The cost of data breaches is going up and they’re becoming more frequent.
The average cost of a breach in the U.S. has hit $7.4 million, a 12% increase since 2016. That puts the cost of each record lost at $225. And the U.S. is the target du jour: internationally, costs remain at $3.6 million and have decreased by 10% so far this year. That’s according to a global analysis by the Ponemon Institute, an independent research firm that examines privacy, data protection and information security.
A panel of experts at the 2017 Faegre Baker Daniels M&A Conference discussed those staggering costs, some safety measures and how a breach could affect an M&A transaction. Moderator and Faegre partner Paul Luehr, the leader of the firm’s global privacy and cyber security practice, said being secure isn’t just for the IT guys in the basement anymore.
"It’s now the duty of all of us to deal with cyber security—all the way up to the highest levels, to the board of directors," said Luehr.
He said the first thing for companies playing catch-up is to create a risk committee with stakeholders from legal, marketing or PR, outside counsel and top executives. The CTO, or whoever fills that role, should obviously be there. And at the many companies that seem to have one person who actually knows what’s going on in the server room, he or she needs to be there, too.
"This notion of risk assessment cannot be overstated, basically look at your hotspots, am I worried about my IP, do I have sensitive data, things like that," said Luehr. "Put that in your equation and say, ‘How are we going to protect that and do we have a plan to protect that?’"
The plan is really just identifying those risks, plugging the holes and backing everything up. If the company allows data access on mobile devices, make sure there is a plan for lost or stolen devices and that they are encrypted. If a restaurant POS system can be accessed from the cloud, make sure nobody is using "1234" as a password, and make sure there is a log of access attempts that someone is actually watching.
And once those risks are identified and a plan is created, remember that the best-laid plans often go awry: the mitigation plan, what to do when a breach happens anyway, comes next.
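The two concrete checks mentioned above for a remotely reachable POS system, rejecting trivial passwords and actually watching the access log, are small enough to automate. The following is an added example written for this page, not code from the article, the panelists or any POS vendor. The log line format, the sample log entries, the weak-password list and the alert threshold (five failures from one source against one account within ten minutes) are all assumptions made for the example.

```python
"""
Constructed example: a weak-password gate for POS remote-management accounts
and a failed-login burst detector run over a few constructed log lines.
Not code from the article or any vendor; format and thresholds are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed blocklist of credentials that should never be accepted on a
# remote-management account. A real deployment would use a much larger list.
WEAK_PASSWORDS = {"1234", "12345", "123456", "0000", "1111",
                  "password", "admin", "pos", "welcome"}


def is_weak_password(pw: str, min_len: int = 12) -> bool:
    """Reject blocklisted, short, all-digit (PIN-style) or single-character passwords."""
    p = pw.strip()
    if p.lower() in WEAK_PASSWORDS or len(p) < min_len:
        return True
    if p.isdigit():            # a PIN is not a password on an internet-facing login
        return True
    if len(set(p)) == 1:       # e.g. "aaaaaaaaaaaa"
        return True
    return False


# Assumed (constructed) log format: "<ISO timestamp> <status> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

# Constructed sample log: a burst of failures then a success from one address,
# and normal activity from a manager who mistyped once.
SAMPLE_LOG = """\
2017-10-02T01:12:03 LOGIN_FAIL user=admin src=203.0.113.7
2017-10-02T01:12:05 LOGIN_FAIL user=admin src=203.0.113.7
2017-10-02T01:12:08 LOGIN_FAIL user=admin src=203.0.113.7
2017-10-02T01:12:10 LOGIN_FAIL user=admin src=203.0.113.7
2017-10-02T01:12:12 LOGIN_FAIL user=admin src=203.0.113.7
2017-10-02T01:12:15 LOGIN_OK user=admin src=203.0.113.7
2017-10-02T09:00:00 LOGIN_OK user=manager src=192.0.2.10
2017-10-02T09:30:00 LOGIN_FAIL user=manager src=192.0.2.10
2017-10-02T09:30:20 LOGIN_OK user=manager src=192.0.2.10
"""


def parse_log(text: str):
    """Return a list of (timestamp, status, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, status, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), status, user, src))
    return events


def find_bruteforce(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """
    Alert once per (src, user) pair that accumulates `threshold` failures inside
    `window`. A later LOGIN_OK for a flagged pair marks the alert as a likely
    successful guess, which is the case that needs a human right away.
    """
    recent = defaultdict(list)   # (src, user) -> failure timestamps inside the window
    alerts = {}                  # (src, user) -> alert dict
    for ts, status, user, src in sorted(events):
        key = (src, user)
        if status == "LOGIN_FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window
                q.pop(0)
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"src": src, "user": user,
                               "failures": len(q), "success_after": False}
        elif key in alerts:
            alerts[key]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for pw in ("1234", "Corr3ct-Horse-Battery!"):
        print(f"{pw!r}: {'WEAK' if is_weak_password(pw) else 'ok'}")
    for a in find_bruteforce(parse_log(SAMPLE_LOG)):
        print("ALERT", a)
```

The detector deliberately keys on source address and account together, so a single mistyped password from a legitimate manager never trips it, while a burst against one account from one address does; the `success_after` flag is what separates "someone is knocking" from "someone got in".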
"You can’t do this alone. It’s a lot easier to hire them ahead of time than when your hair is on fire, and it’s going to be much easier to negotiate a contract," said Luehr.
Mitigation means having a hotlist of who to call. A forensic security firm should be on there, outside counsel, crisis communications and the insurance provider. Luehr advises having the FBI and law enforcement on that list as well.
"I’d add that you need to practice the plan and make sure you have them on board," said Mitchell Granberg, chief privacy officer and deputy general counsel at Optum.
In the recent Sonic and Wendy’s breaches, experts believe hackers got into the POS systems remotely, reported cyber security writer Brian Krebs at KrebsOnSecurity.com. The hackers then uploaded malicious software that reached across the web of locations nationwide to collect card data as it came through the system, and sold the card numbers on the black market. Both companies were reportedly notified by their credit card processors that something fishy was happening.
But it’s not just loss of customer data; there are IP concerns and all sorts of competitive data that companies don’t want leaking all over the internet. Then there’s the operational impact of a new breed of attacks.
"We’re seeing operational impacts because of malware that can take data or shut you down completely," said Granberg. "They’re simply locking up computers, so ask yourself what it’s worth to be shut down for two days while we get back up off our backup or recovery system."
The laws around notification vary wildly from state to state, and that’s something to be cognizant of as restaurants expand into new markets. In Idaho, for instance, a company has 24 hours from discovery to notify the attorney general. In California, companies are required to keep a very visible notification online for 30 days. International companies have a whole slew of other laws to watch for. Those intricacies need to be part of the plan, because the moment of discovery starts the clock and big fines are at stake.
The market didn’t exactly crush Sonic after its latest breach, and Wendy’s rebounded fine after its incident; security breaches are generally well understood by investors at this point. Still, a recent report from cyber security firm Centrify found an average 5% stock dip and an immediate 7% loss of customers, many of whom never return.
"Some two thirds of those costs are incidental costs and that is the customer walking away," said Luehr.
While the traffic loss in this restaurant climate is distressing, a 5% dip on the bulls’ march to a 30,000 Dow isn’t that bad. But for all those companies salivating at today’s market multiples, it could mean a slashed transaction price if something nasty is found during due diligence.
"Most people will be familiar with the Verizon acquisition of Yahoo," said Melanie Wadsworth, a partner in the Faegre Baker Daniels M&A practice. "They were able to shave $300 million off the price."
As multiples keep rising, acquirers are pulling every lever to get a better deal. William Shortt, a director in the due diligence and strategic research practice in Stroz Friedberg’s Los Angeles office, said he’ll hire his own hackers.
"I go to the hackers, and I say, ‘If I were to hack this company, what are the low hanging fruit?’" said Shortt. "Almost everyone has dropped the ball, but how far they’ve dropped it differs."
He compiles a report on the vulnerabilities and brings it along to negotiations.
"It is really a frontier market, the M&A due diligence," said Shortt, and one that is sure to catch sellers like deer in the headlights.
For any companies thinking, "Oh, we’re too small to be a target," think again. The bulk of breaches were what research firm NetDiligence dubbed "Nano" incidents in a 2017 Cyber Claims Study. In that study, 28% of claims were at companies with revenues of below $50 million.
That makes small-cap buyers even more cautious, and there are more and more pre-closing covenants around breaches. That’s because on average it takes 191 days to discover a breach and 60 days to investigate it, so neither party may know for many months that they picked up a bad asset, and buyers don’t want to pay for it twice.
"Those working with smaller companies, you’re going to pay for a breach twice, once when it hits, but also a discount on the sale price because they think your tech is not worth the sale price given such an issue," said Luehr.