“It takes 20 years to build a reputation and five minutes to ruin it,” stated Warren Buffett.
While I don’t dispute Mr. Buffett’s business wisdom overall, I wonder — does this still hold true for business reputation in the era of the mega breach?
It’s logical to assume that a breach — of both customer trust and records — will correlate directly with a damaged reputation, but is that still the case? Is corporate reputation overrated? That certainly seems to be the case when a new data breach hits the headlines every other day.
When Target, Sony, and Anthem hit news headlines with massive data breaches, reputation was one of the first things on the chopping block. The reasonable fear is that consumers would see this as a breach of trust and move away from those brands. While that is true from a micro view into the event, nearly five years later it is but a blimp on the radar for these companies. Take the Target breach in 2013: by the end of 2014 the amount of breach-related costs totaled around [$105 million], which represents about 0.1% of 2014 sales. Now in 2017, Target is still dealing with the fallout of the breach, with total costs after credit provider and state litigation settlements nearing _)_ [$300 million].
As data breaches are sadly becoming a “cost of doing business,” they are beginning to have little to no effect on the long-term reputation of larger companies.
The Haymaker . . .
Let’s step back to the macro view. How is Target’s reputation in relation to its customers?
I’d argue it equates to a “shrug;” I know I still do my shopping at Target and I have not found any Target goer that has switched to Walmart because they no longer trust Target with their data. I just don’t think consumers care past the short-term outrage. The question becomes: is perceived reputational damage the real concern?
Reputational costs can include some or all of the below:
◦ income loss
◦ Lost business
◦ Customer churn
◦ Reduction in stock price
◦ Reduction in valuation
◦ Free or discounted services to victims
◦ Increased transaction fees, mainly associated with the Payment Card Industry Data Security Standard (PCI DSS)
◦ Lost business
◦ Customer churn
◦ Reduction in stock price
◦ Reduction in valuation
◦ Free or discounted services to victims
◦ Increased transaction fees, mainly associated with the Payment Card Industry Data Security Standard (PCI DSS)
If we continue to single out the Target breach and apply some simple math, I believe we can get an approximation of reputational damage for the breach. The 2016 Ponemon Cost of Data Breach Study report shows reputational damage amounts to about 48.6 percent of the cost of a compromised record. Currently, according to the Ponemon report a compromised PCI record in the U.S. costs $189. To make this simpler, let’s use PCI record cost for the 40 million customer records compromised in the Target breach. Taking Ponemon’s percent-of-record cost associated with reputation puts us at $91.85 for a compromised PCI record is associated with reputational damage.
The Side Step . . .
Giving Target the benefit of good control implementation and moderate residual risk and modeling costs over 40 million records gives us . . . (cue drumroll) a total in reputational cost for the Target breach of approximately $60 million. This is less than 1 percent of 1 percent of Target’s $69 billion annual revenue recorded in Target’s 2016 Annual Report. Target can legitimately consider that a rounding error in terms of total impact.
A caveat:reputational damage most likely has significantly more impact on small- to medium-size businesses than it does to a company like Target who has market striation and the wherewithal to absorb reputational breach damage.
Damaged reputation from a data breach sounds logical.
From a consumer standpoint, I think most people would like to feel that companies who neglect to properly protect our information feel the sting of the consumer outcry. However, despite reports and “the protection of reputation” being bandied about to justify security, the argument just doesn’t hold water when analyzing the actual cost associated with reputational damage.
I would say more accurately it is the actions and the behavior of a company during and after a breach that makes or breaks consumers’ perceived loyalty, not the actual hard cost associated with reputation.
Don’t misunderstand me: measuring reputation risk is an essential component to overall cyber risk but the truth is in the data.
As data breaches are sadly becoming a “cost of doing business,” they are beginning to have little to no effect on the long-term reputation of larger companies.
If data breaches don’t tarnish corporate reputation, what does? An oldie but goodie — service interruption. From a pure cost perceptive, service interruption can quickly outpace data breach impacts. Additionally, the reputational damage can be more long-term as the potential for loss of market share to competition is very real.
This is uniquely true in specific industries where access to services, customers, and efficiency through automation are what your reputation (and business) is built upon. Though perhaps not as flashy as data breaches, I believe business interruption is where big business will feel it in the future.