Perspectives: Tallying the true cost of the Equifax breach
Article, Business Insurance – September 2017
Cyber risk has a way of dominating the news — with the Equifax Inc. headlines over the past month being just the latest in this trend. Simon Oddy and Matt Morris look at the true costs of a cyber event in Business Insurance.
As appeared in Business Insurance, September 26, 2017.
By: Simon Oddy and Matt Morris
By now, there should be no doubt as to the value of a smart cyber security program and, in turn, the value of cyber insurance. While reports indicate the amount of insurance coverage obtained by Equifax may not cover all its costs, it will likely enable the Atlanta-based credit bureau to respond and recover some of the direct costs associated with handling the breach investigation.
The effect has been huge: the scale of the Equifax breach is well beyond previous incidents reported for others holding large levels of personally identifiable information. While the investigation of what happened continues, the effect on Equifax’s share price was immediate. Current indications are the breach has cost the company nearly $6 billion of market capitalization.
But what does that $6 billion represent? Can the insurance industry be expected to provide risk management products to protect against valuation losses of such magnitude? How does that compare with the eventual actual losses faced by the company? And how does this figure relate to a Bloomberg report that Equifax has $150 million in cyber insurance?
That’s a $6 billion estimate of the damage the breach has done to Equifax’s market capitalization, with $150 million of insurance. So how does one reconcile this apparent disconnect? But when we read these headlines, should we even be comparing the two numbers?
Let’s look briefly at what each of these numbers represents:
$6 billion loss in stock market value
The share price fall of $6 billion is a sexy, easy, publicly available benchmark reflecting the market view on the severity of the breach. However, it’s not really a direct loss to Equifax but to its shareholders. That fall in share price is an immediate reflection of the market’s perception of the breach’s cumulative, anticipated financial impact. It reflects the market’s view of Equifax’s ability to recover — or not — from the business consequences of the breach. But it is a loss suffered by the shareholders, not Equifax itself, and, even to shareholders, the loss crystallizes only if they choose to sell their holdings. Though it does make for a great headline.
Equifax’s share price will change daily over the coming weeks, and some of that initial loss in shareholder value may be recovered. In the next few weeks, a new post-event share price may be established. With the right response and post-breach efforts, market confidence may return to Equifax, and its share price may begin to move back toward the pre-loss levels. This may reduce, or even eliminate, the loss of shareholder value.
$150 million of cyber insurance cover
The reported $150 million of insurance coverage would likely allow Equifax to respond to the direct loss it will suffer — not the losses of the shareholders. In theory, this should allow Equifax access to capital and resources to mitigate the long-term damage. The hope is that this will, in turn, rebuild market confidence and reduce shareholders’ cumulative losses.
Equifax’s direct loss as covered by the insurance program could relate to actual revenue loss, consultant costs, investigation expenses, legal assistance and various other response and remediation costs. It will also likely provide some liability cover.
It is worth noting that, while the immediate headlines alluding to financial damages relate to loss in market capitalization, in prior losses — Target Corp., Home Depot Inc., J.P. Morgan Chase & Co. and Sony Corp. for example — this was much the same. What followed in each was a rebuilding of market confidence in the companies and recoveries in shareholder value. The direct losses in those cases ended up being a fraction of the initial share price devaluation. That pattern will almost certainly repeat in Equifax’s case as well.
For some context, publicly available information indicates that Equifax’s most recent reported profit after tax was $489 million. A share price decline of $6 billion could suggest Equifax will see diminished profits for a long period. Other large cyber-breach losses suggest that this may not happen. As a result, the loss in shareholder value is likely more a signal of the market’s lower confidence — and higher risk assessment — of Equifax than it is a signal the company will take a large hit to profits in future periods.
An immediate diminution in equity value is not what the insurance industry seeks to address through cyber insurance. Rather, the insurance policy is focused on the direct and consequential, quantifiable losses suffered by the company. These will take some time to evaluate and may well exceed the policy limit. But when these losses do become clear, this information will inform a ‘new normal’ share price for Equifax. The short-run share price changes are merely a sideshow — a sexy sideshow — but a sideshow nonetheless.
Therefore, while a tumbling share price is evidence of the market’s reduced confidence following a major setback, it shouldn’t be confused with the measure of the direct actual damages suffered as a result of a cyber-breach. The cyber insurance programs available to assist in loss mitigation and cover the direct, measurable, actual damages enable business continuity and recovery. They provide access to cash and specialists who are ready to assist in the breach response process. This is intended to allow companies like Equifax to take appropriate steps to rebuild shareholder value.
While share price and shareholder value are intertwined with the insurance protections available to a company like Equifax, they are different. A solid insurance program allows an affected company to respond and mitigate the damage caused by a cyber breach. Consequently, it’s important not to judge the adequacy of a cyber policy until the results of the breach response can be seen in a normalized stock price. Also, how a company responds to a breach is likely as important as the amount of cyber coverage it has in place. Finally, because shareholders are affected through declines in the stock price, it’s important to recognize that a cyber breach can also affect other forms of insurance, particularly directors and officers liability programs.
Simon Oddy is a partner at RGL Forensics in New York. He quantifies large, complex losses in cyber, crisis management, recall, liability and fraud claims cases and can be reached at 646-737-1782 and email@example.com.
Matthew Morris is a partner at RGL Forensics in Dallas. He provides valuations of securities and assets, including brands, to clients for corporate planning purposes and in legal controversies. He can be reached at 972-505-3833 and firstname.lastname@example.org.