An Audit Analytics report on cyber-security breaches at public companies found the sensitivity of customer information stolen—along with length of time it took companies to report breaches—greatly affected the financial damage the breaches caused.
The report, “Trends in Cybersecurity Breach Disclosures,” reviewed 639 cyber-security breaches at public companies since 2011 and found that the average cost of a cyber-breach to a publicly traded company was $116 million.
In 2019, according to the report, the information hackers most often obtained through data breaches was customer names, addresses, and e-mail addresses (48 percent, 29 percent, and 28 percent, respectively). This was a change from 2018, when names and credit card information topped the list of information most compromised.
Further, the report says, the most common methods hackers successfully used to obtain company data from 2011 to 2019 were malware (34 percent), phishing (25 percent), unauthorized access (20 percent), and misconfiguration (12 percent). A significant 43 percent of firms that experienced a data breach, however, did not disclose the type of attack.
Besides enforcement penalties, the Audit Analytics report said the two elements of a breach with the most significant financial impact on a company are remediation costs and hits to its stock market value.
The first factor affecting the overall cost of a breach was the value of the information, with compromised financial information considered the most damaging. The report also noted that Social Security Numbers (SSNs) have been stolen at ever-increasing rates, with breaches involving SSNs up over 500 percent from 2016 to 2019.
Of public company breaches costing more than $50 million to remediate since 2011, the report found seven breaches compromised financial information and three compromised SSNs. Some of the largest breaches were Equifax in 2017 ($1.7 billion), Home Depot in 2014 ($298 million), Target in 2013 ($292 million), and Marriott in 2018 ($114 million).
“Contributing to high costs of breaches involving payment cards and Social Security numbers are the services offered to consumers, such as credit monitoring, that may extend for years. Since this is sensitive information, it’s also likely that companies will face consumer litigation,” the report said.
Derryck Coleman, a research manager at Audit Analytics and one of the report’s authors, said the average cost for a data breach is skewed by the biggest cases, like the $5 billion Facebook has spent on its breaches or the $2 billion spent by Equifax. (The report lists Equifax’s remediation costs as $1.7 billion, but the company has reported more remediation spending in the first quarter of 2020, he said).
The second factor in how much a data breach costs a company was the amount of time it took for the breach to be reported. The report found it took an average of 108 days before companies discovered a breach and another 49 days, on average, before the breach was disclosed.
A 2018 academic article that drew on Audit Analytics’ research found that the equity value of companies declined about 0.33 percent if firms immediately disclosed a data breach. Values dropped by 0.72 percent if companies waited for a month.
“In comparison, the decline in market values was much larger in cases where firms did not disclose the attack and parties outside the firm later discovered it: 1.47% in the three days after the discovery of the attack, and 3.56% in the month afterward. These findings suggest firms withhold more severe cyber-attacks from investors,” the report said.
The largest gap between discovery of a breach and disclosure was 1,649 days by Yahoo!, which knew its system had been infiltrated by Russian hackers in 2013, a breach that eventually affected over three billion accounts. But Yahoo! failed to disclose the breach until 2016, when it was bought by Verizon. The Securities and Exchange Commission eventually fined Yahoo! $35 million for the lag time in reporting the breach.
The median reporting gap between identification of the breach and notification to authorities was 30 days.
Another case Audit Analytics chose to highlight was the 2019 data breach at Choice Hotels International, which began in June 2015 but was not reported until four years later. In that breach, information from the chain’s online reservation portal was shared with third parties more than 88,000 times, due to a software coding error that was exposed when the customer’s Web browser crashed.
The average time between when a company identified a breach and when it reported it actually went up slightly from 2018 to 2019, Coleman said.
“There is increased complexity in data breaches, and sometimes it takes companies time to determine what happened,” he said. Some companies open independent, third-party investigations into the data breaches, which can also delay when they report the breach to authorities.
“Cyber breaches that are not discovered quickly are concerning for both regulators and investors,” the report said, referring to an October 2018 SEC investigative report regarding cyber-related fraud’s effect on public company internal controls. The SEC did not recommend enforcement in the nine cases highlighted in its 2018 report but did recommend that companies reevaluate internal controls in relation to cyber-threats.
“Data breaches that are not discovered quickly raise red flags about a company’s internal controls, suggesting that controls may not have been sufficient enough to detect the issues in a timely manner,” the Audit Analytics report said.
The report also found that 26 percent of companies suffering data breaches, including Facebook, Sony, Amazon, Comcast, and T-Mobile USA, were victimized repeatedly.
“Depending on what information is compromised or lost, multiple breaches can lead to additional costs in the future, such as litigation from consumers and vendors whose financial data was compromised, or internal employees whose information was affected,” the report said.