Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

How might reputational damage be measured in Europe and elsewhere?

Rob Newby, writing on PCI Compliance Demystified, says “PCI in Europe is a case in point for the weight of reputational damage in driving security, but I think it also proves that it IS loss of reputation that drives people to comply.”

Reputational damage is especially slippery to calculate. The closest I have come is through an analysis of market consensus via stock prices. But, that’s in the US.

Would a measurement of the value of a security (stock) tend to yield the same perspective in Europe as in the US? I leave it open for those with more knowledge to answer/comment how reputational damage may be quantified in Europe, Asia and elsewhere.

3 Comments

  1. Rob Newby Mar 20, 2007 at 7:37 am

    Hi Kenneth,

    That’s a very good paper with some interesting conclusions. There are a couple of issues I’m interested in further.

    Firstly, stock markets are not necessarily an indication of profit and loss, merely market confidence. In which case it would be natural to expect a dip after an event and then a slow climb back to stable market levels – in a well established company, like most of the ones you have analysed. The profits of the company may be down, and still it can have a healthy market price if it is expected to rise in value – acquisitions are a prime example of this.

    A disclosed event is usually a good excuse for the institution involved to make amends and shout about the steps taken, ref: ChoicePoint. And hence the stock can recover quickly. But whilst one individual event does not cause long term damage, a second or a third could be ruinous. This aids the march of security in the way that fines alone cannot. A hit to the bottom line through fines is often accounted for in advance, a security sale is sadly still not.

    On the other hand I don’t want to say that you are incorrect. Fines are easy to calculate, and build into a business plan. The very fact that reputational damage is so hard to calculate the consequences of is exactly why the CEOs and CFOs are so scared of it. Security should capitalise on this.

    Rob.

    DISCLAIMER: In Europe that is. It may be different in the States. :)

  2. Kenneth F. Belva Mar 20, 2007 at 7:44 am

    Hi Rob,

    The challenge I have is that if we cannot find causation and a measurable effect that demonstrates significant financial loss (short or long term), why would any CEO or CFO be worried?

    People will either forget the incident or the reputation damage will be fixed ad-hoc on a case by case basis.

    Granted that due diligence and corporate compliance must still be performed, as mentioned in my paper, but it seems to me that the scare factor that people try to invoke with the reputational damage arguments is greatly diminished.

  3. Rob Newby Mar 20, 2007 at 12:34 pm

    Hi Kenneth,

    Personally I don’t know of anyone who’s been hit more than once, so I can’t really test out the hypothesis of fixing on a case by case basis. The problem with NOT having a disclosure law over here (Europe) is that these things are no longer newsworthy after the first breach, so they aren’t reported as widely. Each subsequent breach would have to be bigger and more spectacular in some way.

    I think what you are saying about recovery just proves how strong brands can be. The fact that people will go back to them even after a breach is great for them. It cuts both ways though, this is still what the C-level guys want to avoid hurting, all the same. Your name will be mud eventually, if you don’t do anything. Just because there’s little proof, do they want to be the first one to prove it?

    I do see your point however, how do you prove it once they’ve asked the question and shown you the figures?

    If the CEOs were that well informed about breaches in the first place, they should know that PCI is in their favour. I wish I had the chance to even get to that stage.
