Sitting down at a security conference the other day, someone asked me what cybersecurity brand / reputation creation is all about. After sharing the highlights with the table, who were all seemingly quite interested in the possibilities, there was one sales person “vendor” who jumped in to say that he couldn’t see any value. His loudly stated belief was that if you go back and look at the big data breaches, you will see that the stock prices recovered. His assessment was simply that the brand just had to not pour gas on the fire and wait it out.
This certainly wasn’t the first time I have heard this argument. In fact, I expect to hear it raised in any group security conversation. So what gives? Is he right, wrong, or somewhere in between? Is the stock price really all that matters? Or is this perhaps a widely shared attitude/perspective that ultimately does more harm?
Let’s break it down the key interest groups and see where things land. What can be learned from security, marketing, and the chief executive perspectives?
Data Breaches and Stock Prices:
Perspectives: Short Term (Marketing and Security Focus)
The Ponemon Institute needs no introduction to anyone in cybersecurity. They are highly respected for their reporting and insightful analysis and are quoted tirelessly by security executives everywhere. And as their detailed report on the subject of reputation and share value highlights, this is an area that needs to be better understood by all. And thankfully, they see that CMOs are integral to the discussion.
The loss of stock price is possibly a blind spot for CMOs and IT practitioners | the biggest concern to both IT practitioners and CMOs if their organization had a data breach is the loss of reputation. Only 20 percent of CMOs and 5 percent of practitioners say it would be a decline in stock price. In fact, in organizations that had a data breach, only 5 percent of CMOs and 6 percent of IT practitioners say a negative consequence of a data breach was a decline in stock price.
Ponemon Institute | The Impact of Data Breaches on Reputation and Share Value
Ponemen’s report goes on the note that “there is a clear and direct correlation between a data breach and a stock decline”, with an average 5% drop after a breach event is publicly disclosed and then a “full recovery of index value about 45 days following the event”. And this is pretty much the narrative revealed by many other recent studies on the subject.
That’s surely music to the ears of those who believe that stock price alone is all that matters. But it should not be taken out of context to suggest that just waiting and average of 45 days means that everything will by hunky dory. The report also reveals averages of 7% loss of customers, 31% of consumers discontinuing their relationship, and 66% of IT practitioners not believing their company’s brand is their responsibility, among many other negatives. There’s clearly much more involved and at stake when it comes to the long-term outlook.
Perspectives: Long Term (CEO Focus)
Now that we know that the stock price does, indeed, initially recover rather quickly (just weeks, on average), what does the long term outlook really look like? Before we can answer that, we need to consider all the obvious factors that could weigh down the business. What will perhaps impact valuations and other key business metrics over a much longer time horizon? And what, in addition or relation to the stock price, is keeping the CEO and board members up at night?
- Changes in Management: CEO, CIOs, CISO, and many other key executives may very well be shown the door. Golden parachutes cost the business money. And no executive wants their name mentioned in perhaps countless negative articles. This certainly cost Equifax dearly.
- Profitability: If enough customers, partners, or investors move out, what will that do to the business? What levers can be pulled to compensate? People? Pricing (+ /- or inverse of what was intended)?
- Cost of Capital: This is defined as the opportunity cost of making a specific investment. For example, the cost of a company having to “invest” in more security rather than upgrades to a line of business that would could have generated more revenue/profit.
- Insurance Premiums: The Target breach saw insurance covering about $90 million of what is ow around $300 million (and counting) in total cost/damages. And Deloitte Advisory has shown that 2.38% of the total costs of a breach are for insurance premium costs. And we all know what happens to insurance costs after a big claim is made.
- Brand Reputation: Will the brand damage ultimately be a little or a lot? By comparison, you might see on the local news that a restaurant failed their health inspection. Even if they pulled it back up to a 100 on the next report would you go back? Granted, not everyone will get the news and punish the business. But what if enough do?
- Pay & Bonuses: Of course pay and bonuses might be negatively impacted in the short term. And, quite possibly, for the very long term. Expect the CEO and other key executives to get hit the hardest in response to a data breach. The CEO of Yahoo, Marissa Mayer, lost her annual cash bonus of $2M as well as an annual stock award worth millions more.
- Employees (retention): Employees often enter their own brand crisis as a result of a breach, even when they are not directly implicated. We see this time and time again as LinkedIn profiles suddenly just say *undisclosed* for their employer and the resumes start hitting the recruiters. And you can bet the Chief People Officers (aka Human Resources) are reporting that churn up the the CEO.
- Ongoing Litigation: When just about every email you personally have to deal with suddenly has “attorney/client privilege” in the subject and/or body, you are in a different state of mind. Add to this records retention and e-discovery requests and its clear that the business just changed.
- Customer Churn: What’s to be expected around the abnormal turnover of customers? According to IBM’s 2017 Cost of Data Breach Study, it’s an increase of 5%.
- Regulatory Oversight: Those in highly regulated industries (healthcare, finance) may very well find themselves subject to much greater regulatory oversight, if not having to pay for a regulator to sit in their office every day to watch and report on their compliance.
- Customer Loyalty: Even those customers who do stay with you might just be a bit less loyal. You haven’t lost them, but their long term investment in your goods and services is diminished.
- Executive Agenda: All those great plans that the CEO was pitching to the board and investors might have just flown out the window. So what’s the cost to losing the vision for the future?
Now, let’s look at what all these factors should be expected to do the the beloved stock price over time:
In the long term, share prices continue to rise on average, but at a much slower pace. We saw a 45.6% increase in share price during three years prior to breach, and only 14.8% growth in the three years after. Daily volatility was about the same for both periods.
Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent
Comparitech | Paul Bischoff | Analysis: How data breaches affect stock market share prices
Surprised? I’m guessing the answer to that is a resounding no.
It’s refreshing to see that both marketing and security leaders agree that reputation is really the key. But it’s also a bit concerning that those beliefs seldom drive the vision and execution so that it truly does drive the company value. This means that if marketing and IT don’t appreciate the long-term outlook of the company valuation, then it’s unlikely that they will invest as much as they should to protect the really bad from happening.
To close, as none other than the financial mastermind Warren Buffet has said time and time again, reputation is everything:
It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that, you’ll do things differently.
the top priority — trumping everything else, including profits — is that all of us continue to zealously guard Berkshire’s reputation…We can’t be perfect but we can try to be. As I’ve said in these memos for more than 25 years: “We can afford to lose money — even a lot of money. But we can’t afford to lose reputation — even a shred of reputation.
Lose money for the firm and I will be understanding. Lose a shred of reputation for the firm and I will be ruthless.
Now we all just need to masterfully apply that to information security. Hindsight is not 20/20 here. The failures of any cybersecurity program that misses out on the opportunities to create and lead with their brand and reputation, both internally and externally, has already been foretold.
If there’s only call to action for marketing, it should be to really help define what the brand is for the cybersecurity program. Then, measure that against internal and external sentiment for reputation. And in the end, then turn it into a real source of pride and leadership. That is what will help keep the business on track long after any incident.