The Hidden Costs to Business of Overlooking Data Privacy, Cybersecurity and ESG

Melissa Chase

Editorial Manager, ESG and Sustainable Finance

Data privacy and cybersecurity are gaining recognition as environmental, social and governance (ESG) issues. These issues are significant drivers of business risk and are a growing concern among investors and CEOs.¹ The public costs of poor corporate cybersecurity management are increasingly viewed as market failures. And as more sectors become digitized, data driven, and reliant on personal data, companies’ exposure to data privacy and security risks is heightened.

Cyberattacks, data leaks or perceived misuse of data exposes companies to countless operational and remediation costs, financial penalties, regulatory action, and reputational damage. In this blog post, we share some of the challenges and risks companies will likely face, should they fail to effectively manage and adequately fund cybersecurity and data privacy measures within their organizations.

Data Privacy and Security Regulatory Compliance

Jurisdictions across the globe are enacting laws and introducing regulations to protect the data privacy of their citizens and to mitigate potential cybersecurity risks to the economy and critical infrastructure. It is predicted that by the end of 2023, modern privacy laws will apply to the personal information of three-quarters of the world’s population.² However, keeping track of, and preparing for, the continually evolving regulations and legislation around privacy and cybersecurity is proving to be daunting for many companies.

Failure to align with these data privacy and cybersecurity regulations could result in substantial fines and loss of consumer confidence. In 2021, for example, Amazon was fined EUR746 million (US$744 million) for breaching European data privacy laws. In 2019, Facebook reached a US$5 billion settlement with the Federal Trade Commission over its poor data privacy practices. 

Some of the data privacy and cybersecurity regulations organizations should be aware of include:

General Data Protection Regulation (GDPR): This regulation applies to any organization collecting or processing the personal data of individuals inside the European Union. Firms found in violation of GDPR rules can be fined up to EUR20 million (US$19.95 million) or 4% of their worldwide annual review from the preceding year, whichever amount is higher.³
California Privacy Rights Act (CPRA): Coming into force on January 1, 2023, CPRA is an amendment and expansion of the California Consumer Privacy Act which was closely modeled on Europe’s GDPR. Violations under CPRA may result in an administrative fine of up to US$2,500 for each violation, or up to US$7,500 for each intentional violation and each violation involving the personal information of minor consumers.⁴ Additionally, the CPRA allows consumers to sue violating companies for certain types of breaches.
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): Signed into law in March 2022, this Act requires companies in critical infrastructure sectors to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency.
Amendments proposed by the U.S Securities and Exchange Commission will require publicly listed companies to report on, among other things, material cybersecurity incidents and to provide updates on previous incidents.

Cyber Incidents Can Lead to Operational Disruptions

Cyber incidents can disrupt business operations and critical services. According to a survey, 68% of respondents have experienced downtime because of IT security incidents.⁵ On average, the financial impact of downtime is US$59,000 – with departments that rely heavily on IT, such as ecommerce, experiencing higher losses. Incidents like the Colonial Pipeline cyberattack — which forced the pipeline supplying about 45% of all fuel consumed on the U.S. East Coast to shut down for several days — demonstrate the impact that prolonged disruptions and downtime caused by cyber incidents can have on the economy and communities.

Loss of Company Value Due to Cyber Incidents

In addition to the immediate losses companies can suffer due to the disruptions caused by cyber incidents, companies that experience a cyberattack can also suffer a reduction in their overall value. Cyber incidents can result in the loss of customer relationships or potential future contract revenues, and the devaluation of intangible assets such as corporate trade name and intellectual property. A soon to be published study from Morningstar Sustainalytics shows that not only do companies’ stock prices fall immediately following a cyber breach, but one year later these companies continue to underperform compared to the benchmark. This underperformance may persist for years, as was the case for Equifax which continued to underperform the market nearly two years after its data breach in 2017.

Numerical table - Portfolio values before and after cyberattack incidences

^{Source: Morningstar Sustainalytics. For informational purposes only.}

Rising Cyber Insurance Rates

As more sectors become digitized, cyberattacks have become more pervasive. Companies are offsetting recovery costs after a cyber-related security breach by obtaining cyber liability insurance coverage. However, the cost of cyber insurance coverage in the U.S. more than doubled in the fourth quarter of 2021.⁶ The increasing frequency, scale and impact of cyber-related incidents has led insurance providers to flag their concerns with high-risk profiles, and is leading to higher premiums, decreasing coverage, and the exclusion of entire industries. Cyber insurance providers are examining companies’ cybersecurity readiness and closely tying coverage availability to implementing strong cybersecurity safeguards.

