Remember SolarWinds? All you probably remember – now that I jogged your memory – is that it’s linked to some kind of cyberattack, but you can’t explain exactly what happened, what was hacked or what happened after the attack. It was only a couple of years ago, right? Or was it more recent? Maybe longer? Do you know what actually happened? Were the Russians involved? What did they do? Was Microsoft involved? What did they do? Do you know if the US government still uses SolarWinds software?
I ask these questions to obviously make the point that cyberattacks – even big ones like SolarWinds – are quickly forgotten, and that the consequences are generally small, or at least manageable. Was Russia punished for the attack? How? Were SolarWinds and Microsoft punished? Did they lose all of their customers? Did they pay massive fines? Was everyone involved fired on the spot – or ever?
All everyone talks about is how cyberattacks are increasing and that companies (and government agencies) need to spend more on cybersecurity. Yes, the number and severity of cyberattacks is increasing: nothing new here. SolarWinds reported that it spent about $19M since the attack to fix the problems that enabled the breach. (SolarWinds’ annual revenue is about $740 million.) The insurance industry was also “happy” with the financial impact of the attack:
“While the SolarWinds hack is proving to be a devastating cyberattack from a national security perspective, the attack did not evolve into a cyber catastrophe for the insurance market.”
What about those affected by the breach? What will they spend?
“American businesses and government agencies could be spending upward of $100 billion over many months to contain and fix the damage from the Russian hack against the SolarWinds software used by so many Fortune 500 companies and U.S. government departments.”
Could these companies have prevented the breach? No. But they’re responsible for the clean-up. Will SolarWinds help them pay for the clean-up? What do you think?
The Real Cost of Breaches
The real cost of a breach is comprised of at least five elements, which can all be quantified:
1. The cost to fix what led to the breach
2. The reputational risk to the breached company and subsequent loss of revenue and a decline of valuation
3. Regulatory fines (measured as of % of revenue)
4. The cost to defend and settle class action lawsuits
5. The insurance offset
The costs to fix what led to breaches are all over the place. Some companies spend a few million dollars while others spend tens of millions. As suggested above, SolarWinds reported that it spent about $19M since the attack to fix the problems that enabled the breach against an annual revenue of about $740 million. The average cost of a data breach in 2020 was about $3.8M (according to the Ponemon Institute’s Cost of a Data Breach Report).
Reputational risks are intriguing. Short-term losses – as you would expect – can be significant, but long-term risks are much less so:
“A new study from technology research firm Comparitech analyzed 28 different big-name companies that have experienced a data breach of at least 1 million records leaked, ranging from Apple and Facebook to Capital One and JPMorgan Chase.
“The size of a breach does not directly correlate to bigger drops in stock prices, however; companies that had the most records exposed saw their stock actually recover and outperform the market, while companies with smaller breaches saw their shares struggle in the six months after the fact.
“Increasingly common data breaches in recent years have led to a ‘breach fatigue’ effect – where the market is less shaken by them as time goes on, according to the study.
“Companies that experienced a breach actually performed better in the six months after, with average share price growing by 7.4%, compared to 4.1% growth in the six months before.”
Intriguing for sure.
Home Depot’s annual revenue in 2022 was $150B. The fine for recent breaches was $200M. You’ll find that generally fines represent a “small” percentage of revenue. Fines can also be levied outside the US, But here too the numbers are, well, also intriguing. Still not convinced?
“Marriott International was initially fined £99 million [~$124 million] after payment information, names, addresses, phone numbers, email addresses and passport numbers of up to 500 million customers were compromised. The source of the breach was Marriott’s Starwood subsidiary; attackers were thought to be on the Starwood network for up to four years and some three after it was bought by Marriott in 2015.
“According to the ICO’s statement, Marriott ‘failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.’ Marriott CEO Arne Sorenson said the company was ‘disappointed’ with the fine and plans to contest the penalty.
