Data breaches harm companies, but not in the way you might think
Rod Smith is a Professor of Accountancy. Below is the summary of his recent research published in Journal of Information Systems.
A data breach, according to the Privacy Rights Clearinghouse, is a “security violation in which sensitive, protected or confidential data is copied, transmitted, viewed stolen or used by an unauthorized [sic] individual.” So far this year, more than a dozen major incidents have occurred. These have put at risk over 30 million records – which included such personal information as computer log-on passwords, credit card numbers, Social Security identification numbers and confidential medical files. Capital One, one of the major U.S. financial institutions, said in July of this year that it had suffered a major data breach involving the records of more than 100 million customers – or roughly one-third of the U.S. population. And this attack did not even reach the top five breaches occurring this year.
Corporations worldwide are worried about data breaches, as well they should be. Having its confidential information compromised can cost a company dearly, through lawsuits, legal fees, fines (at both the federal and state level) and the expense of revamping its data processing systems in the hope of preventing future successful attacks. In addition, such a breach can hurt a company’s efficiency, intellectual property and good name. For example, in 2017 Equifax reported a successful hack that compromised the records of more than 140 million Americans, and the company’s stock plummeted 18.4 percent.
This problem is not limited, of course, to U.S, corporations. Companies throughout the world have suffered similar attacks. And yet many firms fail to invest sufficient resources to safeguard their data. Given the potentially disastrous consequences of a successful cyberattack, why isn’t more money being spent on defensive measures?
In an effort to find answers to this question, we examined the likely costs for a company suffering a successful cyberattack. These were divided into four categories: stock price changes, internal economic indices of performance, the cost of fees (such as audits), and mandatory reporting of internal control material weaknesses.
A considerable body of research exists concerning each of these factors separately, but only a small number of studies have looked at several of these areas together, or have involved a large number of companies. Some scholars have argued that stock price is not a valid measure of a breach’s impact, because stockholders do not fully understand the significance of what has occurred. This study looks at all four of the economic factors, both separately and together.
As it turns out, the impacts of cyber attacks on most companies have proven to be of minimal significance. Stock prices of the affected firms dipped slightly in the period immediately after the announcement that a breach had taken place, but the differences between the stock value of afflicted companies and those that did not suffer a cyberattack disappeared after only a few days. For the other three criteria mentioned above, no significant difference was found between afflicted firms and their counterparts who did not experience cyberattack. The only differences we found involved catastrophic breaches which are, fortunately, quite rare.
This is not to suggests that cyberattacks have no economic impact, since they cost the U.S. economy between 57 and 106 billion dollars in 2016 (according to a 2018 Council of Economic Advisors report). However, the adverse effects mostly involved national economies or individual investors.
The conclusions of our research should be of interest to analysts, auditors, executives and investors, all of whom should be very interested to learn that the consequences of data breaches for individual companies appear to be relatively insignificant. Our research should also help to explain why so few major firms are willing to spend a great deal of money on cyber defense measures. As Jason Spaltro, head of information security at the Sony Corporation recently stated, “It’s a valid business decision to accept the risk of a security breach…I will not invest $10 million to avoid a possible $1 million loss.” Thus, the current concern about data breaches, at least at the corporate level, probably comes down to “Much ado about nothing.”
