Data security breaches can negatively impact an entire organization -- including sales, marketing and IT -- and have a significant negative impact on company finances and shareholder value, according to a new Ponemon study.

Specifically, the study, which was commissioned by Centrify, found that the stock value index of 113 companies declined an average of five percent the day the breach was disclosed. What’s more, 31 percent of consumers surveyed say they actually terminated their relationship with an organization that experienced a data breach.  And while the study found a data breach has a significant impact on brand reputation, 66 percent of IT practitioners don’t believe their company’s brand is their responsibility.

“Data breaches are very real business and bottom line concerns. This reality was recently seen when a popular fast food chain’s stock rose as much as 6.8% after reporting better than expected Q1 earnings, but then saw its gains chopped in half when it revealed it had a breach. The fallout can be significant and may even be a reason to relieve the C-Suite of its duties,” said Tom Kemp, CEO of Centrify. “This new report serves as a wake-up call to every organization that security isn’t just about protecting data, it’s about protecting the business. It is no longer just an IT problem -- it must be elevated to the C-suite and boardroom because it requires a holistic and strategic approach to protecting the whole organization.”

The Impact of a Data Breach on Reputation and Share Value study presents the views of three diverse groups who have in common the ability to influence share value and reputation. Ponemon Institute surveyed 448 individuals in IT operations and information security, 334 senior level marketers and corporate communication professionals and 549 consumers.

Miscalculation of Security Risk on Shareholder Value

The study found a direct correlation between a data breach and stock decline, customer churn and revenue loss and the organization’s security posture. The following findings are based on a sample of 113 companies that experienced a material data breach

  • On the day a breach was disclosed, the share value index dropped an average of five percent.

o   Companies with a poor security posture, were found to drop as high as seven percent and, 120 days following a breach, the company did not fully recover the share price it enjoyed immediately prior to the breach.

o   Companies with a high security posture saw a decline of no more than three percent. And, 120 days following the breach, the company was found to successfully rebound, showing a three percent gain in the stock price prior to the attack. 

  • Organizations with a poor security posture experienced up to a 7 percent loss of customers, which can amount to millions in lost revenue
  • Thirty-one percent of consumers state they would discontinue their relationship with a breached organization, and 65 percent lost trust in that organization.

Blind Spots in the C-Suite with Costly Consequences

The study showed a data breach has a significant impact on brand reputation, but the internal disconnects illustrate vulnerabilities across the organization.

  • A data breach out-ranks a scandal involving the CEO.  Breaches rank in the top-three most negative impacts to brand reputation following terrible customer service and environmental disaster.
  • 45 percent of IT practitioners and 42 percent of CMOs don’t believe that brand protection is taken seriously in the C-suite.
  • More than half (56%) of IT practitioners are not confident they have the ability to prevent, detect and resolve the consequences of a data breach and more than half fear a breach will cost them their job.  By contrast, 63 percent of CMOs are far more optimistic their company would quickly recover from a serious breach.
  • The impact of a breach on a company’s stock price is a blind spot for CMOs and IT practitioners. Only 20 percent of CMOs and 5 percent of IT practitioners say they would be concerned about a decline in their companies’ stock price. In organizations that had a data breach, only 5 percent of CMOs and 6 percent of IT practitioners say a negative consequence of the breach was a decline in their companies’ stock price.

Alarming Reality for Consumers

There is a disconcerting gap between consumer expectations and corporate perspective when it comes to the protection of customers’ personal information.

  • Eighty percent of consumers believe organizations have an obligation to take reasonable steps to secure their personal information. However, only 65 percent of CMOs and 64 percent IT professionals agree.
  • Seventy percent of consumers believe organizations have an obligation to control access to their information, but less than half of CMOs and IT security practitioners believe this is an obligation.