“However … the final penalty was far smaller. The hotel chain was actually only made to pay £18.4million [~$23.7 million] after over a year’s delay. While the regulator said Marriott had failed to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, it also acknowledged the steps the company took to mitigate the effects of the incident on its customers and the economic impact of COVID-19 as reasons behind the reduction. In a statement Marriott said it acknowledged the decision and will not appeal, but while it deeply regrets the incident it makes no admission of liability.
“The hotel chain was also fined 1.5 million Lira (~$265,000) by the Turkish data protection authority — not under the GDPR legislation — for the beach, highlighting how one breach can result in multiple fines globally.”
Marriot International’s revenue in 2021 was almost $14B.
The cost to defend and settle class action lawsuits is highly variable but can easily run into the tens of millions – or not, depending on the number and validity of the suits.
“Given the enormous potential cost of a data breach, most businesses should consider investing in a cyber insurance policy with a data breach inclusion. The right cyber insurance policy will allow you to transfer all data breach-related risks and costs to your insurer in return for a monthly fee or premium.”
The Counterintuitive Play
So, how bad are breaches, really? Do you think that part of the reason why cybersecurity is underfunded is because of liability? Do breaches have manageable consequences? Is a breach a game-changer for a company?
Look what happens when a company’s data base is breached. The company must reveal the breach in a designated period of time. Millions of records, including addresses, phone numbers and credit card numbers, are sold to the highest bidder. Customers are billed for things they never bought. But they don’t have to pay for them. While the company’s reputation suffers somewhat and likely not long-term – because breaches are so commonplace – impact to their reputation is minimal and short-lived. The auditors then arrive to inspect everything and declare that the company did its best (or not) to prevent the breach. Sometimes there’s a fine, even a large one, but often there’s not, and the fines are generally a tiny percentage of annual revenue.
You can decide, but if I’m at the helm and I know that I’ll have to pay a fine of less than 1% of my revenue for a major breach, that my customers will return and the price of my stock will recover, how much should I really care when I know that the hit to my public image will be temporary? If I also know that no matter how much I spend I’m still vulnerable to attack, how much should I spend?
Is underspending an acknowledgement that this is an unsolvable problem with manageable consequences? If you do what you must to satisfy the auditors, the Board and the executive team, but swim upstream when everyone calls for massive new spending, is that “enough”?
Listen to this:
“Deloitte recently issued a report that offers some insight into what companies spend on cybersecurity in one of the more sophisticated industries (in cyber terms) and what level of maturity they get for that spending.
“The most striking conclusion in Deloitte’s report is that ‘money alone is probably not the answer, as higher cybersecurity spending did not necessarily translate into a higher maturity level.’ Measured on a per FTE basis, as a percentage of the IT budget, or as a share of revenue, the surveyed companies spent a wide range of their budgets on cybersecurity. But there was not a strong correlation between those that spent a lot and the maturity ratings achieved.
“If there isn’t a correlation between higher spending and more mature programs, how should a company approach its cybersecurity program?”
Respect the threat, adopt every auditor-approved best practice, but don’t overspend on cybersecurity. Is that the “best practice? Crazy, I know. But you will be breached. You will be hacked. You will be blamed. So what? Spend “just enough” to keep everyone happy? Are the consequences of “just enough” spending too great or too manageable to define spending?
I realize this is an unconventional approach to cybersecurity, to put it mildly. Yes, the number and severity of cyberattacks is growing – they’re actually exploding. But can you guarantee you’ll never be a victim? No. The best you can do is reduce their number and severity. In other words, you can manage them – which is where you should focus your efforts. But given the consequences of poor or even mediocre cybersecurity investments – remember the Deloitte study – you should spend what you need to spend to be compliant. The worst thing you can do is adopt a never-happen-to-us policy and fund it massively and endlessly. There just isn’t enough money on the planet to eliminate cyberattacks. But there are people watching you. Make sure they’re happy, fix post-breach problems, be patient, pay the fines, settle the lawsuits, buy insurance and move on.