According to the reputation risk gurus, corporate reputation matters. It is taken for granted that consumers care that companies take the right positions on subjects of sensitive public interest, sell the right products the right way, and do the right thing in times of crisis. A variety of studies have shown this to be true. Yet an examination of stock performance for some of the highest profile cases of corporate cyber attacks appears to indicate that, in the end, stockholders do not seem to care all that much whether or when a cyber attack was “revealed” to the general public, or what organisational management did or did not do in response. This raises the question: has the “business” of revealing cyber attacks become little more than a short-term stock speculation play?
Consider the cases of Target, Yahoo and LinkedIn. Although approximately 40 million Target credit and debit card accounts were believed to have been compromised between 27 November and 15 December 2013, the company did not reveal that fact until 19 December of that year. Within a week of the announcement the stock had dropped less than 2%. A year later it was up 28%.
Yahoo claimed to have been attacked late in 2014, but did not publicly reveal that hackers had stolen data from what was believed to have been approximately 500 million customer accounts until 22 September 2016 (by December of that year the number was revised upward to in excess of 1 billion users—making it the largest breach in history at the time). Within a week of the announcement, the stock had dropped approximately 4%, but a year later, it was up 50%.
Following its 2012 cyber attack, LinkedIn revealed on 18 May 2016 that an additional 100 million member email and password combinations had been stolen by the same apparent cyber thief. Within a week of the announcement the stock was actually up fractionally, and six months later it had risen 49%.
There certainly seems to be a pattern of stockholders not caring that a breach had occurred, presuming that the problem had been (or would in due course be) resolved, or believing that simply seeing an “acknowledgement” of the problem by the company in question signalled an opportunity to make money in the process. This makes little sense, of course, especially because cyber attacks are so often the result of a failure on the part of senior corporate management to ensure that their organisations had become cyber resilient.
This was especially true in the case of Equifax, in which highly sensitive information about 145 million Americans was exposed, and an announcement of the breach was purposely delayed. After it was announced, the company’s stock price fell 35% in the first week following its revelation. But three months later, a company that should have collapsed because of the severity and implications of its failure to prevent such a security breach found that its stock price was already up 20% from the low.
Cyber attacks can be a matter of bad luck, but organisations that are cyber resilient generally have fewer cyber-related problems, so why would shareholders ignore that fact? This raises other legitimate questions, such as, is the pursuit of a steel-hardened reputation a pseudo-science, and, if a company shows the public that it cares about the environment, has a zero-tolerance policy against corruption, or demonstrates that it believes fervently in transparency, does that mean it is likelier to perform well?
An examination of the 2015 UK TalkTalk cyber breach concluded that the size of a breach, the nature of the dissemination of information about it, the number and type of stakeholders involved, and how quickly and effectively the impacted company acted to correct the breach were all contributory factors in how damaged an organisation’s reputation may become. It also concluded that a single breach may be forgivable, a second was likely to cause concern, and a third would often lead investors to examine the nature of their relationship with the company.
However, many of the most significant corporate cyber security breaches to date impacted huge numbers of people (some with potentially severe consequences for the individuals impacted) and were either repetitive or ongoing for a long period of time, yet the corporate response was almost always wholly inadequate and these organisations continue to thrive.
The conclusion to be drawn from these examples is that despite the increasing number and severity of cyber security breaches, the ongoing failure of corporate C-Suites to effectively and transparently manage them, and the hundreds of millions of people who become victims of cyber breaches each year, incidents of hacking, and the botched responses to them, have become so commonplace that the general public has become numb to their occurrence and impact.
We have all come to expect that yet another high profile, high impact breach will occur at any time, and that we are powerless to prevent them or do anything meaningful about them. Furthermore, so many such breaches have already occurred that many people no doubt presume their most sensitive information has already been breached—whether from a health care provider, financial services institution, third party service provider, or government agency—and that there is little sensitive information left to take from them.
That being the case, reputation risk does not appear to matter vis-à-vis cyber security risk, and perhaps it never did. Who is to blame for that? The senior executives who wilfully mislead the public and their shareholders, or the shareholders who let them get away with it?
Daniel Wagner is CEO of Country Risk Solutions and author of the new book Virtual Terror.