How Data Breaches Affect Reputation & Share Value: A Study of U.S. Marketers, IT Practitioners and Consumers, conducted by Ponemon Institute and sponsored by Centrify, examines from the perspective of IT practitioners and marketers how a company’s reputation and share value can be affected by a data breach. As part of this research, we surveyed consumers to learn their expectations about steps companies should take to safeguard their personal information and prevent data loss.
This study is unique because it presents the views of three diverse groups who have in common the ability to influence share value and reputation. Ponemon Institute surveyed 448 individuals in IT operations and information security (hereafter referred to as IT practitioners) and 334 senior level marketers and corporate communication professionals (hereafter referred to as CMOs).
Forty-three percent of IT practitioner respondents and 31 percent of CMOs in this study say their organization had a data breach involving the loss or theft of more than 1,000 records containing sensitive or confidential customer or business information in the past two years. We also surveyed 549 consumers. Sixty-two percent of these respondents say in the past two years they have been notified by a company or government agency that their personal information was lost or stolen as a result of one or more data breaches.
The results of this study show how data loss affects shareholder value and customer loyalty. To protect brand and reputation, it is critical that the C-suite and boards of directors address consumers’ expectations about how their personal information is used and secured. On a positive note, the study reveals the majority of both IT practitioners and CMOs believe their companies’ senior management understands the importance of brand management.
The effect of data breaches on stock price and customer losses
For the economic analysis of the stock price, we selected 113 publicly traded benchmarked companies that experienced a data breach involving the loss of customer or consumer data. We created a portfolio composed of the stock prices of these companies. We tracked the index value for 30 days prior to the announcement of the data breach and 90 days following the data breach.
The key takeaway from the analysis is that companies that achieve a strong security posture through investments in people, process and technologies are less likely to see a decline in their stock prices, especially over the long term. Because of their strong security posture, these companies are better able to quickly respond to the data breach. Following are conclusions from this analysis.
- Following the data breach, companies’ share price declined soon after the incident was disclosed.
- Companies that self-reported their security posture as superior and quickly responded to the breach event recovered their stock value after an average of 7 days.
- In contrast, companies that had a poor security posture at the time of the data breach and did not respond quickly to the incident experienced a stock price decline that on average lasted more than 90 days.
- The difference in the loss of share price between companies with a low security posture and a high security posture averaged 4 percent.
- Organizations with a poor security posture were more likely to lose customers. In contrast, a strong security posture supports customer loyalty and trust.
- The 113 companies in our sample that experienced a low customer loss rate (less than 2 percent) had an average revenue loss of $2.67 million. Organizations that lost more than 5 percent of their customers experienced an average revenue loss of $3.94 million.
Other key takeaways
The loss of stock price is not the top concern of CMOs and IT practitioners. Reputation loss due to a data breach is the biggest concern to both IT practitioners and CMOs. Only 20 percent of CMOs and 5 percent of IT practitioners say they would be concerned about a decline in their companies’ stock price. In fact, in organizations that had a data breach, only 5 percent of CMOs and 6 percent of IT professionals say a negative consequence of the breach was a decline in their companies’ stock price.
Thirty-one percent of consumers surveyed say they discontinued their relationship with the company that had a data breach. Of those consumers affected by one or more breaches, 65 percent say they lost trust in the breached organization and more than 31 percent say they discontinued their relationship.
IT practitioners and CMOs both believe a data breach is a top threat to their companies’ reputation and brand value. A data breach is considered by participants in this research to be a top threat to their companies’ reputation and brand value. On a positive note, the majority of IT practitioners (55 percent) and 58 percent of CMOs do believe their companies’ senior-level executives take brand protection seriously.
More CMOs have confidence than IT practitioners in the resilience of their organizations to recover from a data breach involving high value assets. Only 44 percent of IT practitioners believe their organizations are highly resilient to the consequences of a data breach involving high value assets. However, 63 percent of CMOs are confident their company would be resilient to a data breach that results in the loss or theft of high value assets.
More CMOs believe the biggest cost of a security incident is the loss of brand value. Seventy-one percent of CMOs in this study believe the biggest cost of a security incident is the loss of reputation and brand value. In contrast, less than half of IT practitioners (49 percent) see brand diminishment as the biggest cost of a security incident.
Following a data breach, the IT function comes under greater scrutiny. IT practitioners in organizations that had a data breach (43 percent) consider the following the most negative consequences of a breach: greater scrutiny of the capabilities of the IT function, significant financial harm and a loss of productivity (56 percent, 44 percent and 40 percent, respectively).
IT practitioners do not believe that brand protection is their responsibility. Sixty-six percent of IT respondents do not believe protecting their company’s brand is their responsibility. However, 50 percent of these respondents do believe a material cybersecurity incident or data breach would diminish the brand value of their company.
CMOs allocate more money in their budgets to brand protection than IT does. Thirty-seven percent of CMOs surveyed say a portion of their marketing and communications budget is allocated to brand preservation and 65 percent of these respondents say their department collaborates with other functions in maintaining its brand. In contrast, only 21 percent of IT practitioners say they allocate a portion of the IT security budget to brand preservation and only 19 percent collaborate with other functions on brand protection. This response is understandable because so many IT practitioners do not believe brand protection is the IT function’s responsibility.
Consumers’ expectations for the security of personal information they share with companies are much higher than CMOs’ and IT practitioners’ expectations. Eighty percent of consumers believe organizations have an obligation to take reasonable steps to secure their personal information. However, only 49 percent of CMOs and 48 percent of IT practitioners agree. The research reveals differences in perceptions between IT practitioners and CMOs on issues regarding reputation and brand management practices. However, more serious differences are the gaps between consumers’ expectations and the perceptions of IT practitioners and CMOs about how their personal information should be safeguarded.
CMOs and IT practitioners are less likely to believe their organizations have a responsibility to control access to consumers’ information. While 71 percent of consumers surveyed believe organizations have an obligation to control access to their information, 47 percent of CMOs and 46 percent of IT security practitioners believe this is an obligation.
Consumer trust in certain industries may be misplaced. Eighty percent of consumers say they trust healthcare providers to preserve their privacy and to protect personal information. In contrast, only 26 percent of consumers trust credit card companies. Yet, healthcare organizations account for 34 percent of all data breaches while banking, credit and financial organizations account for only 4.8 percent. Banking, credit and financial industries also spend two-to-three times more on cybersecurity than healthcare organizations.
IT practitioners and CMOs share the same concern about the loss of reputation as the biggest impact after a breach, but after that, the concerns are specific to their function. For CMOs, the impact to reputation is followed by a concern over loss of customers and decline in revenue (76 percent, 55 percent and 46 percent of respondents, respectively). For IT, the two biggest concerns are the loss of their jobs (56 percent of IT respondents) and recovery time that decreases productivity (45 percent).