By: Rebecca L. Rakoski, Esquire
Patrick D. Isbill, Esquire
Profit margins and projected revenue are some of the foremost indicators of a corporation’s long-term sustainability. But fault lines can form down the middle of a company’s financial outlook when certain business issues are not adequately addressed: issues ranging from regulatory compliance to costly enforcement, customer retention, increasing competition, and maybe the most consequential in this fast-moving global digital information economy – cybersecurity/data privacy breaches. Proactively strengthening a company’s cyber readiness against a breach of its most fundamental asset, i.e., data, can significantly mitigate some of these hits to profitability formulas and revenue projections to ensure continued and sustained long-term growth.
Perhaps few industries feel these pressures quite like the banking industry, which relies on relentless innovation to address rising consumer expectations and the ability to rapidly adapt to changing global outlooks. It is no surprise then that corporate CEOs across the board are putting a cybersecurity breach and all its fallout at, or near, the top of their list of worries. Particularly in the financial sector, nowhere is that profitability model more tested and affected in the aftermath of a cyber breach than in a publicly traded stock price. Or is it?
Short v. Long-Term Profitability
To be clear, a cyber incident does have overall far-reaching consequences both legal and financial that seemingly spiderweb for the corporation breached, its clients and consumers, and potentially third-party vendors. Nonetheless, the effect on profitability models depends on whether its central economic viability plan is subject primarily to short-term stock price forecasts or shores up long-term profitability and revenue effects. Actively addressing worries like lost business, reputational damage, investor commitment, and regulatory scrutiny/enforcement can mitigate the total net revenue impact during market fluctuations. As a predictive metric of corporate vulnerability following a cybersecurity breach, negative long-term profitability effects are not as easily quantified as short-term stock market prices. Nevertheless, these effects are arguably the single most important indicators when it comes to strategically determining financial longevity in overcoming a cyber breach.
The Right Team
Forming a measured cybersecurity defense team strategy that accounts for digital threats and proactively sets a practiced plan in motion to address a cyber breach is important. After all, the best defense is a good offense. Such a digitized corporate team for the modern era must include several key components, like responsive legal counsel at the table with the C-suite that is able to surgically navigate the requirements and nuances of the regulatory compliance maze; tech analysts who can rapidly deal with a cybersecurity breach using a high degree of efficiency; and a predictive analytic framework for vetting personnel and/or third-party vendors to protect against cyber threats from an inadequately secured external source.
So two important questions emerge. What can corporations do to protect against the less quantifiable metric of negative long-term profitability effects stemming from a costly cybersecurity breach? And, more importantly, how do these corporations avoid getting lulled into a false sense of security from the short-term fluctuations, and sometimes relatively fast recovery, of their publicly traded stock price following such a highly consequential cyber breach?
2019 Capital One Breach
Capital One Financial Corporation (“COF”) is one example of a banking institution that saw both short-term stock price fluctuations and potential long-term financial effects. On July 29, 2019, COF announced it determined there had been unauthorized access to certain types of personal information relating to individuals who had applied for Capital One credit card products and its credit card customers. On that same day, COF closed at $96.92 per share. The next day COF traded down and closed at $91.21 per share – a decline of nearly 6%. Over the next month, COF would bottom out on August 27th at $83.11 per share, a 14% loss over that same time span, before steadily rebounding to $104.37 per share on December 13th. This represents just over a 7% increase in share price from when COF announced it had been breached over four months earlier.
COF also announced in its press release post-breach that it expected the incident to produce incremental costs that same year of approximately $100-$150 million. Those expected costs would be propelled mostly by customer notifications, credit monitoring, technology costs, and legal support. Notwithstanding, the NY Attorney General stated at the same time that her office would investigate the breach and whether COF fell short of establishing safeguards to protect millions of people’s data.
On August 6, 2020, the U.S. Treasury Department fined COF $80 million for network security practices that facilitated a data breach causing unauthorized access to the personal information of approximately 106 million of the bank’s credit cardholders. The Office of the Comptroller of the Currency (“OCC”) stated in a consent order that COF had failed to establish effective risk assessment processes prior to moving significant information technology operations to the public cloud environment and to correct in a timely manner those deficiencies. The OCC stressed that it had positively considered COF’s customer notification and remediation efforts. As for the effect of this news on the company’s stock price, COF closed at $63.55 per share on August 6th and a week later closed at $67.64 per share, or a roughly 6% increase in stock price.
