It seems we have become desensitized to the massive security breaches occurring on a routine basis.
One of the obvious metrics for assessing the impacts of a massive cyber security breach is the company’s stock price. From an economic perspective, subsequent to breach disclosure there are precipitous drops in the company’s stock price, but they soon climb back up the chart to a respectable price per share.
From a personnel perspective, in some cases, there is little accountability and few consequences for the breaches.
This article examines the economic and personnel impacts of two major breaches.
The Equifax hack provides an example of a completely preventable incident that adversely affected millions of people. Headquartered in Atlanta, Georgia, Equifax (EFX) is publicly traded on the New York Stock Exchange (NYSE) and operates with four lines of business: U.S. Information Solutions (USIS), International, Workforce Solutions, and Global Consumer Solutions. A global company, Equifax serves state and federal customers as well as customers in financial service, mortgage, employers, consumer, commercial, telecommunication, retail, automotive, utility, brokerage, healthcare, and insurance industries.
Now that we have set the stage, let’s turn back the clock to August 28, 2017, when EFX’s stock price closed at $141.59. After announcing the security breach on September 7, 2017, EFX stock plummeted and closed on September 11, 2017, at $92.98 – a loss of almost $50.00 per share. As expected, there was finger pointing and general “wailing and gnashing of teeth”.
In a September 15, 2017 press release, Equifax announced that the Chief Information Officer and Chief Security Officer were “retiring”, effective immediately. Equifax came under more criticism when it was discovered that CSO Susan Mauldin’s LinkedIn profile was made private and depersonalized by replacing her last name with “M”. Screen captures of her profile made previous to the “scrubbing” revealed an educational background with undergraduate and graduate degrees in music/fine arts and no industry-recognized cyber security professional certifications.
On September 26, 2017, the Equifax CEO who oversaw the data breach subsequently “retired,” although the departure was enacted with the potential for a $90 million payout. To make matters worse, on March 14, 2018, federal prosecutors charged a former CIO of an Equifax business unit with insider trading when he dumped his shares of EFX prior to the breach being made public.
Getting back to the stock market, approximately one year after the announcement of the breach, EFX clawed its way back to close at nearly $137.00 per share on September 10, 2018. This was down only $9.00 per share off its 5 year high of $146.00 per share at the July 31, 2017 NYSE close and $4.00 from just prior to the breach disclosure. EFX took another precipitous nosedive from September 10, 2018 to December 17, 2018 when it closed at $91.00 per share down a whopping $46.00 per share from the September 10, 2018 close – even lower than after the breach was announced.
The cause for the drop is largely attributable to normal business pressures – EFX stock fell 22.3% in October 2018 due to poor sales and earnings performance. But an early December 2018 report on the breach issued by the U.S. House of Representatives’ Oversight Committee re-opened wounds that had not yet entirely healed. The report indicated that besides the failure of Equifax to patch for an Adobe struts vulnerability, hackers found a file containing unencrypted usernames and passwords, and found that network traffic monitoring systems that may have detected the data exfiltration were inoperable due to an expired security certificate.
As of June 7, 2019, EFX closed at $130.17 per share. And to date, no one has gone to jail!
On November 30, 2018, Marriott International (NYSE - MAR) disclosed a massive security breach of the reservations system for its Starwood Hotels and Resorts brand, a hack it said Friday may have compromised private info on up to 500 million guests. According to Marriott, for around 327 million Starwood guests, the database included personal information such as name, mailing address, phone number, email address, passport number, date of birth, and gender. For some Starwood customers, the hacked database also stored payment card numbers and expiration dates, although Marriott said that information was encrypted. Security researches later discovered that Marriott’s Starwood network had experienced unauthorized access since 2014!
In looking at MAR’s 2-year stock chart, the beginning of 2018 saw a peak stock price of $147.00 at the market’s close on January 22, 2018. MAR stock was already declining due to normal business and market pressures, as displayed during the month of February 2018 where two NYSE sessions reflected 1,000-point drops due to inflation fears. However, MAR’s stock price reflected the market’s reaction to the breach disclosure when the stock price bottomed out at $103.00 per share on December 1, 2018. From this bottom, the stock began a steady incline. It peaked at $140.00 per share on April 29, 2019 and recently closed at $133.00 per share on June 10, 2019.
Marriott was sued hours after announcing the data breach, with one class-action lawsuit seeking $12.5 billion in damages. But in this case, no one has lost their job as a consequence of the breach.
Generally, data breaches incur two cost impacts - direct costs and indirect costs which translate into other breach impact measures such as a company’s:
- Profitability – Negative cash flow impacts due to legal costs and other adverse consequences from customers, investors, business partners, and employees. (Direct costs)
- Indirect costs - Risk factors and a company’s information environment “capture the impact of a security breach on the cost of capital due to new uncertainties with regard to the magnitude and implication of future legal sanction, possible restructuring costs, executive turn over, and changes in the terms with customers and suppliers.
In summary, considering typical market and economic pressures, a victimized company’s stock price usually plummets but then claws and climbs its way back to respectable levels. Following finger pointing and public shaming, often a few company principals are “fired” in some manner (whether it’s spun as retirement or resignation) – but sometimes, nothing happens at all.
The question is, are we being desensitized to security breaches? Do we now consider breaches an inevitable part of “doing business” – merely nuisance events with inconsequential economic effects on victimized firms?
This may be the case. But, perception aside, it’s clear that companies and the public benefit when CISOs strive for better incident response – so let’s keep fighting the good fight, regardless of the market consequences.
Share This Article