Researcher: Few Financial Incentives to Invest in Cybersecurity
You may have noticed that big retailers like Target, the target of a massive security breach, have finally gotten around to installing new point-of-sale terminals. Moreover, your bank may have at last started distributing more secure EMV chip cards. (EMV stands for Europay, Mastercard and Visa, the global standard for credit cards equipped with chips used to authenticate transactions.)
Despite high-profile and—one would think—expensive security breaches at Target, Home Depot and Sony, many U.S. retailers and credit card companies have responded slowly to major cyber attacks. One reason for the foot-dragging, according to a researcher, is that there is little financial incentive for retailers to invest in cyber security once the bad publicity fades.
Benjamin Dean, an Internet governance and cyber-security specialist at Columbia University's School of International and Public Affairs, examined the impact of data breaches on retailers' bottom line. Dean found that the actual expenses from major hacks that affected millions of consumers amounted to less than 1 percent of annual revenue at Home Depot, Sony and Target. The losses were further reduced by insurance coverage and tax deductions.
Hence, Dean concluded in a report published on the web site The Conversation that "financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed."
Dean's conclusions are based on his examination of each company's financial statements. In the case of Target, the retailer reported that gross expenses for the massive 2013 holiday season data breach totaled $252 million. Insurance reimbursements reduced the total to $162 million.
Dean also reported that expenses related to corporate security breaches are tax deductible, further reducing Target's net loss to $105 million. That total amounted to an estimated 0.1 percent of the retailer's 2014 sales.
The researcher concluded that the combination of insurance payouts, tax deductions that allow companies to claim breach-related expenses, and the larger issue of "moral hazard" have eroded financial incentives for companies to invest in information security.
The concept of moral hazard arises when an enterprise takes greater risks because others end up paying the cost of those risks.
For example, in the case of the Home Depot breach, Dean reported that credit unions claimed to have spent $60 million replacing compromised credit and debit cards with more secure chip cards. "It therefore does not make economic sense for companies like Home Depot to make large investments in information security. As a result, they do not," Dean asserted.
Banks, credit unions and other financial institutions are among the biggest investors in information security. The researcher cited estimates that JP Morgan invests about $250 million annually in cyber-security, or about 0.35 percent of annual expenses.
Dean argued that the presence of "moral hazard creates a role for government in providing incentives for companies to invest in information security." The problem, he added, is that current proposals do not address the moral hazard issue and nearly all involve sharing more information with intelligence agencies.
In the long run, Dean said, such proposals could create more problems than they solve in addressing the growing cyber-security problem.