Breaches Cost Target, Home Depot Less Than 1% Of Annual Revenues

Benjamin Dean

NEW YORK—A new report indicates that high-profile breaches at Sony, Target and Home Depot amount to less than 1% of each company’s annual revenues, and that following insurance reimbursements and tax deductions the losses have even smaller effects on the companies’ bottom lines.

Benjamin Dean, fellow for Internet governance and cyber-security at the School of International and Public Affairs at Columbia University, shared that analysis in a report in The Conversation.
Analyzing the 2014 financial statements of these major retailers, Dean said the findings indicate that the financial incentives for companies to invest in greater information security are low, suggesting government intervention might be needed.

“To date, though, few of the policy proposals aimed at improving information security are directed towards the root cause of this problem,” noted Dean. “Rather than creating incentives for companies to invest in better information security, the Australian, U.K. and U.S. government proposals are for more information sharing than securing. In all cases, this sharing is to be done with intelligence agencies. Why is this and what does it tell us about what the real cyber-threat to our information is?”

Dean’s examination of Target’s financials indicated that its gross expenses from the 2013 data breach were $252 million. “When we subtract insurance reimbursement, the losses fall to $162 million. If we subtract tax deductions (yes, breach-related expenses are deductible), the net losses tally $105 million. This is the equivalent of 0.1% of 2014 sales.”

Dean’s analysis shows that Home Depot’s net expenses for its 2014 data breach were $28 million following an insurance reimbursement of $15 million. “This represents less than 0.01% of Home Depot’s sales for 2014.”

While the Sony breach from last year drew initial loss estimates of more than $100 million, “In the end, the breach did not actually cost Sony very much at all,” Dean said.

He explained that the company’s Q3 2014 financial statements reported that the breach resulted in $15 million in investigation and remediation costs and that Sony does not expect to suffer any long-term consequences. A senior general manager at Sony later said the figure would be closer to $35 million for the fiscal year ending March 31, Dean added.

“To give some scale to these losses, they represent from 0.9% to 2% of Sony’s total projected sales for 2014 and a fraction of the initial estimates,” said Dean.

CUNA has set CU costs for the Home Depot breach alone at $60 million. NAFCU, CUNA, NCUA and credit unions have stated that retailers—the root cause of many of the breaches—need to be held to the same cybersecurity standards as the financial services industry.

Dean concluded that the numbers in his analysis suggest that “we have a market failure relating to asymmetric information, which results in the problem of ‘moral hazard’ for private companies in the area of information security. Moral hazard occurs when one person or organization takes greater risks because others bear the burden or costs of those risks.”

Copyright Holder: CUToday.info
Copyright Year: 2026