Customer Loss After a Breach Is Real, But Don’t Lose Focus

- February 6, 2017

Historically it has been difficult to peg the fiscal impact and customer loss due to a security breach. Each company is different, serves its customers differently, and has a different market with various influential factors, which makes prediction difficult. Cisco’s Annual Cybersecurity Report includes data that sheds light on the losses companies may face, but experts stress that companies should not lose focus on preparation.

The years 2014 through 2016 brought some of the largest breaches in history, affecting far more than a billion customer records, and some of the largest brands on the NASDAQ. The Yahoo breach alone, revealed just before the end of 2016, was more than a billion records.

In the wake of some of the largest megabreaches from those years, it was beginning to look as though customers did not take data breaches to heart, or at least did not see them as a reason to abandon a brand. In fact, according to research from the Harvard Business Review, breaches have had consistently very little, if any, effect on the stock price of public companies that experienced one.

One reason for this might be that customer retention may be higher than one might expect. A report from Ponemon found 67 percent of customers who were notified of a data breach did not abandon the company. The fine points on these responses are: one, it may be too hard to find another company with comparable products and services; two, most companies experience breaches at one time or another; and three, data breaches are basically “unavoidable.” The same report noted companies that did lose customers as a result of a data breach likely could not have retained them, regardless of the company’s response. More than half (51 percent) would have left anyway.

Rajiv Pant and Elena Kvochko, the authors of the Harvard Business Review article, write that the actual amount a company stands to lose is a difficult figure to track. There just isn’t great data to cite.

Shareholders still don’t have good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value. In most cases, at the time a security breach is disclosed, it is almost impossible for shareholders to assess its full implications. Shareholders should look beyond short-term effects and examine the impact on other factors, such as overall security plans, profitability, cash flow, cost of capital, legal fees associated with the breach, and potential changes in management.

There is evidence that customers will indeed leave a company if it experiences a crippling attack. TalkTalk and Dyn are two examples, but reports of the number of actual customers or revenue lost can be conflicting and unverified.

Cisco’s 2017 Annual Cybersecurity Report, released just this week, reinforces portions of this narrative while also building on others. The cost of breaches often gets reported in terms of cleanup efforts, brand identity protection, identity services for customers, consulting fees and others. But rarely do we get insight into what a company goes through in terms of lost revenue.

A benchmark study included in the annual report that surveyed 2,900 respondents from 13 different countries suggests that a fair number of companies feel the effects in the pocketbook. When asked about the effects resulting from a breach, nearly a quarter of companies stated they lost potential income from business opportunities. Nearly 40 percent of those said the losses were “substantial.” Respondents also reported losing current customers (22 percent). Of those that did lose customers, 39 percent of them stated that they lost 20 percent of their customers or more.

According to John Stewart, Senior Vice President and Chief Security and Trust Officer at Cisco, worrying about how much your company could lose in the aftermath of a breach might not be the right focus.

“The thing that I think we will see change is that more customers will talk about security in business terms and will be measuring efficacy rather than just how much they spend,” Stewart told eWeek. “Candidly, asking how much money is spent on IT security is the wrong question.”

Sean Mason, director of threat management for Cisco security advisory services, agrees. “Customers expect companies to protect their data,” he said in an interview. “It’s just table stakes at this point.”

But the time to prepare is, obviously, before a breach. “Everybody is going to get breached at some point. My first advice is ‘get your house in order’ before something happens.” Making sure an incident response plan, a communications plan, legal counsel and a PR firm are all in place can help reduce the costs after an event by a tremendous amount.

“You don’t want to invent process during a crisis,” Mason said.