As data breaches become increasingly common, it’s not a matter of ‘if’ an organisation is going to be attacked but ‘when’. 2018 was a landmark year for data breaches, but according to a Risk Based Security research report, the first six months of 2019 have already seen more than 3,800 publicly disclosed breaches exposing more than 4.1 billion compromised records.
There appears to be no let-up in the continual stream of data breaches, and if anything, they are increasing in frequency and severity. The attacks have become more complex as cybercriminals use sophisticated techniques to circumvent security defences and gain access to valuable corporate data.
The consequences of a data breach have become all too real, and many organisations are now acutely aware of the damage that could result from a costly data breach. The recent fines imposed on British Airways and Marriott have served as a timely reminder of just how seriously the ICO intends to take GDPR violations.
A data breach can cause irreparable damage and the effects can be long-lasting. In addition to the large fines that can be imposed as a result of non-compliance, organisations may face further costs from operational downtime, implementing new security measures and compensating affected customers.
A breach may also significantly impact consumer trust and damage brand reputation. The unfortunate reality is that many consumers will simply lose confidence in a business if they believe their data is not being properly protected.
All these factors can significantly affect a company’s valuation. A prime example of this was the 2013 Yahoo data breach. Over 3 billion user accounts were compromised, exposing sensitive customer information including email addresses, passwords, telephone numbers and birth dates.
The breach came to light in 2016 when the company was about to be acquired by US telecoms company Verizon. The acquisition went ahead, with Verizon buying Yahoo at a discounted price of $4.48 billion, around $350 million less than the original asking price.
A recent report by professional body (ISC)2 also highlighted the impact that a data breach can have on a company’s valuation. The research revealed that companies can significantly drive down their value by the mismanagement of data breaches.
The report surveyed 250 US-based mergers and acquisitions experts, and 49% of those experts had seen a merger or acquisition agreement fall through as a result of a data breach. In addition, 86% of respondents said that if a company publicly reported a breach in its past, it would detract from the allocated acquisition price.
However, 77% said that they had previously recommended one company to be acquired over another because of the strength of its Cyber Security program, and 96% said that Cyber Security readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.
The study shows that while most companies would rather not experience a breach, if they have taken steps to handle it well, adjusted policies and processes, and improved their overall security posture, they will be looked at more favourably by financiers and business leaders.
A robust Cyber Security awareness program is key in mitigating risk and preparing for the inevitable. If organisations invest in Cyber Security and can demonstrate they have taken all the necessary steps to protect their data, they are unlikely to face the full wrath of the regulators, and their company valuation may not be as adversely impacted as that of companies that have done nothing.