Return to site

Cyber Risk Disclosure - Who Cares?

· cyber governance,Disclosure,Materiality

Is the lack of cyber breach disclosure by a Company material?

Dr. Gilles Hilary, Chaired Professor of Accounting and Control at Georgetown, has now published his latest research with Fordham University's Benjamin Segal, and May Zhang focused on a qualitative analysis of five major cases: Sony, Target, Home Depot, Anthem, and Yahoo.

With the explosion of Cybercrime and the reputation risk impacts on stakeholder trust and license to operate from related breaches, the topic of the importance of disclosure is gaining momentum in both the media and across the public.

The latest Yahoo breach has resulted in Verizon's push for a $USD1 billion discount on the price, on top of a $USD1 billion reserve that Verizon may set aside to fund possible liabilities associated with the Yahoo email hack. One might argue that this tells a strong story for the materiality of disclosure given its revenues of only $USD4.9B. But does it really?

While we see regulators across the world now focused on addressing corporate disclosure related to these risks, cyber risk disclosures by listed firms still remains limited. Few companies come forward with information on losses. When Google was hacked in 2010, another 34 Fortune 500 companies in sectors as diverse as information technology and chemicals also lost intellectual property. Only one other company reported the breach at the time without stating what was lost or the financial / customer impact of the loss. It’s only through Wikileaks that that information has become public.

As part of their research, Hilary and his team also complete a systematic analysis of security price reactions upon the announcement of breaches. Their findings illustrate that the effect of a breach on stock prices is very limited.

The median (mean) three-day period market-adjusted abnormal return is approximately -0.5% (-0.7%). In comparison, the average reaction when a firm announces asset impairment is approximately -1.3% (Segal and Segal, 2016).

Their qualitative analysis also revealed no significant and persistent negative market reaction when the recent major data breaches at Sony, Target, Home Depot, Anthem and Yahoo were revealed. Consistent with this lack of market reaction,estimates of the costs associated with these breaches to the targeted firms are not material. (*Yahoo was clearly assessed before the Verizon discount to its acquisition).

What was interesting is that when they considered the distribution of short window returns, they identified only 3 cases of return below -10% in the ten-year period that encompassed their sample. A cross-sectional analysis indicated that returns upon announcement of a breach are more substantial for more severe breaches and for high book-to-market firms.

They did not find that a discussion of cyber-issues in the annual report is associated with the size of the market reaction. Other variables such as a time trend, firm size or being in the financial sector were also not statistically associated with short-term abnormal returns.

Although they did find an increase in disclosure after a breach, they find no statistically significant difference between breached firms and a matched sample of firms not affected by a breach. In other words, the increase in disclosure for breached firms cannot be distinguished from a secular trend of a modest increase in disclosure for all firms.

They then considered long term returns a 6- and 12-month periods after the breach announcement. The objective was to evaluate the hypothesis that the market initially under-reacts to the news. Using the methodology proposed by Stafford and Mitchell (2000), they also did not find that long-term abnormal returns statistically differ from zero. In addition, they could also not identify any variable that is statistically associated with these long-term returns. In particular, they found that discussions of cyber-issues in the annual 10-K report were not significantly associated with post-announcement returns. Thus, the evidence does not indicate that the markets over- or under-react to cyber-breach announcements.

They also failed to observe significant changes in operational performance measured by the return on assets (ROA).

Similarly, they found no significant changes in shareholder clientele. In fact, they found that the proportions of transient, dedicated and quasi-indexer investors remained stable after a breach announcement.

But will these results change following the Yahoo breach?

We know that the wheels of justice often move more slowly. The Hill reports a class action suit was filed in California against Yahoo. USA Today reports two more. The Home Depot settlement, (50M users) was $19.5M, (less than forty cents per user) for a company of revenues of $81.18B (2015). Target's settlement was $39M for 40M users against revenues of $73.78 B (2015). CNBC also references a suit claiming gross negligence. The researcher's point is that these settlements are negligible when you consider their revenues.

What is clear from the 2016 IBM/Ponemon Institute report is that the cost of a breach is increasing.

Hilary and his team state this lack of market reaction is inconsistent with a market or regulatory failure associated with the poor disclosure on cyber-risk.

This then begs the question, Why is it, if the regulatory risk for a firm of a breach is increasing, that Hilary and his researchers find no evidence of systematic effect on executive employment?

Firms that have been breached are similar in terms of propensity of CEO or executive departure before and after the breach, the breach does not increase the probability of a departure, and the difference in differences between the two groups is not significant.

