In the last two years, Fortune 500 companies from Sony to Target to Anthem have experienced major data breaches. Executives have lost their jobs, tens of millions of consumers have had their credit card and other personal data compromised, and corporations have frantically tried to contain the damage. Just last week, Target agreed to pay $10 million in a proposed settlement of a class-action lawsuit related to a huge 2013 data breach.
But for all the panicky headlines, the boardroom anxiety, and the general cyber security doom-and-gloom, one important—if counterintuitive—question seems to have been overlooked: How much does hacking really cost big companies?
If you dig into the financial performance results of companies hit by some of the world’s most notorious, disclosed data breaches, a disturbing fact will strike you: They don’t seem to cost all that much.
That is the stunning conclusion of an analysis by Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs. Dean—who also has a background in accounting—pored over 10-K filings for Sony, Home Depot, and Target, after their recent, well-publicized security breaches. Keeping an eye out for breach-related expenses in these companies’ quarterly financial reports, Dean discovered that the actual expenses reported by these companies amounted to less than 1% of each company’s annual revenues.
“After reimbursement from insurance and minus tax deductions, the losses are even less,” Dean writes on The Conversation, where his post initially appeared.
A close look at Sony.
Sony’s November 2014 hacking led to the disclosure of unreleased movies, embarrassing internal emails, and personal data—including Social Security numbers—of 47,000 celebrities and employees. (It was so traumatic and disruptive to the company that it delayed its 10-K filing.)
Still, Sony estimates its breach’s financial impact has been just $15 million to date “in investigation and remediation costs.” That’s barely a blip on the radar.
“To give some scale to these losses,” Dean writes, “they represent from 0.9% to 2% of Sony’s total projected sales for 2014 and a fraction of the initial estimates.”
Dean notes that Sony, in total, anticipates spending $35 million “restoring financial and IT systems” for the full fiscal year. Further writing off the breach’s monetary ramifications, the company forecasts: “Sony believes that the impact of the cyberattack on its consolidated results for the fiscal year ending March 31, 2015 will not be material.” Translation: .
These numbers are likely not small enough to vindicate Sony Pictures’ former executive director of information security. In 2007, he told CIO Magazine that “‘it’s a valid business decision to accept the risk’ of a security breach…I will not invest $10 million to avoid a possible $1 million loss.” But Dean’s analysis does come alarmingly close to making the minimal-effort stance a defensible position.
The Home Depot hacking also barely made a dent.
Last year’s Home Depot hacking led to crooks pocketing an estimated 50 million customers’ credit card numbers and email addresses, but this relevant bit from Home Depot’s most recent earnings report shows it had a negligible impact:
In the third quarter of fiscal 2014, the Company recorded $43 million of pretax expenses related to the Data Breach, partially offset by a $15 million receivable for costs the Company believes are reimbursable and probable of recovery under its insurance coverage, for pretax net expenses of $28 million.
When you do the math, that $28 million “represents less than 0.01% of Home Depot’s sales for 2014,” Dean points out.
And what about Target?
Target’s hacking in late 2013 resulted in the theft of 40 million payment cards and 70 million other records, including customers’ email addresses and phone numbers. The security breach was considered so severe that the CEO felt compelled to resign.
And yet, Target, in its latest filing, lays out in great detail the tolls of its breach:
The Company incurred breach-related expenses of $4 million in fourth quarter 2014 and full-year net expense of $145 million, which reflects $191 million of gross expense partially offset by the recognition of a $46 million insurance receivable. Fourth quarter and full-year 2013 net expense related to the data breach was $17 million, reflecting $61 million of gross expense partially offset by the recognition of a $44 million insurance receivable.
To sum the math up, Target’s gross expenses totaled $252 million, insurance compensation brought that down to $162 million, and further tax deductions yield a final $105 million. While larger than either Home Depot’s or Sony’s outlay, the final amount is not so wounding in the grand scheme of things.
“This is the equivalent of 0.1% of 2014 sales,” Dean notes.
“To the companies themselves, this seems like a rounding error,” he told Fortune on a call from Australia. “It’s certainly not a huge loss when compared to their annual revenues.”
To invest or not to invest in security.
To be sure, this analysis has generated criticism. Matthew Rosenquist, an information security strategist at Intel, argues Dean’s analysis has several problems. First, he notes Dean uses revenues rather than profits as the key metric. “It can make a lot of difference to management if an attack consumes a big chunk of your profit or worse, pushes you from the green into the red side of the ledger,” he writes on a company blog.
Rosenquist also stresses the hidden costs of a breach: rising insurance premiums, damage to third parties, sinking customer goodwill and trust. Most importantly, he writes, failing to invest in security is strategically myopic; without ensured stability, a business may as well be committing corporate suicide.
Dean acknowledges that over time consumer faith may erode, but he says, for now, “You can’t see losses and effects on the bottom line in terms of reputational damage.”
Actually, Rosenquist and Dean don’t differ greatly in their conclusions. “Regardless of the way we measure it, or whether we look forward or backward, we agree on the central point that companies need to invest in information security,” Dean told Fortune, responding to Rosenquist’s criticisms by email.
Turns out Dean is not an apologist for the willfully, digitally indisposed. He says he believes corporate networks need buttressing—even if data breaches don’t hurt companies’ bottom lines. Moreover, he believes the incentives for buttressing corporate networks need buttressing. And until corporations are held more accountable for these breaches—not with $10 million slaps-on-the-wrist—but with, well, he isn’t quite sure what yet, companies won’t make the big investments in information security needed.
So, is security worth the investment? Here’s Dean’s take:
We need to get back to what the hard evidence says. What are the verified losses and impact, as opposed to speculation in some cases? It’s not quite fear-mongering. We need to ground our analysis in how big a problem this is. Once we’ve ascertained how big a problem it is, we can figure out what to do about it, and have an open and informed discussion. Right now that’s not happening. I’m not seeing hard evidence used to back up claims. If that discussion is happening, it’s not open.
Consider the conversation started.