Forbes states firms spend $36 billion collecting, storing, and analyzing large amounts of customer data annually. These voluminous, valuable datasets give companies an insightful edge, but can also cause costly headaches when “big data” is breached.
Ponemon Institute’s comprehensive Cost of a Data Breach Report for IBM quantifies these headaches. In 2020:
- $3.86 million was the global average total cost of a data breach
- $8.64 million was the US average total cost of a data breach
- Healthcare, education and pharma industries experience the costliest breaches
- Average time to identify and contain a data breach was 280 days
- Speed of containment significantly impacted breach cost
Corporate responses to data breaches vary. In the wake of a data breach, direct costs for organizations include legal fees related to complying with privacy and security breach notification laws. Ransoms paid when a breach involves ransomware are also part of the direct cost of a data breach. Reputational cost can likewise be quantified in the cost of a data breach, as it is reflected in a diminished stock price and loss of business after a breach.
Loss of reputation due to a breach hurts an organization’s bottom line as well. A recent study published by the American Accounting Association, titled “Do Banks Price Firms’ Data Breaches?”, reports that firms that report data breaches are penalized financially by banks when applying for loans. Companies that have experienced data breaches face higher loan spreads (the difference between the interest rate a bank charges a borrower and the interest rate a bank pays a depositor). Their loans are more likely to require collateral (assets the lender accepts as security for the loan) and to carry more covenants (terms and conditions agreed between borrower and lender).
Shared Assessments’ Senior Advisor Bob Jones, who is deeply committed to contributing to the well-being of the financial services community, reflects on the American Accounting report: “I don’t find the researchers’ results surprising. Banks rely on the three C’s when evaluating potential borrowers: Collateral, Capacity and Character. A firm’s demonstration of its inability to protect its customers’ personal information certainly plays into the bank’s evaluation of its collateral and capacity when pricing the credit.”
The American Accounting Association reports that the effect on a bank loan is more profound when a data breach involves criminal activity, results in the loss of a large amount of data, or hits a firm with a strong IT reputation. As state security breach notification laws have become widespread, the impact that breaches have on bank loan terms has also become more significant. When breached firms take appropriate remedial actions following a breach, they see less unfavorable loan terms.
Tom Garrubba, Shared Assessments’ Vice President with 20+ years of experience in IT security and privacy controls, describes the downside to this bank treatment of loans to organizations that have experienced a data breach:
“The downside to such a tactic is that organizations who become breached may be reticent in reaching out to authorities and organizations who can potentially guide them with next steps, thinking that it’s best to keep such breaches quiet so they won’t get hit with such a penalty from their bank.”
Reticence to do the right thing is never a good thing. Hopefully, the evidence from the Ponemon Institute/IBM and the American Accounting Association referenced in this post sufficiently proves that the direct cost and reputation cost of a data breach are reduced by a timely response (the right thing!). Earlier this spring, we provided a framework for communications during crises such as data breaches. That guidance should also help organizations navigate doing the right thing.