Financial effect of a Cyber Breach - What Target tells us

Learning to cope with Cyber Risk Learning from Targets experience 

In the run up to Christmas the US retailer Target (TGT) found itself victim of a data theft with some 70 million customers credit details involved and once the news was out the effect on the business was immediate. 

High profile negative media coverage on Target filled news pages just as it needed customers to open wallets and spend. 

The Retail sector has been under considerable pressure and nearly all in the sector have had to work hard in the tougher markets of today.  However, the effect of the Data Breach, one of the largest in history undermined all this effort and investment and in one stroke hit the confidence of customers and investors. 

The chart below illustrates the immediate effect by showing a very significant drop in customer activity just as the news became public which then continued as the seriousness of the breach became clearer. 

Customer transaction volumes at Target - Data Breach Cyber Attack

In a matter of hours Target saw the scale of the serious challenge it had in addressing lower customer volumes nearly treble.  

Now Target has filed its results for the period and reports sales lower by 5.3% and a slump in profits of 46%. Target CEO Gregg Steinhafel said “results softened meaningfully following our December announcement of a data breach. As we plan for the new fiscal year, we will continue to work tirelessly to win back the confidence of our guests”  

However, there was a bit of sting in tail of his rather upbeat statements as he revealed that the Company is not able to estimate future expenses related to the data breach.  Currently the unknown expenses may include payments associated with potential claims by the payment card networks for alleged counterfeit fraud losses and additional operating expenses. In addition there’s a raft of other potential liabilities covering fraud and card re-issuance expense, payments associated with civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities. 

Against this backdrop Steinhafel conceded that “These costs may have a material adverse effect on Target’s results of operations in first quarter and full-year 2014 and future periods.” 

It’s clear to see that recovering from the cyber breach is going to be a long and potentially very expensive process in a sector that needs squeeze every penny of value from operations. 

Below is a chart to further illustrate one of the effects observed. This time we’re comparing the share value of Walmart to Target.

Target vs Walmart Share price

This paints a pretty stark picture of investor confidence and it might be said that Walmart and its investors gained some real value. While both lines trace the difficulties in the retail sector the separation observed illustrates just how damaging a cyber event can be. 

In research undertaken well over 20 years ago, well before business was so dependent on technology, Knight & Pretty examined in “The impact of catastrophes on Shareholder Value” analysing the performance of companies following major events. In this report the importance of BOTH positive Risk Management and Insurance was strongly made. The paper specifically recommended the unbundling of insurance products to enable a better risk management focus.  

In the time that has passed since the original report, I’d argue that a major IT or Cyber Failure now very firmly falls into the category of a potentially catastrophic event and I think many looking at Target would agree. 

In a further study “Risks that Matter” from Oxford Metrica (sponsored by Ernst & Young) Dr Knight builds on the foundations laid and one of the critical points made in this report was that:

“The majority of sudden negative value shifts were driven by a failure to adapt to changes in the business environment, customer mismanagement and poor investor relations”

What is clear to me is that Target is a victim (and not the only one), they undoubtedly were taking steps to protect the business.  The issue is that there has been a major change in the business environment that affects every one of us and the solution needs us all to be more active and transparent. 

The information we all now store and use digitally is changing the 'rules' so much.  Our financial affairs, business and personal information and even our memories are nearly all stored digitally somewhere. The benefits are clear and we are in the midst of a digital revolution that is changing the way the world works, but with all these benefits must come realisation of just what is being increasingly shared ‘online’ and what the effects are when its stolen or just not working. Organisations must appreciate that the benefits of having access to data and process comes with real responsibilities. People now expect business to take this responsibility seriously and will react very negatively it doesn't.  

What has happened to Target is just one of the biggest, most reported data thefts What their experience tells us is it can happen to anyone even those with big IT budgets and it costs a fortune. Ted Schlein, a leading cybersecurity expert and a venture capitalist, describes the challenge as follows: 

“There are two types of companies: those that have been breached and know it and those that have been breached and don’t”            

A way forward 
Business has to fully realise that the threat is real, very serious and needs urgent action.  Securing the interests of your business and stakeholders isn’t an afterthought it is a clear board level responsibility and this must apply to all IT and Cyber activities too.  Here are 6 things you can start doing now:
Transparency is key - Don't just assume your situation is ok - It the classic mistake!  Boards and senior managers across the business should be asking tough questions of the IT guys on just how well the processes in place are working and what can be done to improve and extend them. 

Make sure you ask all your key suppliers what they are doing and ask them to prove it too!

Be active, embed the right controls for your operations and regularly review and update them.

Look for external verification, impartial assessments are a great way of getting access to the experience and knowledge you may not have in the same degree.   

Possibly most important - think! Take a long hard look at your business and stakeholders and conduct a proper risk assessment, including developing meaningful numbers that you can use to steer your planning and investment in protection measures.   

Finally, check your insurance position. Do you even have cover? Is it enough and are you doing the things needed too get the best cover and value possible?  

These actions all directly contribute to making you not only less likely to be directly affected, but also are proven to be KEY PERFORMANCE FACTORS in managing the risk and enhancing the recovery from the event itself. They will directly add to organisations resilience and demonstrate to customers and the markets that trust and confidence is merited. 

Russell Price is a Founding Member of the Cyber Risk and Insurance Forum and Chairman of the Continuity Forum. He is one of the worlds leading Risk, Security and Continuity experts with over 25 years experience of helping create positive change and building resilience internationally.