To Catch a Breach: Why Companies Aren’t Investing in Cybersecurity
February 21, 2020 | By Michael Adkison
Researchers: Vernon J. Richardson, Rodney E. Smith, Marcia Weidenmier Watson
How much do you trust a swipe of your credit card? With just one swipe, an unsecure system can read your credit card’s number, expiration date, and security code. Consumers across country say that identity theft from hackers is their biggest fear. But there’s a major problem: security breaches are far too common.
As Cisco CEO John Chambers famously said: “There are only two types of companies: Those that have been hacked and those that don’t know they have been hacked.”
Six years ago, the Target Corporation faced one of its biggest challenges in its century of business: a security breach in which hackers stole 40 million credit cards and 70 million customers’ personal information. The fallout from the breach resulted in the resignations of Target’s CEO, CIO, and CISO, and more than $100 million in reparations over the next year.
Desperate times call for desperate measures, right? Except that $100 million is less than .01 percent of the company’s sales revenues that year, hardly leaving a dent in Target’s earnings. Maybe the problem isn’t your credit card; maybe it’s the companies that aren’t investing in cybersecurity for their customers.
Many companies that have faced cybersecurity breaches, like Target, don’t face much economic downfall in the aftermath of a breach, so many companies opt to not invest in security. Vernon J. Richardson, Rodney E. Smith, and Marcia Weidenmier Watson investigated this notion in their 2019 publication Much Ado about Nothing: The (Lack of) Economic Impact of Data Privacy Breaches.
As Sony’s director of information security Jason Spaltro said in 2007, “I will not invest $10 million to avoid a possible $1 million loss.” Somewhat ironically, Sony Pictures itself was hacked in a massive security breach just seven years later, despite publicized warnings from auditors, which begs the question these researchers ask: do these companies care about cybersecurity?
The Aftershock
In recent years, there have been many studies and articles on the effects of a security breach, but never to the extent of this article. “Much Ado” examines the repercussions of more than 800 breaches across over 400 companies between 2005 and 2017, including high-profile breaches like Target (2013), Home Depot (2014), and Equifax (2017).
Many of these previous articles focus on the stock market reaction to a breach (i.e., does a breached company’s stock increase or decrease?), but less so analyze other measures of “breach aftershock.” The writers analyze four specific measures for the effects of a breach on a company: stock market reaction, company performance, impact on audit, and impact on SOX 404.
Much of the previous research on reaction to a cybersecurity breach finds that there is little lasting effect on the stock market. “Even if there is a short-term scare and reaction on the stock market to a data breach, we would expect no long-term impact because there is generally a minimal impact on future performance.”
Think back to Economics 101: while stocks might drop for a short period of time, more likely than not they will revert to their original stance in the long run. But those effects in the short run tend to vary, with some companies’ stock significantly dropping and others’ facing little change. Overall, however, studies show that most companies do face some negative, if brief, repercussions in the stock market.
Prior studies have analyzed the effects of a breach on a company’s overall performance, but most of these studies lack the breadth of “Much Ado.” The writers ask three questions to examine breaches’ impact on company performance:
- How do breaches affect the company financially?
- Does preventing breaches cost more than experiencing one?
- Do breaches tarnish a company’s reputation, future sales, and profitability?
In 2017, the average cost of a breach was $7.35 million, a five percent increase from the year before. While breaches seem to grow more expensive, there is not a significant financial impact in experiencing breaches. Investigating the effects on a company’s reputation or future is difficult, but the researchers analyzed future financial statement data on breached companies to see how a security breach alters a company’s reputation.
When a driver gets in a car accident, his or her insurance rates skyrocket; so, when a company is breached, their audit fees must increase, right? Probably, but the facts aren’t so clear because the first studies on the relationship between cybersecurity and auditors occurred in 2016. That study found that auditors do tend to raise their fees after breaches, because of the increased risk.
Subsequent studies, however, have found that it’s not quite so simple. “The impact of a breach on audit fees is not clear,” the writers say. “But, one cannot discount the opportunity for auditors to opportunistically charge more following a data breach.
