Costs and consequences of data breaches - expert comment
Dr Jonathan Cave from Warwick Economics comments on the costs and market consequences of large data breaches in the wake of the Virgin Media incident:-
- Cybersecurity breaches have imposed costs in excess of $5.2 trillion over the last five years.
- 43% of these attacks are aimed at small businesses and only 14% of these businesses had not had defences in place.
- In the past couple of decades, there have been many studies of how breach disclosure has affected market capitalisation and returns
- the impact is generally negative (at least in the short run) – if the firm reacts ‘well’ it can benefit from a ‘bounce’
- market penalty depends a great deal on the type of breach, the sensitivity of the information, the number of records lost, the extent to which the firm ‘holds itself out’ as a safe guardian of data and the delay between breach and disclosure.
- Generic penalties may be about 2-3% of value; loss of confidential information may double or triple this
-
Returns can turn negative and (often) volumes and bid-ask spreads can increase – but mainly short-run effects
-
Regulatory environment: This potentially opens Virgin Media to regulatory liability and penalties under DPA 2018/GDPR; on the other hand, the breach is not large (see visualisation here for a sense of the scales involved in current breaches).
-
The data have been exposed for almost a year, which may be seen as a sign of complacency. However there does not seem to have been a serious theft or abuse of the data, and the firm apparently acted promptly to shut it down – it would be useful to know a bit more about how and when it came to light.
-
The data themselves are not highly sensitive, and probably only of commercial interest. Recent social media breaches like OxyData (LinkedIn) and Facebook are several orders of magnitude bigger and potentially more sensitive.
8 March 2020