There is a side that seems to go unnoticed every time there is a big attack, and it made me write this article – I wanted to share some considerations on how finance, security and the latest Sony attacks (but not only those) are linked.
It seems that lately, big, widespread attacks make the news more often, and are becoming increasingly aggressive. Although I can make some technical considerations on this (and will do so in an article later next week), I saw something strange in how the markets react to security breaches (and will go more into why companies should – and probably will – invest more in security later on).
Let’s start with JP Morgan.
The data of as many as 76 million households and 7 million businesses leaked – to an unknown extent (account details?). This will certainly expose those individuals/entities to easy social engineering attacks, which will be extremely hard to relate back to the attack. So, what was the market's response to the attack?
None. Yes, that spike down later on might have been related to the attack, but as you have seen, it was soon recovered.
Let’s go a bit back in time to another story that made the headlines: the Apple data leak.
The attack involved hundreds of well-known individuals at the end of August. Did the market react to this? Well, yes, for a period, but then again, no substantial loss.
Now, moving to Sony. Sony has faced issues with its security systems for years. From the PlayStation Network to the Sony attacks, there is never an end.
Watching the Sony chart, it seems that the cause of the drop was not really related to the attack, but that certainly didn’t help the future outlook. And the latest attack didn’t seem to affect the market (see it pointing up in the last tick).
I could go on with these examples for a while, but the point is that attacks, at least in the short term, don’t seem to affect the companies considerably. Is this then a good reason to reduce the costs of security?
Well, here are some considerations from my side:
- The stock market seems to react more to the generic feeling of insecurity than to a quantitative loss of customers/income caused by the attack. This, I assume, is because it is extremely hard to quantitatively define the extent of the loss.
- There are discussions, even driven by Wall Street, to improve cyber security regulations. The process might take a while to consolidate as it is a fairly new concern – attacks of the extent we have seen this year were seldom seen before. Litigation and regulatory fines will help Wall Street to quantify losses and protect investors.
- Last but not least, the actual cost impact should be considered. A generic estimate puts the cost of a data leak (including regulatory fines, fees, legal costs and so on) somewhere between $90 and $300 per user. In the case of JP Morgan, a conservative estimate would be $150 * 80,000,000, accounting for an astonishing $12B loss.
Companies should be more concerned than ever about security, as this is bound to become a huge topic in the future, particularly given the fact that 0-day vulnerabilities are extremely hard to tackle. But as always, only time will tell how the market will evolve in that sense…
…One side note…
JP Morgan announced it will double its spending on security from 2015, moving to 500M/year – good news. But then again, will that money be spent in the right places?