Data security breaches can negatively impact an entire organization – including sales, marketing and IT – and have a significant negative impact on company finances and shareholder value, according to a new Ponemon research study.
Specifically, the study found that the stock value index of 113 companies declined an average of five percent the day the breach was disclosed, and that the companies experienced up to seven percent customer churn. What’s more, thirty-one percent of consumers impacted by a breach stated they discontinued their relationship with an organization that experienced a data breach.
While the study found a data breach has a significant impact on brand reputation, a surprising 66 percent of IT practitioners don’t believe their company’s brand is their responsibility.
“Data breaches are very real business and bottom line concerns. This reality was recently seen when a popular fast food chain’s stock rose as much as 6.8% after reporting better than expected Q1 earnings, but then saw its gains chopped in half when it revealed it had a breach. The fallout can be significant and may even be a reason to relieve the C-Suite of its duties,” said Tom Kemp, CEO of Centrify.
Miscalculation of security risk on shareholder value
The Ponemon study found a direct correlation between a data breach and stock decline, customer churn and revenue loss and the organization’s security posture. The following findings are based on a sample of 113 companies that experienced a material data breach.
On the day a breach was disclosed, the share value index dropped an average of five percent:
- Companies with a poor security posture were found to drop as much as seven percent and, 120 days following a breach, had not fully recovered the share price they enjoyed immediately prior to the breach.
- Companies with a high security posture saw a decline of no more than three percent. And, 120 days following the breach, these companies were found to have successfully rebounded, showing a three percent gain over the stock price prior to the attack.
Organizations with a poor security posture experienced an increase in customer churn of up to seven percent, which can amount to millions in lost revenue.
Thirty-one percent of consumers impacted by a breach stated they discontinued their relationship with an organization that had been breached, and 65 percent lost trust in that organization.
Blind spots in the C-suite with costly consequences
The study showed a data breach has a significant impact on brand reputation, but the internal disconnects illustrate vulnerabilities across the organization.
- More than half (56%) of IT practitioners are not confident they have the ability to prevent, detect and resolve the consequences of a data breach and more than half fear a breach will cost them their job. By contrast, 63 percent of CMOs are far more optimistic their company would quickly recover from a serious breach.
- Eighty percent of CMOs and IT practitioners have a blind spot on the impact of a breach on a company’s stock price. Only 20 percent of CMOs and 5 percent of IT practitioners say they would be concerned about a decline in their companies’ stock price. In organizations that had a data breach, only 5 percent of CMOs and 6 percent of IT practitioners say a negative consequence of the breach was a decline in their companies’ stock price.
- A data breach outranks a scandal involving the CEO. Breaches rank in the top three most negative impacts to brand reputation following terrible customer service and environmental disaster.
- 45 percent of IT practitioners and 42 percent of CMOs don’t believe that brand protection is taken seriously in the C-suite.
Alarming reality for consumers
There is a disconcerting gap between consumer expectations and corporate perspective when it comes to the protection of customers’ personal information.
- Eighty percent of consumers believe organizations have an obligation to take reasonable steps to secure their personal information. However, only 65 percent of CMOs and 64 percent of IT professionals agree.
- Seventy percent of consumers believe organizations have an obligation to control access to their information, but fewer than half of CMOs and IT security practitioners believe this is an obligation.