Loss of Consumer Confidence Due to Data Privacy and Cybersecurity Failures

Data privacy or security incidents can damage a company’s reputation, and repeated incidents will erode the value of the company’s brand. Lost sales and the cost incurred to rehabilitate the brand, such as working with forensic and crisis management firms, can negatively impact bottom lines. Even without a breach, the perception that a company has poor data privacy practices could be damaging. Consumers surveyed said they won’t do business with a company if they have concerns about its data security practices, with 70% saying they will stop doing business with a company if it gives away data without permission.⁷

Data Privacy and Security Issues Should Not Be Ignored

Organizations need to consider the consequences of poor data privacy and cybersecurity management on their operations. Given the increasing frequency and impact of cyber incidents globally, data privacy and security should be taken seriously, no matter the industry. Data privacy and security issues have become significant drivers of business risk, having a detrimental impact on a company’s value, operations, and finances. As such, these risks are a growing concern among investors and CEOs alike. Taking even the most basic steps to manage these increasingly important issues, like assessing and addressing organizational weaknesses, focusing on awareness and training among employees, and ensuring the company has effective policies and board oversight, can help mitigate risks and minimize the negative impacts of cyber incidents.

Download our recent ebook to learn more about the ESG-related risks facing companies as a result of increasingly frequent and sophisticated cyber threats and the management practices companies can use to address data privacy and cybersecurity risks.

References

^{1 Sarnek, A., Dolan, C. 2022. “Cybersecurity is an environmental, social and governance issue. Here's why.” World Economic Forum. March 1, 2022. https://www.weforum.org/agenda/2022/03/three-reasons-why-cybersecurity-is-a-critical-component-of-esg/.}

^{2 Panetta, K. 2021. “The Top 8 Cybersecurity Predictions for 2021-2022." Gartner. October 20, 2021. https://www.gartner.com/en/articles/the-top-8-cybersecurity-predictions-for-2021-2022.}

^{3 European Commission. 2022. “Data Protection Under GDPR.” https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/.}

^{4 California Legislative Information. 2018. “California Consumer Privacy Act of 2018. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.}

^{5 Malekos Smith, Z., Lostri, E. 2020. “The Hidden Cost of Cybercrime.” McAfee. December 9, 2020. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf.}

^{6 Ralph, O. 2022. “Companies Face Soaring Prices for Cyber Insurance.” Financial Times. February 13, 2022. https://www.ft.com/content/60ddc050-a846-461a-aa10-5aaabf6b35a5.}

^{7 Anant, V., Donchak, L., Kaplan, J., and Soller, H. 2020. “The consumer-data opportunity and the privacy imperative.” McKinsey & Company. April 2020. https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/Risk/Our%20 Insights/The%20consumer%20data%20opportunity%20and%20the%20privacy%20imperative/The-consumer-data-opportunity-and-the-privacy-imperative.pdf.}

Recent Content

Biodiversity is the foundation of our natural capital and at risk from business activities. However, while there is regulatory and market momentum to mitigate biodiversity loss, businesses are generally not acknowledging or addressing the risks.

Risk and Opportunity in Biodiversity: How Sustainable Finance Can Help

This article outlines how biodiversity loss poses material risks to business and how it connects to many other issues that companies can’t ignore. In addition, it covers how biodiversity conservation presents substantial economic opportunities, and how businesses can address and access these opportunities by issuing linked instruments that integrate biodiversity considerations.

Today’s Sustainable Bond Market: Boosting Confidence in Sustainable Bond Issuances

In this article, we examine the kinds of sustainable bonds offered in the market, some of the key regulations being developed in different markets and the current initiatives to improve the quality and credibility of issuances.

Morningstar Sustainalytics’ 2nd Annual Global Survey of CSR and Sustainability Professionals

We invite corporate social responsibility and sustainability professionals around the world to participate in the second edition of the Morningstar Sustainalytics Corporate ESG Survey.

Webinar Recap: How Integrating ESG Can Drive Opportunity for Private Companies

Recently, Morningstar Sustainalytics hosted a webinar – ESG in the Lifecycle of a Private Company: How Stakeholder Demands Drive Sustainability in Private Markets – to address some of the questions private companies might have surrounding ESG and how it could impact their business.