The headlines in the paper. The hundreds (or thousands, or hundreds of thousands) of angry and betrayed customers. The long and laborious aftermath.
A data breach is every company’s worst nightmare. No matter how large or small a corporation is, the effects of a data breach can be felt in almost every facet of the business. Not only does it deplete your customers’ trust and damage your reputation, but, according to a recent study from Dr. Henry Huang, program director and associate professor of accounting at Yeshiva University’s Sy Syms School of Business, you’ll be met with financial penalties that can stall your company’s ability to grow in the future.
Keep reading for an analysis and conclusion from Dr. Huang’s findings on the financial cost of data breaches, including his valuable lessons for accountants and auditors.
The Rise and Prominence of Data Breaches
The increasing popularity of Big Data is a double-edged sword: the more information companies gather about us to enhance our experiences, the more that can be taken and exploited by cybercriminals. In the past decade, the number of data breaches in the U.S. has skyrocketed from 662 in 2010 to over a thousand in 2020.[1] The most common cyber attacks used in data breaches (most of which you probably have experienced) are ransomware, malware, phishing, and Denial of Service (DoS).[2]
One of the biggest and most well-known data breaches to date was at Yahoo in 2013. While Yahoo initially stated that about 1 billion accounts had been compromised, the figure later rose to an estimated 3 billion, jeopardizing users’ names, email addresses, birth dates, telephone numbers, and answers to security questions. Other high-profile breaches within the last few years include LinkedIn, Facebook, MyFitnessPal, and Marriott.[3]
But this isn’t just an issue for the IT and security departments; about 70% of data breaches in 2021 were financially motivated, which means accountants and auditors must be put on high alert as well.[4] To repair the damage, financial professionals need to work closely with security teams and leverage their institutional knowledge to support restorative work.
Digging Into the Data (Breach)
As a widely published and deeply experienced accounting professional at Yeshiva University, Dr. Huang has always enjoyed furthering his research inside and outside of the classroom. Recently, he’s been interested in the value relevance of climate risk, data security, and religiosity. While exploring these topics, he saw an intriguing overlap between accounting and cybersecurity risks, specifically in data breaches. Knowing that the real cost of data breaches includes direct (e.g., costs associated with detection, notification, remedial activities, and legal obligations) and indirect costs (e.g., loss of brand image, customer trust, business, and market share), Dr. Huang focused his research on the financial aspects with which he’s familiar.[5]
“We knew that data breaches were important, but wanted to find a way of quantifying their financial consequences,” says Dr. Huang. “We also wanted to learn which variables come into play. For example, we learned there are things companies can do to mitigate damage after a data breach.”
For the study, Dr. Huang partnered with Dr. Chong Wang, an assistant professor of accounting at Hong Kong Polytechnic University. Their paper, “Do Banks Price Firms’ Data Breaches?”, was published by the American Accounting Association in May 2021 and analyzes the financial effects of a reported data breach for companies seeking bank loans.
Their sample used 139 reported data breach events from 2005 to 2014, and 1,081 bank loans of U.S. public firms from 2003 to 2016. To ensure they were seeing the impact of the breach and not other factors, Dr. Huang and Dr. Wang used a difference-in-difference approach that matched each company that had experienced a breach with a similar company that hadn’t experienced a breach. They also parsed through companies’ previous bank loan trends to ensure they were truly comparable.
In their report, Dr. Huang and Dr. Wang found clear evidence that banks were financially punishing firms that had experienced a data breach. Of the 1,081 loans they analyzed, 587 loans were to companies that had experienced a data breach; 494 loans were to companies that had not. The compromised companies also were given higher interest rates, higher loan spreads, and steeper requirements for collateral and covenants.
In addition, the researchers found that the cost of data breaches and their negative effects are more pronounced when the breaches involve criminal activities, affect a large number of people, or occur at firms in certain “vulnerable” industries: health, personal services, business services, computer, electronic equipment, and transportation. Even a good reputation in IT couldn’t offer protection; these companies were viewed less favorably because banks had to significantly adjust their assessment of the company’s security.
Mitigating Risks & An Accountant’s Role in Recovery
While things may be chaotic in the thick of the crisis, the steps a company takes before and after a breach are crucial to long-term success. In addition to beefing up IT security systems on the front end (especially with third-party vendors who specialize in the practice), the study suggests that firms that take more remedial actions following an incident receive less unfavorable loan terms.
“One take-away message is that firms, especially those in vulnerable industries, should invest more in data security in order to avoid costly punishment in capital markets,” Dr. Wang says.
However, as mentioned before, these events aren’t just one department’s problem, especially as it relates to the cost of data breaches. Banks rely heavily on operating and accounting reports, including insider information obtained directly from the financial department, to evaluate a firm’s health and viability and make loan-term decisions.
“There are valuable lessons here for accountants and auditors,” says Dr. Huang. “It highlights the consequence of different types of data breaches in different industries, the importance of safeguarding confidential information, and the value of remedial actions after a breach.”
How to Learn Under Leaders Like Dr. Huang
As the Program Director and an associate professor for Yeshiva University’s on-campus and Online MS in Accounting program, Dr. Huang uses his ongoing research to inform and improve the curriculum, as well as to identify new career opportunities for students. He, along with the rest of the esteemed accounting faculty, uses his real-world experience to prepare graduates for a higher level of learning and application, one that stands out among other online accounting programs.
1. Retrieved on November 30, 2021, from statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/
2. Retrieved on November 30, 2021, from ibm.com/security/data-breach
3. Retrieved on December 2, 2021, from csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
4. Retrieved on December 2, 2021, from verizon.com/business/resources/reports/dbir/2021/results-and-analysis/
5. Retrieved on November 30, 2021, from aaahq.org/Portals/0/newsroom/2021/accr-96-03-261-286.pdf?ver=2021-05-28-165048-900