Cyberattacks, data leaks or perceived misuse of data expose companies to countless operational and remediation costs, financial penalties, regulatory action, and reputational damage. In this blog post, we share some of the challenges and risks companies will likely face should they fail to effectively manage and adequately fund cybersecurity and data privacy measures within their organizations.
Data Privacy and Security Regulatory Compliance
Some of the data privacy and cybersecurity regulations organizations should be aware of include:
- General Data Protection Regulation (GDPR): This regulation applies to any organization collecting or processing the personal data of individuals inside the European Union. Firms found in violation of GDPR rules can be fined up to EUR20 million (US$19.95 million) or 4% of their worldwide annual revenue from the preceding year, whichever amount is higher.3
- California Privacy Rights Act (CPRA): Coming into force on January 1, 2023, CPRA is an amendment and expansion of the California Consumer Privacy Act, which was closely modeled on Europe’s GDPR. Violations under CPRA may result in an administrative fine of up to US$2,500 for each violation, or up to US$7,500 for each intentional violation and each violation involving the personal information of minor consumers.4 Additionally, the CPRA allows consumers to sue violating companies for certain types of breaches.
- Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): Signed into law in March 2022, this Act requires companies in critical infrastructure sectors to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency.
- Amendments proposed by the U.S. Securities and Exchange Commission will require publicly listed companies to report on, among other things, material cybersecurity incidents and to provide updates on previous incidents.
Cyber Incidents Can Lead to Operational Disruptions
Loss of Company Value Due to Cyber Incidents
In addition to the immediate losses companies can suffer due to the disruptions caused by cyber incidents, companies that experience a cyberattack can also suffer a reduction in their overall value. Cyber incidents can result in the loss of customer relationships or potential future contract revenues, and the devaluation of intangible assets such as corporate trade name and intellectual property. A soon-to-be-published study from Morningstar Sustainalytics shows that not only do companies’ stock prices fall immediately following a cyber breach, but one year later these companies continue to underperform compared to the benchmark. This underperformance may persist for years, as was the case for Equifax, which continued to underperform the market nearly two years after its data breach in 2017.
Rising Cyber Insurance Rates
Loss of Consumer Confidence Due to Data Privacy and Cybersecurity Failures
Data privacy or security incidents can damage a company’s reputation, and repeated incidents will erode the value of the company’s brand. Lost sales and the cost incurred to rehabilitate the brand, such as working with forensic and crisis management firms, can negatively impact bottom lines. Even without a breach, the perception that a company has poor data privacy practices could be damaging. Consumers surveyed said they won’t do business with a company if they have concerns about its data security practices, with 70% saying they will stop doing business with a company if it gives away data without permission.7
Data Privacy and Security Issues Should Not Be Ignored
Organizations need to consider the consequences of poor data privacy and cybersecurity management on their operations. Given the increasing frequency and impact of cyber incidents globally, data privacy and security should be taken seriously, no matter the industry. Data privacy and security issues have become significant drivers of business risk, having a detrimental impact on a company’s value, operations, and finances. As such, these risks are a growing concern among investors and CEOs alike. Taking even the most basic steps to manage these increasingly important issues, like assessing and addressing organizational weaknesses, focusing on awareness and training among employees, and ensuring the company has effective policies and board oversight, can help mitigate risks and minimize the negative impacts of cyber incidents.
1 Sarnek, A., Dolan, C. 2022. “Cybersecurity is an environmental, social and governance issue. Here's why.” World Economic Forum. March 1, 2022. https://www.weforum.org/agenda/2022/03/three-reasons-why-cybersecurity-is-a-critical-component-of-esg/.
2 Panetta, K. 2021. “The Top 8 Cybersecurity Predictions for 2021-2022.” Gartner. October 20, 2021. https://www.gartner.com/en/articles/the-top-8-cybersecurity-predictions-for-2021-2022.
3 European Commission. 2022. “Data Protection Under GDPR.” https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/.
4 California Legislative Information. 2018. “California Consumer Privacy Act of 2018.” https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.
5 Malekos Smith, Z., Lostri, E. 2020. “The Hidden Cost of Cybercrime.” McAfee. December 9, 2020. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf.
6 Ralph, O. 2022. “Companies Face Soaring Prices for Cyber Insurance.” Financial Times. February 13, 2022. https://www.ft.com/content/60ddc050-a846-461a-aa10-5aaabf6b35a5.
7 Anant, V., Donchak, L., Kaplan, J., and Soller, H. 2020. “The consumer-data opportunity and the privacy imperative.” McKinsey & Company. April 2020. https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/Risk/Our%20Insights/The%20consumer%20data%20opportunity%20and%20the%20privacy%20imperative/The-consumer-data-opportunity-and-the-privacy-imperative.pdf.