intangible assets and third-party liabilities .

Authors: Elena Kvochko is Manager in Information Technology Industry at World Economic Forum. Rajiv Pant is Chief Technology Officer at The New York Times and World Economic Forum’s Young Global Leader.

Image: A man types on a computer keyboard in Warsaw REUTERS/Kacper Pempel