BreachExchange mailing list archives

How much do data breaches cost big companies? Shockingly little


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 27 Mar 2015 13:46:44 -0600

http://fortune.com/2015/03/27/how-much-do-data-breaches-actually-cost-big-companies-shockingly-little/?xid=timehp-category

In the last two years, Fortune 500 companies from Sony to Target to Anthem
have experienced major data breaches. Executives have lost their jobs, tens
of millions of consumers have had their credit card and other personal data
compromised, and corporations have frantically tried to contain the damage.
Just last week, Target agreed to pay $10 million in a proposed settlement
of a class-action lawsuit related to a huge 2013 data breach.

But for all the panicky headlines, the boardroom anxiety, and the general
cyber security doom-and-gloom, one important—if counterintuitive—question
seems to have been overlooked: How much does hacking really cost big
companies?

If you dig into the financial performance results of companies hit by some
of the world’s most notorious, disclosed data breaches, a disturbing fact
will strike you: They don’t seem to cost all that much.

That is the stunning conclusion of an analysis by Benjamin Dean, a fellow
at Columbia University’s School of International and Public Affairs.
Dean—who also has a background in accounting—pored over 10-K filings for
Sony, Home Depot, and Target, after
their recent, well-publicized security breaches. Keeping an eye out for
breach-related expenses in these companies’ quarterly financial reports,
Dean discovered that the actual expenses reported by these companies
amounted to less than 1% of each company’s annual revenues.

“After reimbursement from insurance and minus tax deductions, the losses
are even less,” Dean writes on The Conversation, where his post initially
appeared.

A close look at Sony

Sony’s November 2014 hacking led to the disclosure of unreleased movies,
embarrassing internal emails, and personal data—including Social Security
numbers—of 47,000 celebrities and employees. (It was so traumatic and
disruptive to the company that it delayed its 10-K filing.)

Still, Sony estimates its breach’s financial impact has been just $15
million to date “in investigation and remediation costs.” That’s barely a
blip on the radar.

“To give some scale to these losses,” Dean writes, “they represent from
0.9% to 2% of Sony’s total projected sales for 2014 and a fraction of the
initial estimates.”

Dean notes that Sony, in total, anticipates spending $35 million “restoring
financial and IT systems” for the full fiscal year. Further writing off the
breach’s monetary ramifications, the company forecasts: “Sony believes that
the impact of the cyberattack on its consolidated results for the fiscal
year ending March 31, 2015 will not be material.” Translation: <Shrug>.

These numbers are likely not small enough to vindicate Sony Pictures’
former executive director of information security. In 2007, he told CIO
Magazine that “‘it’s a valid business decision to accept the risk’ of a
security breach…I will not invest $10 million to avoid a possible $1
million loss.” But Dean’s analysis does come alarmingly close to making the
minimal-effort stance a defensible position.

The Home Depot hacking also barely made a dent.

Last year’s Home Depot hacking led to crooks pocketing an estimated 50
million customers’ credit card numbers and email addresses, but this
relevant bit from Home Depot’s most recent earnings report shows it had a
negligible impact:

In the third quarter of fiscal 2014, the Company recorded $43 million of
pretax expenses related to the Data Breach, partially offset by a $15
million receivable for costs the Company believes are reimbursable and
probable of recovery under its insurance coverage, for pretax net expenses
of $28 million.

When you do the math, that $28 million “represents less than 0.01% of Home
Depot’s sales for 2014,” Dean points out.

And what about Target?

Target’s hacking in late 2013 resulted in the theft of 40 million payment
cards and 70 million other records, including customers’ email addresses
and phone numbers. The security breach was considered so severe that the
CEO felt compelled to resign.

And yet, Target, in its latest filing, lays out in great detail the tolls
of its breach:

The Company incurred breach-related expenses of $4 million in fourth
quarter 2014 and full-year net expense of $145 million, which reflects $191
million of gross expense partially offset by the recognition of a $46
million insurance receivable. Fourth quarter and full-year 2013 net expense
related to the data breach was $17 million, reflecting $61 million of gross
expense partially offset by the recognition of a $44 million insurance
receivable.

To sum the math up, Target’s gross expenses totaled $252 million, insurance
compensation brought that down to $162 million, and further tax deductions
yield a final $105 million. While larger than either Home Depot’s or Sony’s
outlay, the final amount is not so wounding in the grand scheme of things.

“This is the equivalent of 0.1% of 2014 sales,” Dean notes.

“To the companies themselves, this seems like a rounding error,” he told
Fortune on a call from Australia. “It’s certainly not a huge loss when
compared to their annual revenues.”

To invest or not to invest in security

To be sure, this analysis has generated criticism. Matthew Rosenquist, an
information security strategist at Intel, argues Dean’s
analysis has several problems. First, he notes Dean uses revenues rather
than profits as the key metric. “It can make a lot of difference to
management if an attack consumes a big chunk of your profit or worse,
pushes you from the green into the red side of the ledger,” he writes on a
company blog.

Rosenquist also stresses the hidden costs of a breach: rising insurance
premiums, damage to third parties, sinking customer goodwill and trust.
Most importantly, he writes, failing to invest in security is strategically
myopic; without ensured stability, a business may as well be committing
corporate suicide.

Dean acknowledges that over time consumer faith may erode, but he says, for
now, “You can’t see losses and effects on the bottom line in terms of
reputational damage.”

Actually, Rosenquist and Dean don’t differ greatly in their conclusions.
“Regardless of the way we measure it, or whether we look forward or
backward, we agree on the central point that companies need to invest in
information security,” Dean told Fortune, responding to Rosenquist’s
criticisms by email.

Turns out Dean is not an apologist for the willfully, digitally indisposed.
He says he believes corporate networks need buttressing—even if data
breaches don’t hurt companies’ bottom lines. Moreover, he believes the
incentives for buttressing corporate networks need buttressing. And until
corporations are held more accountable for these breaches—not with $10
million slaps-on-the-wrist—but with, well, he isn’t quite sure what yet,
companies won’t make the big investments in information security needed.

So, is security worth the investment? Here’s Dean’s take:

"We need to get back to what the hard evidence says. What are the verified
losses and impact, as opposed to speculation in some cases? It’s not quite
fear-mongering. We need to ground our analysis in how big a problem this
is. Once we’ve ascertained how big a problem it is, we can figure out what
to do about it, and have an open and informed discussion. Right now that’s
not happening. I’m not seeing hard evidence used to back up claims. If that
discussion is happening, it’s not open."

Consider the conversation started.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 