While it often seems that companies skate through major breaches of consumer trust with little more than a short-term blip to cash flow or market capitalisation, the evidence suggests that the negative impacts may be more long-lasting and serious. And not just for the executives who lose their jobs: ultimately it looks like shareholders are the ones taking the biggest hit.
When we started reporting the gathering argument by technology brands that trust matters as a competitive advantage, our readers started pushing back. In principle, the argument seems right — but where is the evidence that companies really pay a price for breaking their bond with customers?
Let’s review some of the decade’s major brand scandals:
- In 2017 it emerged that the Uber workplace was a toxic swamp with one of the ugliest and most misanthropic work cultures in Silicon Valley (and that’s saying something), but customers kept ordering its services;
- In 2016 Mark Zuckerberg and Sheryl Sandberg basically handed America to the Russians courtesy of Cambridge Analytica, but their revenues keep climbing;
- And starting in 2015 Volkswagen was caught lying through its rear exhaust pipes about its nitrogen oxide emissions — they were 40 times worse than claimed — yet its share price has added almost 50 per cent since the dark days of its dishonesty were revealed.
So where is the evidence that consumer trust really matters?
Happily, it’s there in the data. At least, it’s there in the foundational layer of trust: cyber security and data architecture.
At the most basic level, research by the Ponemon Institute found that the per capita (per record) cost of a data breach has increased by 60 per cent over the last decade. But that reflects the growing sophistication of attacks as much as it does the impact of data breaches or brand scandals.
Significant breaches generate plenty of media noise and bad headlines. Share prices get smacked and reputations tarnished. But life goes on: shareholders tend to forgive, and consumers often seem disinclined to change their behaviour en masse.
Corne Mare, Director of Security Solutions, Fortinet Australia, noted that there can be exceptions to the rule when it comes to share price. Mare points to International Airlines Group, whose share price has not recovered since British Airways was hacked last year.
“However, while immediate business performance may be impacted following a breach, it seems the market is quite forgiving of most companies when it comes to compromised data in the long term. And there is evidence that consumer and investor trust is not necessarily broken after a data breach,” Mare said.
“There has been some great analysis of the impact on the share price after a data breach. While after two weeks share prices dropped on average, for the companies examined they recovered after the first month and even performed better in the six months following a breach.”
On the flip side, however, Jacqui Kernot, Partner, Financial Services and Cyber Security at Ernst & Young, told Which-50 the firm recently encountered the first company to receive a credit downgrade due to cyber security breaches, years following an event.
“It is unlikely to be the last, now that a precedent has been set,” she said.
To understand what happens to companies when they fail to keep their customer data safe from malicious actors — or even accidental disclosure — Which-50 consulted industry and academic research, as well as cyber security experts, to try to quantify the consequences of breaking at least the foundational consumer trust.
Nick Savvides, Chief Technology Officer, APAC for Symantec, acknowledged that, while consumers may rank security as a key consideration when purchasing products or services, their actual behaviour shows otherwise. But that could change if consumers are offered security-focused alternatives.
“Consumers will often trade privacy and security for convenience. However, as companies place more focus on security as a differentiator for products and services, data breaches will begin to have more of an impact on the reputation of the company and potentially see consumers move on from a brand as a result of a breach,” Savvides said.
According to Steve Moros, Director of Cyber Security, Cisco Australia and New Zealand, “With an increased focus on compliance and regulation through GDPR — and in Australia with the mandatory Notifiable Data Breaches Scheme — we’re seeing the impact of these breaches publicly and more frequently.”
“Breaches cost more than money. A breach impacts trust, and when a brand is impacted this can result in challenges in customer retention. In the wake of a breach, CISOs are most concerned about operations (36 per cent), customer retention (33 per cent) and brand reputation (32 per cent), according to Cisco’s 2019 CISO Benchmark study. They (CISOs) are becoming strategic business advisors.
“Cyber security is no longer solely an IT issue. Organisations must manage threats as both a technical and financial risk. The key takeaway is that attacks are increasing rapidly and becoming more sophisticated, making it more challenging to defend,” he said.
“Increasing awareness of cyber security, and education, are the critical elements for organisations to adopt this into their process and culture, in conjunction with technology. This is the only answer when it comes to increasing cyber resilience and reducing the exponential volume and sophisticated attacks.”