2014 JPMorgan Chase Breach
In early October 2014, JPMorgan Chase & Co. (“JPM”) announced in an SEC filing that its security system had been compromised by hackers, affecting 76 million households and 7 million small businesses. Following this news, JPM’s stock price remained relatively stable before rising the following month. JPM’s stock price closed on October 2, 2014 at $58.84 per share before trading down to $55.08 per share just two weeks following the announcement, or roughly a 6% decrease in value, before rebounding to $61.93 per share less than six weeks later, a roughly 5% gain in stock price following its announcement. At the time, JPM reportedly spent $250 million on cybersecurity, but that figure jumped roughly five years later, with JPM reportedly spending approximately two and a half times that amount.
So what gives when it comes to rebounding stock prices even after a highly publicized and far-reaching cyber breach? Is Wall Street really becoming accustomed to more frequent data breaches or turning a blind eye? An article published in the Harvard Business Review (“HBR”) as far back as 2015 addressed the not so obvious conclusion that the impact of data breaches on a company’s publicly traded share price should seemingly diminish over time. It suggested shareholders likely did not have either sufficient information about security incidents or mechanisms adequate enough to determine their full effect on the share price.
A possible explanation may be that shareholders react to breach news in a vacuum and when it impinges on business operations straightaway. The HBR noted that long to mid-term effects on things like lost intellectual property, disclosure of sensitive data, and loss of customer confidence could lead to a loss of market share but that such impacts are hard to quantify. Even so, the HBR acknowledged then what may be true now: evolving investor knowledge and savviness about the fallout from cyber breaches, especially in the digital information age and with the increased presence of social media, are rapidly catching up. And so are regulatory compliance laws and weighty enforcement fines largely seen in Europe. States like California, Nevada, and now Virginia all have passed state data privacy laws. Swells of other states have privacy on the brain, with talk growing louder too for a federal privacy law.
Such a conclusion then leads back to the beginning. A corporation built without adequate cyber readiness or an advanced business awareness over how to get there is built on an unstable fault line. The slightest shift, like lower revenue projections, a decrease in shareholder dividends, and/or restrictive regulatory enforcement, can potentially begin a slow march toward increasing instability and stagnant growth. There is, after all, no better indicator in business of a corporation’s viability than long-term indicators related to its profitability, e.g., net profit margins, control over operating costs, retention of top-level executives, cash flow, and return on investments to name a few. Poor cyber readiness and even a moderately publicized breach can leave a corporation reeling for years, having to budget for everything from increased insurance costs and legal fees to lost business, reputational damage, loss of investor commitment, and grappling with regulators.
So the bottom line on the stability of the corporate metric concerning predictive profitability is how well the corporation’s decision-makers address any and all fault lines. In fact, the Wall Street Journal reported last year that cybersecurity is an issue that experts say is “now front-and-center” and causing loss of sleep in terms of liability for the highest executives in the corporate chain. A strong corporate privacy and security program is a good example (proper employee training is another) of a first step that can potentially save millions in litigation and, for some, significantly mitigate stock value loss. Being proactive is key though. Strengthening corporate cyber readiness now will preserve profit margins and potentially avoid crippling regulatory compliance/enforcement later.
A corporation’s outwardly fast rally and rebounding stock price do not foretell, for either investors or industry observers, what pitfalls may lie ahead. While stock market data may initially suggest the impact on a publicly traded corporation’s share price may seemingly lessen as news of the breach fades, there are still key shifting factors, not easily quantified or packaged in a convenient metric, that need to be addressed in the short-term in order to avoid serious long-term consequences. These factors cannot be taken for granted. Each corporation’s infrastructural blueprint is unique and so are its stress points. Long-term effects may be difficult to quantify in the margins, but addressing those margins with creative, predictive strategies using a responsive and strategically-minded cyber legal team working with the C-suite will allow corporations to safeguard their own innovative objectives. This will go a long way to securing their survivability, as well as profitability, from the inevitable cyber event going forward.
Reprinted with permission from the June 24, 2021, issue of the New Jersey Law Journal. Further duplication without permission is prohibited. All rights reserved. © 2021 ALM Media Properties, LLC.
This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.