A recent academic study by Daniele Bianchi and Onur Kemal Tosun analysed the market reaction to 41 deliberate (ie criminal) security breaches that occurred in large US firms between 2004 and 2016. The authors found that firms suffering such a breach lost between 1 and 1.5% of their value over a period of 2-3 days around the first public announcement of the breach. Given that the firms involved were amongst some of the largest corporations in the US, this equates to losses of billions of dollars to shareholders for each incident. Interestingly, the study also found that security breaches had long-term effects on the companies affected; specifically they observed:
- Reduced spending on Research and Development activity; and
- Reduced dividends to shareholders
over a five-year period after the breach. Finally, and perhaps surprisingly, the authors also found that:
- The pay of CEOs in affected firms increased after a breach relative to unaffected firms; and
- Security breaches had no effect on the rate of CEO turnover.
This would seem to contradict recent high-profile examples, such as TalkTalk and Equifax, where the CEOs left shortly after the breaches became public.
Follow the link to our Downloads section to see more data on “The Cost of Disruptions”.
As usual at this time of year, we like to take a look at the figures for product recalls in the UK over the last 12 months. Last year we reported a quiet year, but this year there seem to be two very different stories in the food and electrical goods sectors, as shown in the graph below.
According to the Electrical Safety First website, the number of electrical product recalls fell again to only 22 (back to the same level as 2009). As we said last year though, we wouldn’t read too much into these fluctuations from year to year. However, the number of food recalls bounced back up to 79 (according to the FSA website), the highest total in the last ten years. As ever, we caution against drawing bold conclusions from limited data but, beyond the sharp fluctuations from year to year, there does appear to be a steady upward trend over the last ten years.
Whatever the (possible) trends, once again we would highlight these figures as a reminder for all organisations to review their BCM arrangements and, in particular, crisis communications plans, management of their supply chains and product recall plans.
It’s that time of year again: bonfire night and the BCI Supply Chain Resilience Report! The survey has now been going for ten years, and the 2018 report very much confirms the patterns seen in previous years:
- 56% of respondent organisations experienced one or more supply chain disruptions in the last 12 months (down slightly from 65% in 2017);
- Financial losses were broadly similar to last year, although far fewer very high impact events (losses greater than €100m) were reported than in 2017;
- 47% of respondents had no insurance cover for these losses (compared to 51% in 2017).
It is also interesting to look at where in the supply chain the disruption occurred. The 2018 figures were broadly similar to previous years with:
- 52% of disruptions occurring amongst tier 1 suppliers;
- 23% occurring amongst tier 2 suppliers; and
- 11% occurring at tier 3 and beyond.
These figures really speak to the difficulty of managing supply chain risk effectively in modern business: getting visibility of the riskiness of even tier 2 suppliers is a significant challenge, let alone tier 3 and beyond. The implementation of just-in-time methods has certainly enabled firms to reduce inventory; but some interesting academic research finds that much of the capital freed up has not been reinvested in new opportunities, but is actually held in cash primarily to mitigate the risk of supply chain disruptions!
On a more practical level, we are happy to advise on ways that you can assess and manage your supply chain risk.
Regular readers may remember that back in November 2016 we blogged about a cyber attack on Tesco Bank in which money was taken from 20 000 customers and all on-line banking was suspended. At the time, Tesco Bank were seen to have managed some aspects of the incident very well: the fraud was detected promptly and an automated text system was used to alert customers. However, inbound communications were not handled so well, with complaints of long delays at call centres and inadequate responses when customers finally got through.
Yesterday the Financial Conduct Authority (FCA) announced that Tesco Bank was being fined £16.4m, stating that “the attack had been largely avoidable and that Tesco had not responded to it with sufficient rigour, skill nor urgency.” Specifically, the FCA highlights that Tesco Bank had been warned about the vulnerability but did not take action until the attack occurred. The size of the fine is much greater than the £500 000 maximum that could be imposed by the Information Commissioner’s Office (ICO) under the Data Protection Act 1998, which applied at the time. Under GDPR, however, the ICO can fine up to €20m or 4% of global annual turnover (whichever is higher), so we can expect to see the ICO also issuing fines of this magnitude.
You can find out more about how to protect your data in the information security section of our website.
The International Organization for Standardization (ISO) has recently released its latest annual survey, covering the period up to 31st December 2017. Whilst there has been continued rapid growth in a number of standards, the increase in certifications to the business continuity management standard, ISO 22301, has been a relatively modest 11%. This brings the total number of organisations certified globally to 4281.
The picture is slightly better in the UK with a rise of 22% to 700 certifications by the end of last year. This puts the UK in second place behind India with 1678 organisations certified.