These findings have significant implications for regulators and investors who are focused on the materiality of the risks associated with cyber attacks.

I'm not sure that I agree with their notion:

Although it is probably prudent to monitor this issue for a change in the environment, our results do not support the notion that regulators with limited resources should focus on this topic for the time being.

While the SEC 2011 rules on disclosure are regarded as vague (Reuters) and failure to enforce them is drawing attention from both consumers, policymakers and investors, incidences and the cost of cybercrime and corporate cyber espionage are on the rise.

Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This (SEC 2011) guidance changes everything, […] It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it”. Senator John Rockefeller

Governments need to begin serious, systematic effort to collect and publish data on cybercrime to help countries and companies make better choices about cybersecurity risk management and policy. It is very difficult for a CIO or CRO to adequately estimate the risk when there is incomplete data.

The new privacy regulations are driving the transparency of customer personally identifiable information losses from large companies. The new EU Global Data and Privacy Regulations that will be enforced in 2017 alongside its threat of hefty regulatory fines, may just be the regulatory tool that can move the needle on disclosure.

These types of regulatory and compliance pressures at least ensure a minimum level of transparency and disclosure from listed companies.

While Hilary and his team's research suggests today that a cyber breach is currently not materially significant, the question of its impact on the reputation risk profile of a Company and loss of stakeholder trust just may be.

Dr. Charles Fombrun, Chairman of the Reputation Institute, suggests that a monolithic brand like Sony’s requires vigilant and forceful leadership and internal systems to defend the company’s market capital against reputation risks. This is because the parent brand endorses all of the company’s products, and so a threat to one is a threat to all. This brand architecture is paramount to why even an iconic corporate brand like Sony is bound to experience deep reputation damage from events in a subsidiary that accounts for only 10% of the company’s revenues.

Based on their research few are aware of the difference between the U.S. subsidiary and the diversified Japanese corporate parent. He stated that any perceptions that the company had ‘given in’ to the demands of rogue hackers is also likely to weaken perceptions of the entire company’s management strength, technological leadership, and innovativeness.

Research conducted by Reputation Institute since 2000 on Sony, suggests that these 3 attributes of management strength, technological leadership and innovativeness are in fact fundamental drivers of Sony’s reputation. In their public perception research, Sony averaged a reputation score of 76 (out of 100) over 15 years, a rating that puts it consistently among the world’s top 10 best-regarded companies. Fombrun predicts, that these events will, not only damage the company’s reputation in the short term, but also cast a long shadow over the entire company’s product portfolio for years to come.

But has it? This year Sony topped the RepTrak Technology companies rankings at #1 position. This, in fact, supports Hilary's findings.

If Hilary's research stands testimony and breaches continue to be largely immaterial to company performance, this is a topic of great interest to regulators, Company Directors, and their stakeholders.

---

For a copy of this excellent research, please see https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2852519

 

I appreciate that you are reading my post. Here, and on LinkedIn, I write about board related issues - corporate strategy, human capital, reputation risk, technology and innovation, corporate governance and risk management trends.

If Hilary's research stands testimony and breaches continue to be largely immaterial to company performance, this is a topic of great interest to regulators, Company Directors, and their stakeholders.

---

For a copy of this excellent research, please see https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2852519

I appreciate that you are reading my post. Here, and on LinkedIn, I write about board related issues - corporate strategy, human capital, reputation risk, technology and innovation, corporate governance and risk management trends.

If you learned something from reading this post, please click the thumbs up icon above and let me know. If you would like to read my regular posts then please click 'Follow' (at the top of the page). If we have met, do send me a LinkedIN invite. And, of course, feel free to also connect via Twitter.

If you are interested in more effective reputation risk management, improving corporate governance, using the Reputation Institute's RepTrak model to benchmark your company's reputation, or developing your digital, communications, responsible investment or sustainability strategies, do connect with us at RL Expert Group.

As a serial en/intrepreneur, Leesa has worked for 20 years on the cutting edge of strategy, communications, technology, cyber security and risk consulting. She has advised more than 400+ multinationals and their start-ups in 19 sectors across Europe, Asia Pacific and the Americas. She has led companies with turnovers from $4M to $14B USD into new markets and has shared the exhilaration of one IPO, numerous exits and the hard knocks of lessons learned.

Connect: Leesa Soulodre, Managing Partner, RL Expert Group.

All Posts
×

Almost done…

We just sent you an email. Please click the link in the email to confirm your subscription!

OKSubscriptions powered by Strikingly