It seems as if network security breaches have come in droves. Recently, Honda‘s Canada operations reported a data breach. Lockheed Martin (NYSE: LMT ) said it fended off an attack on its systems. In April, Alliance Data‘s (NYSE: ADS ) Epsilon faced a similar attack that affected some of its clients such as Citigroup‘s (NYSE: C ) Citibank unit and Target. Last week, Citi revealed hackers had obtained information on about 200,000 cardholders.
Attacks such as these are a dime a dozen these days. Recently, Google (Nasdaq: GOOG ) accused China-based users of hacking into Gmail accounts of government officials from the U.S. and some Asian countries. These hacking attempts, common in the tech trade, have become so prominent and common that they’re starting to take a serious toll on companies’ bottom lines. Time for Fools to take notice.
The mother lode
The most prominent attack of the lot belongs to Sony (NYSE: SNE ) . A few weeks ago, the company was the victim of a malicious, large-scale attack. The attack took the PlayStation Network and the company’s Qriocity service offline, disabling services to 77 million Sony customers and stealing private data of these customers.
Recently, Sony also faced a third attack from hacker group LulzSec, which broke into the Sony network and allegedly stole private data of several Sony customers. This is the same group that recently posted fake news items on the PBS website.
The estimated financial impact of the last attack was estimated by Sony at $170 million. While that is not really a jaw-dropping amount as far as Sony is concerned, the company might have incurred some additional losses than just the quantifiable ones.
Hack attack balance sheet
Each attack that cripples a network or breaches it to expose sensitive data comes with a range of costs including ones that cannot be directly quantified. In order to examine the true economic impact of malicious network attacks, these costs might play an important role.
Costs can be deduced based on the type of attack. For the one at Sony, the most important cost incurred is the cost of business lost because of denial of service or disabled services. Some of the customers might prefer to take their business to other service providers who they deem safer. So there might be loss of business in that direction. In cases where the system infrastructure has been affected because of an attack, there are costs associated with reduced productivity. Added to these are costs from ensuing legal proceedings, investigation, loss of goodwill, and PR.
Among the intangible costs is the loss of investor confidence resulting from bad press and loss of crucial advantage to competitors. What all these costs add up to for each company is dependant upon the type and degree of the attack and on the size of the company.
When Sony was hit, the initial reaction was that it was a simple snag. But the true financial impact was eventually revealed. The $170 million loss that Sony reported wouldn’t have been as much if there wasn’t a possibility of stolen user accounts. But with further reports of possible identity thefts on the PSN, the costs escalated.
In February 2000, a Canadian teenager attacked Yahoo!, eBay, Amazon, and E*TRADE Financial. Estimates at the time placed the total cost of the denial of service attack at $1.2 billion for a few hours of outage. In other words, while hard to imagine, these costs are very real.
The Ponemon Institute, which carries out independent research on network security, conducted a study on the average cost of data breaches in the U.S. in 2010 and reported a figure of $214 per compromised record, taking into account the various factors involved in an attack. Therefore, in order to work out the exact cost that the company faces because of the attack would essentially be a function of how much of the data has been breached or for how long the system stayed down.
Market reactions to data breaches are based on how bad the attacks are perceived. The first thing to do in case of a report of a malicious attack is to wait for reports on what the attack is all about. The extent of the injury can only be judged by further information regarding what the company stands to lose. If the data that has been breached will not have any bearing on the revenues of the company, then an initial drop in share prices is perhaps mere market apprehension.
Before you respond to a malicious attack on one of your investments in your portfolios, measure the impact that such an attack can have on the company. Try to think about the various possible costs that I have mentioned to get a rough picture of what could come next.