Paying the piper
And it also turns out that, yes — the financial impacts of failing to manage the risk can be significant, as an academic study from the UK demonstrates.
According to Leonard Kleinman, Chief Cyber Security Advisor, RSA Australia, the Warwick Business School at the University of Warwick in the UK has studied the long term impact of cybersecurity breaches on companies. “They did in-depth research on this topic. There were some qualifiers — for instance they looked at breaches that were reported in the media.”
And, he says, these were typically large organisations with billion-dollar valuations.
The initial reactions were those you might expect. “One of the common observations was that the share value and the liquidity of the firm dropped significantly on the day of the breach and for a few days after that. It did pretty much dissipate within two to three days.”
More interesting, however, is that the researchers also discovered real and lasting impact on firms over the long run. “For long periods into the future, these companies typically paid lower dividends, so investors suffered over time. Second, the organisation that experienced the breach also invested less in research and development for up to five years after the attack.”
Kleinman said this was presumably because funding was diverted to everything from greater investments in security hardening programs to try to remediate problems, to brand rebuilding and media management.
The report, called Cyber Attacks and Stock Market Activity, authored by Dr Daniele Bianchi and Dr Onur Tosun, analysed data breaches at 41 publicly listed companies in the US between 2004 and 2016.
Describing their paper, the authors noted, “As a matter of fact, the knock-on effect of a data breach can substantially affect a company’s reputation, resulting in abnormal customer turnover and loss of goodwill, which in turn affect firms’ policies and ultimately revenues and profits. For this reason, companies are often reluctant to reveal information about security breaches due to fear of both short-term and long-term market reactions.”
The study focussed solely on breaches reported by the media, including stolen hardware, insider attacks, poor security, and hacking.
These occurred at large companies, with an average size of $US35.4 billion in total assets, consistent with existing evidence that hackers are more likely to choose high-profile targets.
“In the long run, security breaches appear to have a more significant impact on firms’ strategies and policies than their cash flow,” Bianchi said.
The paper did not examine consumers’ and regulators’ reactions to the breach (for example, whether class actions were launched or fines issued by regulators), but it noted that reduced spending on R&D and lower dividends were an attempt to manage the financial risks.
“Incidents of security breaches that reveal sensitive and confidential information can lead to litigation and government sanctions, but also to a loss of competitive edge against competitors through a reduction of resources dedicated to R&D, dividend payments, or investments more generally,” said report co-author Onur Tosun.
Who can we blame?
The study also found that CEOs are unlikely to lose their jobs, and in fact even enjoy a pay rise after a cyber attack. That’s because firms tend to double down on their investments to address possible structural flaws, and try to maintain the integrity of the firm in response to the reputational damage they have suffered.
But someone needs to get the blame.
Mare, a cybersecurity professional with more than 15 years’ experience, highlighted several instances where C-level staff members resigned or retired after a data breach in recent years — including Target CIO Beth Jacob, OPM CIO Donna Seymour, Sony Pictures Entertainment chief Amy Pascal, and Equifax’s CIO David Webb and Chief Security Officer, Susan Mauldin.
Gartner analyst Paul Proctor argues that more CEOs will be fired for cyber security breaches in the future. A prime example is Equifax CEO Richard Smith, who resigned after backlash over a massive data breach.
The increased pressure on executives is helping raise the importance of cyber security in the C-suite and board. Chester Wisniewski, Principal Research Scientist at cyber security company Sophos, says until a few years ago there was very little evidence that cyber security mattered to companies over the long term.
“After the incidents at Target, Equifax, and others, we are now seeing executives forced from their posts and more and more public companies like Facebook having to acknowledge cyber-risk to regulatory authorities. This is having an impact on shareholder value and public trust in affected companies,” Wisniewski said.
Getting back to business as usual
Savvides, meanwhile, said the outcomes will vary by organisation, based on their response, and the extent of the data breach.
“While most companies will eventually return to normal business practices post-breach, the speed at which an organisation bounces back continues to be the biggest variable,” he said.
Kate Healy, Principal Cyber Security Strategist at Telstra, said companies often underestimate the ongoing operational effort required to recover from and remediate a breach, which can take months or even years.
“One of the challenges observed in this space is that most organisations are not prepared for an incident,” Healy said.
