[BreachExchange] Data breaches often result in CEO firing

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 7 19:58:32 EST 2016


http://www.csoonline.com/article/3040982/security/data-breaches-often-result-in-ceo-firing.html

What are the real world risks of a cyber security breach to CEOs and their
company? We will explore the issues of reputational damage, incident cost,
stock price impact, and increased regulatory attention. We will also
discuss the fate of four CEOs who have faced cybersecurity breaches in the
past three years.

According to Warren Buffett, "It takes 20 years to build a reputation and
five minutes to ruin it. If you think about that, you'll do things
differently." The “2015 Cost of Data Breach Study: Global Analysis” from
the Ponemon Institute shows that companies suffer a higher churn rate,
increased customer acquisition costs, reputation losses and diminished
goodwill due to an information security breach.

The 2015 Information Security Breaches Survey, conducted by PwC, states:
“When asked what made a particular incident ‘the worst’, 16 out of the 39
organisations who responded cited that it was the damage to their
reputation which had the greatest impact. This is an increasing trend, up
from 30 percent of respondents in 2014 to 41 percent this year.”

Lastly, from the Global Risk Management Survey 2015, quoting Greg Case, CEO
of Aon, “For the first time since 2007, damage to brand and reputation has
emerged as the top-ranked risk in our survey. Interestingly, cyber risk has
entered the top 10 for the first time this year. The connection between
these two risks has been felt around the world in 2014, as a rash of data
breaches demonstrated the fragile nature of consumer trust in leading
corporations.”

An information security breach will rob a company of its good name and
customers, increase new customer acquisition costs and decrease
opportunities. The damage may also be compounded by individual or class
action lawsuits from former customers. Consumers are now aware of the
negative impact identity theft can have on their lives and are voting with
their pocketbooks in increasing numbers.

Incident cost

According to the Ponemon Institute, the average total cost of a data breach
for the participating companies increased 23 percent over the past two
years to $3.79 million. The PwC 2015 Information Security Breaches Survey
showed much the same trend: “the survey did find that the total cost of
dealing with incidents continues to increase. Looking at the single worst
breach suffered, the costs to large organisations range from just under
£1.5 million (£1,455,000) to £3.14 million. For small organisations, the
range starts at £75,200 to £310,800. These figures account for activities
such as business disruption, days spent responding to an incident, loss of
business, regulatory fines and loss of assets.”

To put the escalating cost of cyber breaches into perspective, the Center
for Strategic and International Studies estimates the annual cost of
cybercrime and economic espionage to the world economy may be as high as
$445 billion. That is nearly 1 percent of global income.

If there is a bright side to information security breaches, it is that they
usually only affect stock prices for a very short period of time, if at
all. In an article from Harvard Business Review, “Why Data Breaches Don’t
Hurt Stock Prices”, Elena Kvochko and Rajiv Pant assert that “Overall,
stock prices during and following the high profile security data breaches in
the past several years have decreased slightly or quickly recovered
following the breach.” This has been shown to be true for three of the
highest profile information security breaches; however, we have a more
recent example where that rule has not held true for the short and near
term.

As you can see from the top three companies, short and near term impact to
the stock price was limited or non-existent. TalkTalk is an outlier
possibly due to the manner in which the company handled the incident,
cultural differences in attitudes towards privacy and the significant
customer churn created by the breach. TalkTalk is a British
telecommunications company which provides Internet access, pay television
and mobile network services to businesses and consumers. In a report on
customer confidence from Kantar Worldpanel, Imran Choudhary, Consumer
Insight Director states:

"Customers have lost faith in TalkTalk as a trustworthy brand. The provider
saw its share of the home services market fall by 4.4 percentage points
quarter on quarter in terms of new customers, only 1.4% of whom gave
reliability as a reason for joining the provider in the last three months –
well below the market average.

"TalkTalk continues to offer some of the most attractive promotions across
the home services market and almost a third of its new customers did choose
it for this reason, but there can be no doubt that it lost potential
customers following the major data hack. If it’s to recover from recent
events TalkTalk will need to offer more than just good value."

At this point, there have been five arrests in relation to the TalkTalk
breach of October 2015, with suspects ranging in age from 15 to 18 years.
Time will tell if the TalkTalk breach continues to negatively impact
the company’s share price and its bottom line.

Regulatory attention

Under HIPAA alone, health information privacy complaints have risen from
6,534 in 2004 to 17,779 in 2014. At the end of October 2015 the complaints
received by Health and Human Services totaled 123,065. That is a 592
percent increase without two months of additional data. The UK’s
Information Commissioner reports similar challenges for 2015, “There was a
44% rise in the number of data security incidents in the health sector
compared to the previous quarter (from 193 in the first quarter to 278 in
the second quarter). The health sector continued to account for the most
data security incidents. This was due to the combination of the NHS making
it mandatory to report incidents, the size of the health sector, and the
sensitivity of the data processed.”

Regulatory attention increases the likelihood of fines and an additional
cycle of negative publicity. Even with increased regulatory attention and
negative press, fines are still relatively rare when compared with the
volume of breaches reported. Regulators have been warning that information
security breaches will see increased scrutiny and higher fines. Last year’s
record breaking fines from the US Federal Communications Commission and
recent enforcement action from the US Federal Trade Commission have shown
these warnings to be far from idle.

The CEO’s Fate

Target: On May 8, 2014, Forbes reported that Target CEO, President and
Chairman Gregg Steinhafel resigned from all his positions, “Following The
Massive Data Breach And Canadian Debacle”. In this instance, Steinhafel’s
departure from Target may not be solely attributed to the Target breach but
also to a poor outcome with Target’s failed expansion into the Canadian
market.

Home Depot: Frank Blake announced his retirement as CEO, shortly before the
September 2014 breach came to light. He could have easily dropped the
incident in the lap of the incoming CEO, but he didn’t. He captained Home
Depot through the choppy waters of this incident with great skill. The
company’s share price didn’t skip a beat; however, in February 2015, he
stepped down as chairman of Home Depot as well.

Sony: In a Feb. 12, 2015 article from the Huffington Post, Amy Pascal,
former CEO of Sony, openly admitted that she was fired as a direct result
of the December 2014 breach.

TalkTalk: Dido Harding is currently the CEO of TalkTalk. Recently the
company disclosed the October 2015 cybersecurity incident cost them over
100,000 customers and a financial loss of £60,000,000.00 (US
$83,132,024.00). This comes on the back of the recent announcement of three
Wipro employees arrested for hacking TalkTalk.

Summary

Information security breaches directly affect the reputation of a business,
but it is unclear how detrimental that is to the bottom line. Only TalkTalk
suffered significant reduction in their share price. There is little doubt
that heavily publicized information security breaches will draw the
attention of regulators. There is less certainty that attention will result
in a significant fine. The impact of the cybersecurity breach on the CEOs
of Target, Home Depot and Sony was more severe than the impact on their
companies. They were no longer in their positions within six months of the
breach. The apparent six-month window is still open for TalkTalk’s CEO. The
long-term risks of an information security breach to companies appear to be
changing, but the near-term risk to corporate CEOs seems clear.