
The Other Costs of a Data Breach

It is an understatement to point out that companies that suffer a data breach face substantial financial costs. Direct costs include the expense associated with breach detection, notification, and remediation, while indirect costs focus primarily on damage to brand image, customer trust, and implications to business and market share. As The Ponemon Institute calculated in a 2017 assessment of breach-associated costs, the costs associated with the average breach are substantial: $1.07 million for detection and escalation (forensic auditing, for example), $690,000 for notification and compliance, and $1.56 million for post-breach costs (legal expenditures and additional protection services, for example).  In a case like Equifax’s breach in 2017, these costs rise exponentially; the Equifax case has been estimated to have cost the company over $700 million.   

But as a recent study published in The Accounting Review shows, breached companies also face significant long-term financial costs that are likely to keep CFOs awake at night, most notably potentially crippling increases in the cost of capital. As the researchers note, this pressure is often an unseen and under-discussed cost of a data breach that “can be substantial for a firm and may dwarf the known direct costs.” Most of this damage comes through increases in default risk and information risk. As the study explains:

First, direct and indirect costs (e.g., reputation loss) lead to lower and more volatile earnings, increasing default risk. Second, increased information risk also leads to unfavorable bank loan terms. Banks, as creditors, rely on information generated by borrowers’ internal information systems to assess their health and viability. Data breaches could indicate weak operational control risk and a flawed internal information system.

More specifically, breached companies face, on average, a 22 percent higher loan spread and a 40 basis-point increase in borrowing costs as well as a 25 percent increase in loan covenants.  

The Deciding Factors

Based on a study of 1,081 bank loans to publicly traded companies over a dozen years, the study shows that although higher lending costs applied to breached companies across industry sectors, the impact is felt hardest by companies that are often considered highly vulnerable to a cyberattack: healthcare, business and financial services, and transportation. Because these industries are so tightly regulated, and their customers are potentially more sensitive to the breach of personal information, these companies incur higher direct costs after a breach occurs and face a higher default risk when approaching lenders.

Other factors that feed into lenders’ impact assessments include:

  • The number of customers impacted. The more data files that are negatively impacted, the higher the direct and reputational costs. When more records are compromised, lenders are concerned that the company might have internal control issues, which in turn leads to greater increases in the loan spread and a likely increase in collateral requirements.
  • Whether the breach stemmed from hacking or employee error. Criminal breaches (credit card hacking or malware) are more difficult to detect and contain and have a higher cost per capita than other types of breaches. Accordingly, criminal violations are most associated with higher default and information risks.
  • Whether the company has a reputation for strong internal controls. In that case, lenders undertake a deep reassessment of previous risk audits. According to the study, “for firms with a high IT reputation, a data breach presents disconfirmatory evidence on their IT capability, which can lead to greater disappointment for banks and a significant erosion of trust in the firms,” especially when compared with breaches at companies that have a weaker reputation for IT security. Not surprisingly, lenders are more concerned when a data breach challenges a reputation than when it confirms one. Loan rates and conditions reflect this reputational damage.

Conclusion

Data breaches are increasingly at the forefront of CFO concerns regardless of business size or sector. Not only do breached firms experience losses of major customers and market share, but they also see significant decreases in operational performance and corresponding increases in the probability of bankruptcy and deterioration of lending costs and terms. 

The good news: the same study shows that breached firms that take immediate and strategic remedial actions receive less unfavorable loan terms, which places a clear emphasis on the CFO’s role in leading and stewarding best practices in data security and protocols. This leadership includes:

  • Taking a leadership role in the purchase, installation, and maintenance of a cybersecurity detection platform.
  • Drafting business continuity plans.
  • Determining the total cost of a data breach to the company.
  • Presenting data security efforts to investors and the Board of Directors.
  • Ensuring that compliance procedures and training are developed and followed.
  • Helping create a cyber-secure culture.

As Jim Deloach noted in a recent Forbes article:

Finance teams play a vital role in bolstering organizational data security and privacy capabilities. Leading CFOs are developing innovative methods for assessing, quantifying, articulating, and optimizing cybersecurity investments. In addition, CFOs also must recognize their own “skin” in the cybersecurity game, as it’s essential to stay attuned to the potential for attacks targeting them personally.