Data security breaches have long since left the domain of the IT department and now sit firmly at the boardroom table. In 2018, British Airways suffered a cyber security breach that resulted in the theft of customers’ personal and financial details. The result was far-reaching: as well as a £20 million fine from the UK’s Information Commissioner’s Office (ICO), a class action could end up costing the company billions of pounds. Financial exposure of this scale sits squarely at board level.
But it isn’t just financial losses that data breaches cause. The company’s customers, employees, operations, and suppliers are all potentially affected. Security has now risen to the top of the company as a critical business consideration. Board members need to be aware of the implications of a security breach and to be ready to take positive action.
What a board needs to know about the impact of a data security breach
Board members have a duty of care to the company and its shareholders. This extends to ensuring that the company protects itself against threats, be they malicious or accidental. In the UK, the fiduciary duties of board directors are set out in the Companies Act 2006, which details a duty to “promote the success of the company” and to “exercise reasonable care, skill and diligence in the conduct of their role”; cyber risks and the response to such threats fit neatly under this duty of care. The types of impact that a cyber-attack can have are detailed below; each can have far-reaching effects on the continued success of a company:
Employee morale
Companies run better with happy and efficient people. If morale is low, productivity drops. A Carbonite report, exploring how a data breach affects employees, clearly shows that staff morale takes a hit after a breach:
- 25% of employees experience an impact on their work/life balance
- 24% of employees experienced a drop in office morale
- 15% of companies fired employees or laid them off, post-breach
- 11% of companies saw employees quit after a breach
Share price
Board directors are under pressure to ensure that share prices remain high to retain shareholder confidence. However, there is evidence that data breaches impact share prices negatively. One of the starkest demonstrations of this was the tumble that Equifax stock took in the aftermath of the company’s data breach of 2017 – dropping over 30% in total before recovering.
Research by Comparitech, carried out over several years, shows that share price impacts are common. The research used companies listed on the New York Stock Exchange and found that, on average, share prices fell by 3.5% and underperformed the NASDAQ by 3.5%.
Compliance and fines
Regulations around data privacy and protection often come with heavy fines for non-compliance. Two examples of UK companies that have been fined under the EU’s General Data Protection Regulation (GDPR) demonstrate the costs of non-compliance:
Company: Ticketmaster
Fine: 1.4 million euros (£1.2 million)
Why: Insufficient technical and organisational measures to ensure information security
Company: Marriott International, Inc
Fine: 20.5 million euros (£17.8 million)
Why: Insufficient technical and organisational measures to ensure information security
In 2020 alone, GDPR fines increased by 19%, with a total of $332.4 million worth of fines issued since the law’s enactment in 2018.
Reputation and customer losses
A report from Lloyds and KPMG into intangible asset protection found that in the last 10-15 years 80% of corporate assets can be described as intangible – this includes brand, intellectual property artefacts, and technology-driven services. However, one of the more difficult-to-quantify outcomes of a data leak or breach is reputational impact and customer loss. Putting this into context, a survey by PwC found that 87% of consumers said they’d take their business elsewhere if a company suffered a data breach.
Employee and C-Suite sackings
Ultimately, a breach can result in lost skills and knowledge. A Radware State of Web Application Security report shows that 23% of companies sacked executives after a breach happened. An example comes, again, from the Equifax data breach of 2017: the then CIO was fined $55,000 and received a 4-month prison sentence for carrying out insider trading before the public was notified of the breach.
Downtime costs
Data security breaches have a far-reaching impact across the entirety of a business. The impacts noted above do not include other affected areas such as downtime and loss of intellectual property and sensitive company information. Datto explored the costs of downtime after a cyber security breach and found them to have increased by 486% between 2018 and 2020.
How a data breach can impact a board
A security culture promoted by a tone at the top: Cyber security is the responsibility of the entire organisation, from board to employee to third-party consultant and beyond. No individual, IT team, or security analyst can take on cyber security threats alone, so it is vital to get the board on board with security. A robust and sound security posture takes its tone from the top. When a board takes cyber security seriously, a culture of security is formed that permeates the organisation. This culture is the foundation stone on which cyber security awareness is built across the entire company.
Data is valuable: Data, and the potential for data exposure, is a critical aspect of board oversight. Data breaches are costly affairs: the average cost of a data breach in the UK is £2.8 million ($3.9 million).
Lack of cyber security training at board level: Cyber security knowledge may be an issue for a board, as board directors rarely come from a security background. Board members should therefore receive Security Awareness Training along with the rest of the organisation’s staff. Training should be relevant and tailored to their role as board members, rather than a ‘one size fits all’ approach. Company employees who have both cyber security skills and excellent communication skills can be employed to help train board members.
Share price impacts of data breaches: As shown, cyber security breaches affect shareholders because share prices are impacted after a breach; board members therefore have a duty of care to understand the implications of data breaches for shareholder value.
Policy sign-off: Cyber security policies, some of which may touch upon sensitive company information, are a fundamental part of a company-wide security strategy that should be acknowledged by, and potentially signed off by, the board or a board member.
A collective sense of responsibility: The leadership team must lead the charge against cyber-attacks. The C-Suite and the board can encourage and promote a shared sense of responsibility that also extends to being aware of accidental data exposure and simple security mistakes that can put an organisation at increased risk.
All in for accountability: The organisation, and the individuals that make up that organisation, are accountable and responsible for cyber security hygiene. The culture of cyber security awareness promoted by the board helps shape the training needed to ensure that security hygiene is adhered to by all.
Getting on-board with data breach prevention
A report from Grant Thornton found that 73% of companies reported losses of around 25% of revenue after experiencing a cyber breach. This alone is a major reason why cyber security sits squarely in the boardroom. A cyber-attack has major repercussions across all aspects of an organisation. The board plays a pivotal role in helping to create a robust security posture, as well as in ensuring that budget is available to provide the right security measures and awareness training.
The aftermath of a data breach can have crippling consequences for organisations and there is inevitably a blame game that follows any cyber incident. Our upcoming webcast titled ‘The Data Breach Blame Game: Employees or Employers?’, May 27th at 3pm BST, discusses the increasingly complex topic of liability and who is responsible when a lapse occurs.