In 2003, the Securities and Exchange Commission (SEC) adopted Section 404 the Sarbanes-Oxley Act, commonly known as SOX 404. SEC registrants, under SOX 404, must include statements assessing internal security and potential risks. In just one year of SOX 404 reporting, nearly fifteen percent of SEC companies found potential security weaknesses in their Information Technology (IT) controls. “SOX 404 is most effective at identifying control problems when there are credit card breaches (100 percent) and insider breaches (33 percent), but not other types of breaches.”
Just like the other measures of breach effects, there are mixed results for previous studies on SOX 404; while the risk-assessment has some advantages, there are some weak spots which leaves businesses susceptible to security breaches.
Breaking Down a Breach
The million-dollar question, then, is whether or not any of these measures are substantially impacted when a company faces a breach. The researchers used a sample of 827 breaches across 417 companies (which, they note, is a much larger sample than many prior studies) and matched these breached companies with other businesses of similar size, stock performance, and returns. After multiple tests and studies, the results are staggering.
Breaches occur more frequently in retail, banking, and internet service companies, and the number of breaches has significantly increased since 2009. The data reveals that, rather than the breach itself, the market reacts to disclosure of the breach— for a few days. “By the 12th day following the disclosure, cumulative returns are equal [between breached and matched firms] and remain equal for the rest of the selected period.” In the short run, the market jumps in fright after disclosure of a breach, but in a longer period of time (even just a month), there is hardly a difference between a breached and an un-breached company.
When it comes to future performance, experiencing a security breach has little, if any, direct impact on future revenue, sales growth, or returns. Think about Target’s breach: are you shopping at Target any less than you were six years ago? Target’s annual report for fiscal 2018 reported a net income of $2.9 billion, which is the same net income for fiscal 2013, right before the security breach. So, while a breach might alter net income in the short run (as it did for Target, which had net losses of over $1 billion in 2014), future earnings in the face of a breach are practically unpredictable.
And that pattern continues across the board. The data shows that even auditing fees are not significantly different between breached and un-breached firms, even though raising fees seems to be the obvious choice for an auditor when their client is breached. And the researchers find that SOX 404 reports have little predicting power regarding breaches. “Breach firms only report internal control weaknesses in about 2 percent of the firm years prior to the breach disclosure and after the disclosure,” and matched firms report at an equal rate.
Let’s get this straight: no long-term consequences on returns, no effects on future performance, no changes in fees, and no way to predict a breach. So, why would a company even bother trying to protect their security? “On average, there is little impact from a data breach,” the writers say, “except in those rare situations involving massive data exposures.” Some companies have a lot to lose in the face of a breach; Equifax lost nearly 36 percent of its value after 148 million customers’ personal information was stolen. There might not be an efficient way to predict a breach, and often times it might be costly to try. But ignoring cybersecurity can potentially have dire consequences.
Gambling with Breaches: What Should Your Business Do with Cybersecurity
Generally, any business deals with sensitive information; even a non-sales company without credit card records likely has personal information of its employees stored somewhere. So, most companies, in some way, are susceptible to security breaches. What, then, should these businesses do? “Companies are unlikely to change their investment patterns unless the cost of breaches increases dramatically or regulatory bodies enforce changes.” The problem is by the time your business decides the breach will be “dramatically expensive,” more than likely, it’s too late to save the business.
Deciding how much to invest in cybersecurity is kind of like playing business Russian Roulette: most of the time, the consequences of a breach are minimal, but, once in a blue moon, the results are detrimental. The answer, unfortunately, is not very clear, and it’s mostly in the hands of the business. Maybe your company invests significantly in cybersecurity because the risks are too great; maybe your business takes after the Sony executive who refused to invest significantly in cybersecurity. Either way, the decision is up to the business.
However, the researchers posit another way to advocate for cybersecurity: new business regulations. “While the rate of breaches is increasing, many breaches are not detected or disclosed,” they write. “One potential way to help enforce that companies be held accountable for data breaches is to require breaches to be reported in an 8-K filing.” Or perhaps advocate for expanding SOX 404 requirements to annually evaluate their financial reporting controls.
Breaches are growing costlier and costlier, and they’re increasing year after year. The facts of cybersecurity today may change significantly in two, or five, or ten years. Your business can prevent mistakes in the future by investing in cybersecurity today.