How Data Breaches Impact Company Valuations

October 14, 2019 10:52 am Geraldine Strawbridge

As data breaches become increasingly common, it’s not a matter of ‘if’ an organisation is going to be attacked but ‘when’. 2018 was a landmark year for data breaches but, according to a Risk Based Security research report, the first six months of 2019 have already seen more than 3,800 publicly disclosed breaches exposing more than 4.1 billion compromised records.

There appears to be no let-up in the continual stream of data breaches, and if anything, they are increasing in frequency and severity. The attacks have become more complex as cybercriminals use sophisticated techniques to circumvent security defences and gain access to valuable corporate data.

The consequences of a data breach have become all too real, and many organisations are now acutely aware of the damage that could result from a costly data breach. The recent fines imposed on British Airways and Marriott have served as a timely reminder of just how seriously the ICO intends to take GDPR violations.

How are breached organisations affected?

A data breach can cause irreparable damage and the effects can be long-lasting. In addition to the large fines that can be imposed as a result of non-compliance, organisations may face further costs from operational downtime, implementing new security measures and compensating affected customers.

A breach may also significantly impact consumer trust and damage brand reputation. The unfortunate reality is that many consumers will simply lose confidence in a business if they believe their data is not being properly protected.

All these factors can significantly affect a company’s valuation. A prime example of this was the 2013 Yahoo data breach. Over 3 billion user accounts were compromised, exposing sensitive customer information including email addresses, passwords, telephone numbers and birth dates.

The breach came to light in 2016 when the company was about to be bought by US telecoms company Verizon. The acquisition went ahead, with Verizon buying Yahoo for a discounted rate of $4.48 billion, around $350 million less than the original asking price.

A recent report by professional body (ISC)2 also highlighted the impact that a data breach can have on a company’s valuation. The research revealed that companies can significantly drive down their value by mismanaging data breaches.

250 US-based mergers and acquisitions experts were surveyed in the report, and 49% of those experts had seen a merger or acquisition agreement fall through as a result of a data breach. In addition, 86% of respondents said that if a company publicly reported a breach in its past, it would detract from the allocated acquisition price.

However, 77% said that they had previously recommended one company to be acquired over another because of the strength of its Cyber Security program, and 96% said that Cyber Security readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.

The study shows that while most companies would rather not experience a breach, if they have taken steps to handle it well, adjusted policies and processes, and improved their overall security posture, they will be looked at more favourably by financiers and business leaders.

A robust Cyber Security awareness program is key in mitigating risk and preparing for the inevitable. If organisations invest in Cyber Security and can demonstrate they have taken all the necessary steps to protect their data, they are unlikely to face the full wrath of the regulators, and their company valuation may not be as adversely impacted as that of companies that have done nothing.

Best Practices to Avoid a Data Breach

  1. Staff Training – Instilling good Cyber Security habits in your staff is the best way to defend your organisation from attack. 60% of the 4856 personal data breaches reported to the ICO in the first half of 2019 were the result of human error. Organisations tend to focus on external threats, but often it’s their own employees that pose the biggest security risk. A comprehensive security awareness campaign that utilises a range of tools and techniques is the best way to engage staff and educate them on the evolving threat landscape.
  2. Update Security Software – Security software should be regularly updated to prevent hackers from gaining access to networks through vulnerabilities in older and outdated systems. This is exactly how hackers were able to access the data of over 143 million Americans in the infamous Equifax Data Breach in 2017. A fix for this vulnerability was made available two months before the breach, but the company failed to update its software.
  3. Regular Audits and Risk Assessments – The GDPR specifies that organisations must conduct regular audits of data processing activities and comply with a set of data protection principles that will help safeguard data. This will ensure that a suitable framework is in place that will keep personally identifiable information of customers secure and mitigate any risks. The implementation of an effective policy management system will enable organisations to demonstrate compliance with legislative requirements and effectively target the areas that present the highest risk to data security.
  4. Password Safety – One of the easiest ways for hackers to gain access to sensitive company systems is to guess passwords. For extra security, users should create a passphrase, which is a password composed of a sentence or combination of words. The first letter of each word will form the basis of the password, and letters can be substituted with numbers and symbols to add a further line of defence. Two-factor authentication (2FA) will also provide an additional layer of security to accounts. In addition to a password, 2FA requires a second piece of information to confirm the user’s identity. This could be a security question, fingerprint or a one-off code.