For years, hackers have been targeting the corporate world, stealing customers’ credit and debit card information and causing billions of dollars in losses. NYT report states that “The widespread theft of Target customer data had a significant impact on the company’s profit, which fell more than 40 percent in the fourth quarter. The company said net earnings were $520 million in the quarter, down 46 percent from the same period a year earlier, when earnings were $961 million. Earnings per share were 81 cents, down from $1.47 the year before. Target executives repeatedly called 2013 a “challenging” year”
The rot runs deep for Target. On Dec. 19, Target publicly confirmed the data breach, which compromised personal or payment information for as many as 110 million people. Sales in the company’s fourth quarter, which ended Feb. 1, fell 3.8 percent from the year before, and transactions were down 5.5 percent.
Profit margins also suffered, company executives said, partly because of unanticipated promotions the retailer decided to offer to try to lure back customers, like a 10 percent discount in its stores just after the breach was announced, and clearance sales at the end of the holiday season.
The company reported $61 million of pretax expenses related to the breach in the fourth quarter; it expects $44 million in insurance payments for a net cost of $17 million. Target said it could not estimate the breach’s future costs, which could include litigation, fraud claims and investigative fees, but the company acknowledged that it could have a material adverse effect.
Now, a new research paper titled “The impact of adoption of identity theft countermeasures on firm value “ states that companies that are most Security aware and concerned about installing—and announcing—identity theft countermeasures – ITC can not only cut their losses but also get a bounce from investors.
Security Research has determined that identity theft and data breaches (hacking, the use of a virus, or phishing ) have a significant and negative impact on the market value of the firms affected, especially for e-commerce businesses. A 2011 Federal Reserve study estimated that credit card fraud costs companies and consumers in the United States more than US$50 billion a year. This paper is the first to look at the most important issue: How does the adoption of identity theft countermeasures affect a firm’s market value? The short answer: It pays off significantly; investors immediately reward firms despite the high costs of installing such safeguards and the risks of inconveniencing customers.
The authors of this paper analyzed the impact on the stock price and market capitalization of firms that announced they were adopting countermeasures. The measures include dynamic password generators, one-time passwords sent via text message, personal
digital certification, and electronic signatures. Some companies employ two-factor authentication as an extra layer of security. This measure requires proof of both something the user knows (a personal identification number) and something the user has (an ATM card or token).
Combining several databases, the authors tracked 87 announcements of countermeasures by publicly listed U.S. firms from 1995 to 2012. These announcements were delivered in a period without any other conflicting or offsetting news releases from the company, such as earnings reports or dividend declarations.
The authors then compared the market’s immediate response to these announcements against a regression analysis of a 200-day period leading up to the news release. The analysis showed that adoption of anti-identity-theft tools increased firms’ stock prices by 0.63 percent on average over the two days following the announcement. And that’s a significant boost: Considering the average stock price and number of outstanding shares for the firms in the study, the stock boost is equivalent to a $515 million gain in market capitalization per company.
The spike was even higher for very large firms—those with assets greater than $142.9 billion, the average for all companies in the sample. A subset of 15 big firms gained an average of $1.13 billion within the two-day period following the announcement, about 4.4 times the average gain of the smaller firms in the survey. In further analyses, the authors found that firms with high growth potential and credit ratings also had better market returns after announcing an anti-identity-theft program.
Additionally, timing counts. Firms that adopted countermeasures in or before 2005 were defined as early adopters because that’s when many identity theft laws took effect. These first movers had significantly higher returns and market capitalization after making their announcements, the authors found, suggesting that investors rewarded companies that took early and decisive action against identity thieves.
The analysis also showed that the market reward was tied to the type of the response. Adopters of more complex measures, such as two-factor authentication tools, received a 0.69 percent rise in their stock price, on average, whereas companies that announced less complex measures, such as user monitoring systems or text alerts of identity thefts, received little or no boost.
This analysis is important as it delivers a positive news on security spend that is normally viewed by several Boards as a discretionary budget item. CIOs/CISOs now have research data to justify spending on Identity and Access Management projects and can provide data relating to the positive impact on the stock prices to their Management.
Dr. Jagan Vaman PhD CISA CGEIT C|CISO.
References: The impact of adoption of identity theft countermeasures on firm value –Prof. Indranil Bose IIM C, Alvin Chung Man Leung, Elsevier, NYT, S + B