Data breaches can be devastating to any business. Whether it’s a high-profile attack on a large public company or a smaller-scale breach at a private organization, the fallout of this growing threat has rightfully put cyber security at the top of most companies’ lists of priorities.
So it was surprising to read a recent Fortune article headline: “How much do data breaches cost big companies? Shockingly little.” If the title of the article is accurate, does that mean we’ve blown this whole notion of cyber security and the financial impact it may have on companies completely out of proportion?
While the headline is surprising, the article doesn’t minimize the importance of cyber security. It summarizes the work of Benjamin Dean, a Columbia University professor who analyzed the financial records of three companies with arguably the most significant data breaches in history: Target, Home Depot and Sony.
Going through their quarterly financial reports in great detail, Dean tallied the breach-related expenses for each of the companies. What he found was that the Target and Home Depot expenses amounted to less than 1% of each company’s annual revenue. “After reimbursement from insurance and minus tax deductions, the losses are even less,” Dean wrote on The Conversation, where he first published his findings. In the case of Sony, the losses represented from 0.9% to 2% of Sony’s total projected sales for 2014. And, interestingly, the film at the center of the storm seems to have broken even as a result of all the publicity.
But as the author of this article and other critics of Dean’s analysis point out, the analysis has some problems. First, he uses revenues rather than profits as his key metric. One critic says a breach could be the difference between whether a company’s profits are in the green or the red.
Even more notably, Dean never addresses the hidden costs associated with the data breaches at Target or Home Depot. After a cyber attack, a retail or financial services company is likely to see an increase in its insurance premiums and a hard hit to its reputation among consumers and other interested parties. All of this can—and likely will—have a significant financial impact over the long term that is not part of the calculation.
To be fair, Dean correctly points out that many of the costs arising from a data breach are not actually incurred by the company that was hacked. Each individual whose information was accessed can be significantly inconvenienced. Debit and credit card providers incur substantial costs in replacing compromised cards, and will pursue claims against companies that fail to adequately protect their customers’ financial information. Last week, Target settled the lawsuit with MasterCard International for $19 million for its claims arising from the December 2013 breach, although that settlement hinges on 90% acceptance by the affected card issuers.
So, while the costs to investigate and remediate a breach tell part of the story, the reality is that cyber attacks continue to pose a serious threat to companies and to the individuals whose information is accessed. The immediate financial costs a company incurs after a breach aren’t the end of the story. They’re almost always just the beginning.