We have assisted a number of organisations to achieve certification to ISO 22301; this case study provides an illustrative example.
Millions of users of on-line banking services have been hit this week by disruptions at three different banks. Cashplus was the first bank to experience difficulties. The impact on its customers was particularly severe because it is an on-line only bank, so people were unable to access their accounts, make cash withdrawals, or make or receive payments. Then, over the last two days, there have been disruptions to on-line banking at two traditional banks, Barclays and RBS.
All the problems appear to have been resolved now but clearly this is a growing problem as more and more people rely on on-line banking. Moreover, it seems to be only part of a wider issue with IT resilience in the financial services sector. Already this year we have seen two separate disruptions to HSBC on-line banking in January; massive IT problems at TSB from April onwards; disruption to the Lloyds Bank website in May and disruption to the UK Faster Payments System in July.
Building on her previous studies over the last twenty years, Deborah Pretty of Pentland Analytics has recently published new research looking at “Reputational Risk in the Cyber Age”. The study analyses a sample of 125 reputational risk events over the last ten years including:
- The Samsung Galaxy Note7 recall;
- The Volkswagen emissions scandal; and
- Cyber-attacks on TalkTalk and Home Depot.
The overall findings are consistent with Pretty’s previous studies:
- The share prices of all firms fall immediately after an event becomes public;
- Within days, investors make a judgement about how well the company is responding and this determines the trajectory of share price thereafter; and
- After a year, there are two distinct groups – “winners” and “losers”.
In addition the 2018 study finds that:
- The gap between “winner” and “loser” firms has increased with the average winner experiencing a 20% increase in share price whilst the average loser’s share price falls by nearly 30% in the year after the event; and
- Contrary to some claims that cyber-attacks have no long-term effect on share price, analysis of the 23 cyber-attacks in this sample shows almost exactly the same pattern of winners and losers as the sample as a whole.
Once again, Pretty highlights the importance of prior planning; responding promptly and transparently; and communicating effectively across all regions as keys to success.
The Information Commissioner’s Office (ICO) published its report for the year 2017/18 last month, containing a useful update on the prevalence of information security issues.
Firstly, the ICO reported that the number of data protection concerns raised had risen to 21019 (up 15% from last year). In a similar pattern to last year, 32% of the investigations conducted into these concerns resulted in no action being taken and 35% were resolved purely through issuing advice on good practice to the organisation concerned. The concerns appear to have been broadly distributed across all industry sectors.
Secondly, the ICO announced that self-reported data breaches by organisations had also risen to 3165 (up 29% from last year). Of course it is not clear how much of this increase may be driven by better awareness of the need to report data breaches stemming from the publicity surrounding GDPR. As before, the top sectors for self-reported breaches are:
- Healthcare – 37%
- Education – 11%
- Local Government – 9%
Once again though, it is impossible to say whether this is due to a greater frequency of breaches in these sectors or to better awareness of the need to report.
Finally the ICO stated that they had issued fines totalling nearly £1.3m for breaches of the Data Protection Act, including the £400 000 fine issued to Carphone Warehouse in January.
Follow the link for more information on how to improve your information security.
The Business Continuity Institute (BCI) recently published its 2018 Cyber Resilience Report. In many ways this year’s report confirms the findings of the previous reports in 2016 and 2017:
- 66% of organisations experienced at least one “cyber security incident” in the last 12 months (64% in 2017);
- 11% of organisations experienced more than 20 incidents in the last 12 months (10% in 2017); and
- The impact of the majority of incidents was estimated at less than €50 000, but a very small number cost over €1m.
The figures on the response time to an incident were also consistent with previous years, with 38% estimating that they responded within an hour of detection and 79% within 3 hours. Taken at face value this seems quite encouraging; however, for the first time, the 2018 survey also asked about the time taken to detect an incident. Only 28% of respondents estimated that they detected incidents within an hour and 34% estimated that it took over 4 hours. Clearly one cannot respond to an incident until it has been detected, so reducing detection times would appear to be the key challenge going forward.
The inability of BP stations to handle card payments for a period on Sunday evening has been widely reported. There have been no reports of further problems since then so it appears that the glitch has been successfully resolved. Meanwhile, the fault in the UK’s Faster Payments system, which occurred a few hours earlier, has been much less widely talked about; but, as of this morning, work is still underway to clear the backlog of payments. Then, this morning, numerous accounts appeared on social media of problems with the TSB banking app.
Taken in isolation, each of these incidents is relatively minor. However, taken together with the massive disruption to Visa payments in May/June and the IT meltdown at TSB in April; it points to a systemic problem with this vital part of our national infrastructure.