We discussed about the Target Breach in a previous article - Life after Target and other titbits
In this article we would discuss how to arrive at a number which help us arrive at the "Cost of a Breach". In one article by Forbes, available here, Target lost the following:-
- 46 % reduction of income of last quarter in 2013 at $520 Mn as compared to similar time period in 2012.
- 3.8 % reduction in revenue at $21.5 Bn from similar time period in 2012.
- A net $17 Mn expenses directly caused by the data breach, a figure caused by $61 Mn expenses offset by $44 Mn receivables from cyber risk insurance.
- Further losses or expenses in 2014 have not been estimated as of now. However in another article, available here, it is estimated that the number of transactions have reduced by 5.5%. The monetary value of this trend however has not been estimated.
Based on the another news article, available here, the share value of Target the second-largest U.S. discount retailer, rose 7 percent to $60.49. That marked the biggest one-day gain since 2009. The stock has declined 4.4 percent this year, compared with a 5 percent drop for its larger rival Wal-Mart Stores Inc. and a 0.2 percent decrease for the Standard & PoorÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬ú├ö├▓├╣s 500 Index.
This gives credence to the fact that if an incident is handled properly the long term impact of the incident can be limited. So going forward, it may be safe to assume that:-
- For a security system to make sense to Target it must not cost more than $17 Mn
- Target may offset its security budget by an increased spending on getting more cyber risk insurance cover.
Can some financial wizard help convert these numbers to some 'rule of thumb' to estimate the 'cost of a breach' for a generic enterprise?