Attacks/Breaches

11/10/2017
01:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Customers Punish Breached Companies

Equifax's 25% reduction in share value and other industry-wide stats show that consumers aren't so apathetic about cybersecurity after all.

Many executives don't take secondary breach costs very seriously: the numbers have long been tricky to pin down and many within the C-suite believe that consumer breach fatigue and apathy about cybersecurity buffer their brand in the wake of a breach.

But growing evidence is showing that customers really do care, and they'll put a wallop on the brand when the circumstances are egregious enough.

This is coming crisply into focus in the wake of the Equifax breach. Yesterday the firm released its third quarter earnings results, along with estimates of primary breach costs like forensic investigation, remediation, and consumer credit reporting. The contrast between the two sets of numbers should act as an example to CEOs and board directors as to the true risk that big breaches can pose to income and business health. 

According to Equifax, breach costs are currently measuring up to approximately $87.5 million. More troubling, though, is the precipitous drop in revenue Equifax experienced in the wake of the breach.

In 2017 the credit reporting agency was flying high with huge quarterly increases in net income. First quarter saw a 25% quarter-to-quarter gain and a whopping 50% gain in revenue compared to first quarter of 2016. Second quarter saw an 8% quarterly gain and a 26% rise in net income compared to second quarter of 2016, up to $165.4 million.

Then the breach made the engines fall off - after the early September announcement, revenue plummeted to $96.3. That is an incredible 42% quarterly drop in net revenue, and a 27% drop compared to the same time period last year. And that's just net revenue: Share value has been similarly ravaged. Since the September 7th breach announcement, the firm has lost just over a quarter of its stock valuation.

The circumstances with Equifax are different compared to mega breaches of the past, where company stock valuations have bounced back fairly quickly. The TJXs and Targets of the world primarily deal in goods and services, but Equifax's core business is in information. Protecting it should be a core competency and customers and shareholders are ticked.

Nevertheless, this event may be still be a global bellwether that shows that consumers and shareholders have had it with all breached companies. Their antennae are up with regard to how companies deal with their private data, and they'll change their behavior if they have evidence that companies aren't doing what they need to protect that data.

Just this week a Gallup poll showed that two-thirds of consumers today worry about hackers stealing their financial information - nearly double the amount of those worried about having their car broken into, being burglarized, or being the victim of terrorism.

Meantime, other market data has bubbled up this year that translates that concern into real brand value impacts for companies that aren't doing their security due diligence. A study in September by YouGov BrandIndex tracked brand scoring of a number of major brands following a mega breach in recent years. Equifax saw the most precipitous drop in brand scoring, but other companies like Anthem Blue Cross, Home Depot, and Ebay all saw attrition to their scores in the wake of a breach.

Meanwhile, earlier this year Ponemon Institute concluded that in a study of 113 companies they suffered an average 5% drop in stock value following the disclosure of their breach. The firm showed that nearly a third of consumers report terminating relationships with breached companies in the wake of the incident.

It's a worry that CMOs and marketing directors at least recognize. Within this audience almost three-quarters say that the biggest cost of a security incident is loss of reputation and brand value. That's way more than the fewer than half of IT leaders who would agree with that sentiment.

"Consumers and shareholders are tangibly holding companies responsible for consumer personally identifiable information (PII), and for data leaks and breaches," says Lisa Baergen, marketing director for NuData Security, a Mastercard company. "Companies need to break past outdated notions. While internal departments debate responsibility, consumers and shareholders are holding the brand responsible – making it everyone’s problem. The tangible economic impacts of breaches will only grow."

 

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
vasukivasudav
50%
50%
vasukivasudav,
User Rank: Apprentice
11/13/2017 | 6:45:45 AM
Good
Nice post thanks for sharing
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...