Centrify teamed up with security researcher Ponemon Institute to survey a large group of IT, information security, senior marketing and communication professionals as well as a healthy number of consumers. A key objective of the study was to get a handle on the financial impact of a cyber security breach on a typical organization.
The bottom line (no pun intended) is that, the day the breach makes headlines:
- Your stock price will drop by an average of between 3% and 7% when the breach is announced
- You stand to lose a significant number of your customers
- You will see a corresponding loss in revenue averaging over $3 million.
Not surprisingly, a data breach will result in a stock price decline. A recent example had Chipotle losing more than $400M in market value after announcing a breach. Investors run for the exits when they hear of a security breach, partly because they fear that, when all is said and done, the situation may be worse than what was originally reported.
Companies tend to announce these things quickly – before full investigations are complete – and that can lead to deteriorating numbers as more information surfaces. Investors don’t like this type of uncertainty, and rightly so. If you look back in recent history, breaches are frequently upgraded in terms of overall impact. But I can’t think of a time when a company issued a press release that said, “Oh, never mind, it wasn’t as bad as we’d first thought.”
The skittishness of investors aside, there is something else worth noting here. While the average decline in stock price was five percent, there was a significant difference between those that lost three percent and those that lost seven percent. That four percent difference may seem small, but it can mean millions of dollars in market cap.
Now, you might guess that the difference would be due to strong versus weak brands, or red hot markets versus cooler ones, or perhaps that some companies were already dealing with intense stock price fluctuations.
But the core reason seems simply to be security posture. Companies with a poor security posture lost an average of seven percent of their valuation, while companies with a strong security posture — earned through investments in people, process and technologies — experienced a decline of only three percent. Poor security posture is defined by lack of incident response plans, frequent turnover of IT security personnel and inadequate funding for staffing and investment in enabling security technologies, especially identity and access management.
Moreover, those companies that lost seven percent took far longer to recover. In fact, 120 days after the breach, most had yet to regain the price before the incident. On the other hand, those with a strong security posture had recouped their losses just seven days after the incident. And not only that, they had earned an additional three percentage points 120 days later.
That’s not all. The security-focused companies experienced a relatively low customer churn rate of less than two percent, which led to an average revenue loss of $2.67 million. Security laggards lost more than five percent of their customers and experienced an average revenue loss of nearly $4 million.
That is significant. Organizations with a poor security posture were shown to lose more customers, more revenue and more stock price valuation, and the time to recover was far longer. In contrast, companies that have spent time, effort and resources building a strong security posture were better able to quickly respond to the breach and maintain customer loyalty and trust, resulting in fewer lost customers, smaller revenue losses and less downward pressure on the stock price for a shorter duration.
There certainly is an argument to be made that, even if your best efforts are circumvented by hackers, building a strong security posture still pays off. In the end, a word of advice for finance professionals:
If your company suffers a significant breach, you may lose a percentage of your customer base. And there will be a corresponding loss of revenue. But if you have a strong security posture with a dedicated CISO overseeing a comprehensive security program, hold tight. You may have some rough seas ahead, but you’ll probably recover relatively well.
If, however, you look around and find that your company lacks an effective incident response plan and has a revolving door for IT security professionals, it might be a good time for a long vacation.
Learn more about the “Impact of Data Breaches on Reputation & Share Value” report here.
This article by Tim was first published in Financial Executives International Daily.