Serious cyber security breaches can have an immediate and noticeable impact on a company. But what about the long-term effects that boards and managers need to consider?
The immediate consequences for the organisation and for its customers are obvious.
Operationally, a serious breach can impact all aspects of the business. Depending on your product or service, your customers can be seriously affected. In fact, depending on the service you provide and the nature of the breach, the effect can be catastrophic.
Reputation and brand damage are also huge issues. If your customers’ trust in your company is severely compromised it may take years to recover. In the worst case, the loss of trust may be permanent.
There is another critical issue to consider, says Thomas Fikentscher — Regional Director ANZ, CyberArk. “Digital transformation is accelerating rapidly due to the impact of the pandemic. This means the risks of a breach in the digital armour are getting worse as the reliance on digital infrastructure is increasing.”
According to management consultancy McKinsey and Company, in just six months during 2020, its corporate clientele experienced seven years’ worth of digital transformation. They had no choice — business as usual was no longer an option.
“But in such a setting, companies and boards need to be confident that digital acceleration can be undertaken safely,” says Fikentscher.
“You can innovate at speed without adequate cybersecurity … until you get hit,” says Roger Sharp, the founder of North Ridge Partners and the chair of Webjet. “When you get hit, innovation grinds to a halt as all hands move to the pump, focusing on survival.”
He says, “If you don’t have appropriate cyber security in place, you’re playing roulette. It doesn’t really matter how well you’re innovating — it could all be undone in a minute.”
Counterintuitively, the focus on the short-term hit can mask long-term damage, especially if, as often happens, the share price rebounds as the noise dies down. The amount of focus and time that an incursion requires can result in organisational paralysis.
There is evidence, indeed, of a more corrosive long-term impact from serious breaches.
A study by Dr Daniele Bianchi and Dr Onur Tosun at the Warwick Business School in the UK found that, over a five-year time frame, dividend payments fell and innovation suffered, as measured by R&D spend.
According to Tosun, in a blog outlining the results, “As a matter of fact the knock-on effect of a data breach can substantially affect a company’s reputation, resulting in abnormal customer turnover and loss of goodwill, which in turn affects firms’ policies and ultimately revenues and profits.”
This, he says, is one reason why companies try to hide news of breaches.
“Although measuring the true cost of security damages to a business is often difficult, examining the changes in market activity and valuations around hacking events provides an efficient way to assess the immediate economic impact of security breaches. Studies show that the effect of security breaches on market activity is highly significant,” Tosun said.
It wasn’t simply stock returns that were affected, as the paper notes. “In fact, both trading activity, proxied by the dollar-valued traded volume, and market liquidity, proxied by a normalised bid-ask spread, suggest that market quality tends to deteriorate and is dominated by a selling pressure.”
According to Tosun, “This is consistent with the conventional wisdom that posits that successful cyberattacks represent unexpected negative shocks to a firm’s reputation and, in turn, on its growth prospects.”
The study also suggested that security breaches were negatively, yet weakly, associated with dividend payments and R&D investments. “Target firms tend to pay no dividends and invest less in research and development within the five years after a cyberattack.”
This is not surprising, says Fikentscher. “The resources that would otherwise be invested in innovation — and therefore growth — are diverted into addressing the security risk exposed by the breach.
“And the amounts can be huge. After it was breached in 2017, Equifax embarked on a $1.2 billion transformation program both to improve its business but also to ensure it had the best infrastructure, process, and talent in place to protect its customers’ data,” he said.
Credit rating risk
The study also indicated that breaches tended to lead to “a deterioration in credit ratings while they issue more debt and increase leverage after a cyber attack.”
In turn, that increases the risk of financial distress and bankruptcy.
According to Warwick Business School’s Tosun, “To alleviate the increased risk, firms can decide to accumulate cash due to its cushion effect through keeping external funds and cutting secondary investments such as R&D. That is supported by these results.”
Ultimately, Bianchi and Tosun found that CEO compensation, R&D expenses and dividend policies significantly react to hacking events for target firms. “Overall, these results indicate that, in the long run, security breaches are significantly associated with future changes in firms’ strategies and policies above and beyond future cash-flows and operating performances.”
This article was produced by the Which-50 Digital Intelligence Unit