The cost of a data breach
By Matthew Tyler, CEO, Blackfoot
Equifax is the first ever NYSE-listed stock to suffer a long-term downgrade with a cyber-attack named as the cause.
Previously, cyber-attacks wouldn’t move the needle for more than a day or so: the stock would take a hit, on average around 7%, before recovering quickly, with little to no medium- or long-term impact. Hence the ratings agencies didn’t deem them a big enough risk to affect future earnings.
However, a few weeks ago Moody’s downgraded Equifax from stable to negative. A recent bankInfosecurity.com article explores the cost of the data breach.
Last year Equifax’s revenue was $3.4b.
To date they have said data breach costs are running at $1.3b, and NONE of the 1000+ lawsuits have been settled yet. A couple of numbers in their report jumped out at me. Out of the current $1.3b of post-breach costs, $690m went on legal advice. Wow. Still, 1000 times anything is going to hurt. $82.8m went on technology and data security.
Although the $690m initially stands out (and there will be a lot of very happy senior partners out there), it’s under $500k per lawsuit. In my mind the more telling figure is the $82.8m spent to date on bringing them up to ‘adequate’ security: security which is fit for purpose, will appease external auditors, and will satisfy the many regulators they need to report to regularly for up to 6 years.
$82.8m is just under 3% of their 2018 annual revenue. This shows the scale of the under-investment over what must have been a sustained period of time.
Over the last 10 years we’ve helped many different organisations in .. but a common metric comes up everywhere. Leaving outliers aside, most organisations spend between 1-3% of their revenue on IT and between 5-15% of that on GRC, data protection and cybersecurity.
If we use the highest numbers, 3% and 15%, $82.8m still takes over 5 years to spend. So it’s either zero investment for 5 years or half of what they should have invested for 10 years.
So, every year for a long time, less than the minimum was done: the basics were ignored, and either budgets were turned down or they weren’t being put forward with the risk-based evidence required to show the board why it should be spending significantly more.
We will probably never actually find out, as their CISO, CIO and CEO were all sacked as a result of the 2017 data breach.
However, if you want to know whether your organisation is spending the right amounts on the right things, let me know and I will send you a report on how effective your current cyber spend is.