The High Price of “Reputational” Risk

by Tim Critchley

According to IBM, the average cost of a data breach in 2016 was $3.8 million, a 23 percent increase since 2013. This figure encompasses everything from breach mitigation and crisis team management costs to business losses and many other direct, measurable consequences of a modern data breach. Most importantly, it also takes another, less tangible consequence into account – damage to brand and executive reputation.

This study acknowledges the severe financial impact that a data breach can have on a company’s reputation. As an example, when Target was breached in 2013, it was criticized heavily across the industry for its poor handling of the breach, and its corporate reputation was left severely tarnished. The breach ultimately cost the company $252 million, and Target’s CEO, Gregg Steinhafel, was forced to resign.

In contrast, when another US retailer, Home Depot, fell victim under incredibly similar circumstances, it only cost the company $33 million. Why the difference? Home Depot’s handling of the breach was seen as proactive, responsible and just. The company’s audit committee, CIO and management took quick and efficient action that prevented the breach from causing nearly as much damage to customer sentiment and subsequent sales figures. Home Depot’s reputation remained intact and the financial impact on the company was minor, compared to what it could have been.

In today’s world, consumers have all the power. With social media they can instantly take to the web to voice an opinion or make a complaint. A company’s reputation can spiral out of control quickly if a data breach is not handled effectively and efficiently.

Additionally, the risk of data breaches in the retail industry is only increasing. The United States is in the process of adopting EMV chip technology in payment cards. When this occurred in the UK, card not present (CNP) fraud spiked and call centers became the low-hanging fruit for fraudsters who shifted their attention from point of sale terminals to telephone and online channels. In fact, every country that has adopted EMV chip cards has experienced a surge in CNP fraud after implementation, and I expect that the U.S. will be no different. Some analysts are predicting losses from CNP fraud will grow to more than $6.5 billion in the U.S. by 2018. If companies do not prepare for this surge in advance by strengthening security measures and having smart reaction and mitigation plans ready now, their reputations will be on the line.

Fortunately, steps are being taken to remediate reputational risk for companies. Businesses can no longer hide behind data breaches. In the U.S., 47 states have enacted legislation requiring private, governmental or educational entities to notify individuals of breaches that involve personally identifiable information (PII). Businesses are being pushed to have complete transparency with their customers about data security and breaches, and this could be incredibly powerful in helping to save their reputation in the wake of a breach.

Even with the regulations designed to ensure that businesses better protect PII and payment card data, one of the most effective ways companies can protect themselves against data breaches is simply not to possess the sensitive data in the first place. You cannot lose data that you never hold. Retailers and other businesses that accept card not present payments through online, mobile or telephone channels can use technologies that keep the card data out of their own enterprise systems and channel it directly and securely to the payment processor. In doing so, businesses shrink their card data environment, simplifying compliance with the Payment Card Industry Data Security Standard (PCI DSS) while at the same time making their call centers and online channels less of a target for criminals.

Securing payments and protecting customer data will always be a cat-and-mouse game between businesses and the criminals who are targeting them. While maintaining PCI DSS compliance, investing in new technologies and creating proactive response and mitigation plans may seem expensive or time-consuming, it’s a small price to pay when compared to the average cost of a data breach. After all, you can’t put a price on your reputation.