Wall Street Doesn’t Care About Breaches
Wendy’s says that only 5% of its stores were hacked. But does it matter?
A funny thing happened this week. Wendy’s Co, the fast food chain that was the victim of a hack on its point of sale systems, announced some good news on the cybersecurity front, and got clobbered by investors.
Specifically, the company said in its most recent earnings call that only 50 of its 5,000 or so franchised restaurants in North America were found to have been compromised in an attack on its point of sale network – a small number. As we wrote last week, Wendy's is facing a class action lawsuit on behalf of customers whose credit card data was stolen following the breach. Nevertheless, Wendy’s stock got pummeled in trading after it released its results. Investors, apparently, weren’t breathing easier after learning the good news.
What’s going on? Well, for one thing, I think the jury is in on whether Wall Street cares about data breaches. The verdict: no.
With the frequency of data breaches at large corporations, its easy to get complacent about them, and to assume that hacks are just another kind of unexpected business disruptions – like inclement weather – that companies soon shrug off.
There’s at least anecdotal evidence to support this idea. After all: breached firms like TJX, Target and Home Depot have all managed to recover from post-breach dips in stock price and earnings. Anthem healthcare, which revealed that it was the victim of a massive breach in February, 2015, went on to announce its plans to buy Cigna Healthcare a little more than six months later – one of the biggest deals ever in the healthcare industry.
So to look at it through the steely eyes of an investor: do data breaches and other adverse cyber incidents even matter in regard to the performance of breached firms? The data is inconclusive.
Certainly, the recent experience of UK telecommunications firm TalkTalk suggests that executives who play down the impact of data breaches and hacks on their bottom line do so at their own risk. As I noted on this blog back in February: TalkTalk has been quite candid with the costs of the October, 2015 breach that saw information on 160,000 customers leaked to hackers, resulting in cases of identity theft and online fraud. The company said it lost more than 90,000 subscribers due to the breach. This week brought more reports that TalkTalk saw its most recent quarterly profits halved, largely due to the data breach.
The company’s CEO, Dido Harding, tried to put a positive spin on the sober financial news. "I am actually very encouraged by the way the business has bounced back so strongly in the last quarter,” she told reporters. "The customer base has really stabilized (sp) and this is testimony to the fact that our customers really appreciated our open and honest approach and how we tried to look after them through the cyber attack."
But the truth is that, while some companies stagger under the effects of breaches, others brush them off. Anthem’s stock, for example, has shown little adverse impact from the breach, despite statements by the company in regulatory filings that it has “incurred expenses to investigate and remediate this matter and expect to continue to incur expenses of this nature in the foreseeable future,” that it is “unable to quantify the ultimate magnitude of such expenses at this time,” but that “they may be significant.” Among the possible risks: governmental inquiries, purported class action lawsuits and other claims relating to the cyber attack. Also: Anthem noted that it believes its insurance “may not be sufficient to cover all claims and liabilities” related to the breach.
One problem is that market minders rarely hold companies to account. There is no federal data breach legislation, just a patchwork of state laws that vary widely. True: publicly traded companies are required by the Securities and Exchange Commission (SEC) to disclose “material” cyber incidents. What counts as “material”? That’s left to companies to decide. And history would show that few breach disclosures come by way of SEC filings.
Instead, the breaches we do know about often come to light not via company disclosure, but through the media. Brian Krebs of the blog Krebsonsecurity.com has made a career of calling out major breaches, from Target and Home Depot to Wendy’s. An exclusive on Krebsonsecurity has become something of a badge of shame for breached firms, who often learn of the breach from Krebs.
From the perspective of the c-suite: the audience that truly matters – Wall Street – has shown itself to be supremely disinterested in data security and “cyber.” Look no further than the transcript of Anthem’s recent first quarter earnings call with Wall Street bankers, which clocks in at 20 pages, and includes not a single question about nor mention of the breach, its costs, the status of Anthem’s internal investigation into the incident or of the company’s efforts to improve information security.
If we want better security, then companies will have to learn to take the risk of hacks more seriously. And that will mean holding companies that experience breaches to account – not just for one, or two or five news cycles, but for years. Beyond that, companies will have to get the message that the audience who really matters – investors, bankers, credit rating agencies, insurers – are paying attention and won’t look kindly on bad news. We’re not there yet. Not even close.