“Twenty-two per cent of global respondents to the 2019 Telstra Security Report said they did not have or did not know if their organisation had an incident response plan. Incident response plans are critical in not only managing an incident but minimising the impact through appropriate communication with stakeholders and customers.”
Customers’ reactions to data breaches vary widely. Consumers seem to weigh how directly the breach affects them against how useful, convenient or necessary the company’s service is. Experts also argued that consumers would be forgiving if a breach was handled quickly and transparently.
“Consumer responses run the gamut from taking no action, to changing who they do business with, to improving their own personal security and thinking more about what they do online,” Ernst & Young’s Kernot said.
Graeme Pyper, ANZ Regional Director for Cloud Protection and Licensing Activity, Thales (which acquired Gemalto earlier this year), highlighted the connection between brand trust and customers’ dependency on a company’s products or services.
“If you come out with one data breach, users consider what was lost, weigh up the services and carry on with their business. However, if it’s continual poor practice and publicity over a continued period of time, I think brand trust diminishes.”
He cited the example of UK telco TalkTalk, which suffered a data breach in 2015 in which the details of more than 150,000 customers were stolen — including bank account details of about 15,000 of those customers. Initially, it lost 95,000 subscribers, and after a further breach approximately six months later lost more than 150,000 customers.
“It’s not about what you find initially, it’s about what you find over a longer term. And the more things you find out, you need to disclose that. So for TalkTalk it was about drip feeding more and more bad news to those impacted which in turn affected their brand reputation. All in all, it cost the company £60 million. On top of that, TalkTalk was also fined £400,000 by the ICO.”
At the other end of the scale, if consumers see little or no consequence from a data breach it is easy for them to go back to their normal ways. Or, as Pyper put it, “If something is too hard we won’t do it”.
He offered the example of car-share service GoGet, which identified a breach in mid-2017 and revealed it in January 2018.
“It is still utilised and, in fact, we haven’t heard anything since from the brand. For those people who don’t own cars but need an option for transport, GoGet is an accessible solution — so the need for service would outweigh the threat of abandoning the brand.”
Joss Howard, NCC Group APAC Head of Risk Management and Governance Consulting, says customers are likely to be upset initially, but few actually leave, referencing the example of Carphone Warehouse in the UK.
“The company did see customers return after the breach. Customer belief is that a company that has suffered the breach will implement the necessary security controls to prevent another occurring. Further, customers are also reticent to leave due to the impact that changing from one vendor to another might have on them. So this, in addition to the belief that the company will increase its security posture, would potentially see minimal loss of customers,” Howard said.
She also noted customer reaction can often be more difficult to measure in the case of B2B2C models, like credit rating agency Equifax.
“Equifax has already spent $US1.35 billion, which doesn’t include any lawyers’ fees, to sort out the data breach it had back in 2017. However, the long-term impact is hard to determine in this case, as the relationship consumers have with Equifax is often via some other party — so they can’t really take their business elsewhere,” Howard said.
However, beyond taking their business elsewhere, consumers could begin to demand compensation for breaches through the courts.
Howard highlighted the Morrisons supermarket case in the UK, in which the victims of the breach are claiming that Morrisons is vicariously liable for the actions of an employee who stole and leaked colleagues’ payroll data.
Richard Gerdis, GM & VP Sales, APJ, Delphix, also raised the possibility of litigation as an emerging threat.
“While there is still uncertainty about the right to sue for breach of privacy in Australia, we have seen that, in countries where such laws are well established, such as the US, new records are being broken each year in terms of the number of security class actions,” he said.
A shift in behaviour?
Howard noted that, since GDPR came into force one year ago, NCC’s clients have increasingly been queried by their customers about what personal data is being kept, and the protection measures that are in place.
A number of experts noted that Australia’s resistance to MyHealthRecord (more than 2.5 million people opted out of the ehealth system) demonstrates that customers won’t share their data if they suspect it will not be kept safe.
Chester Wisniewski of Sophos summarised the consumer mood: companies are witnessing an increase in awareness at the consumer level, but it hasn’t yet crossed over into widespread behaviour change.
“Awareness of the incidents certainly increases, but there is little indication that consumers are changing their behaviour with regard to online services. There is a lot of talk among average people about Facebook and privacy, the Huawei controversy and similar high profile debates, but there has yet to be a mass revolt or wave of cultural change about security and privacy,” Wisniewski said.