All corporations, regardless of their size or industry, inherently manage varying levels of risk. Successful organizations are adept at managing supply chain, market, legal, operational and financial risk using various management tools and models. Many organizations, however, overlook the need to manage reputation risk, which can prove just as – or even more – costly to rectify if compromised.

Business reputations are vulnerable to unsavory business practices, discriminatory hiring and identity/data breaches that weaken customers’ trust in an organization or brand. A damaged reputation can cost an organization in terms of decreased brand value; low share price; lost customers, partners and strategic relationships; and difficulty recruiting and keeping top-notch employees. Simply put, losing your reputation translates into huge economic losses. Recovery can take years; some businesses never recover e.g. Arthur Anderson.

Reputational risk as it pertains to security breaches, whether from mishandling of sensitive customer information, phishing and pharming attacks or non-compliance with regulations is a growing concern for corporate boards and their investors. Corporations, and their financial institutions, need to understand that they can and must manage reputational risk in much the same way that they manage other types of risk – through sound strategies, modeling, business intelligence and technology.

The Value of Reputation
In a Financial Times article titled “The Challenge of Protecting Reputation,” Professor Paul A. Argenti of the Tuck School of Business at Dartmouth College asks, “Why is it so easy for executives to think about and plan for financial risks, but still so hard for them to understand that intangible risks to an organization’s reputation are far more likely to destroy shareholder value?”

Reputation is all about perception. A reputation is tenuous. Reputation is also thought to be difficult to quantify. However, organizations that have seen their good reputations dissolve, and have worked to repair them, can attest to the high cost of restoring a reputation…or, at the very least, restoring the business lost as the result of a single data breach.

The Ponemon Institute, an organization that studies privacy and information management, recently reported that the cost of recovering from a single data breach now averages $6.3 million. That figure represents an increase of 31% since 2006 and a nearly 90% increase since 2005. Two-thirds of that cost is spent recovering business that’s lost after a breach, a cost that has risen 30% since last year. There is no question that it’s getting more expensive to replace customers lost as a result of security breaches.

Breaches by third parties-outsourcers – or members of a company’s supply chain – were the second biggest cause of security compromises and are more expensive, according to the report. Companies spent an average of $231 per lost record on third-party breaches compared to $171 per lost record in 2006.

Tales of the following companies represent nightmare scenarios that would keep any C-level executive up at night:

• Retailer TJX Cos. announced that it will spend $256 million responding to the company’s data breach that compromised up to 100 million accounts. The payments, announced in 2007, include financial settlements to Visa International Inc., banks and customers – as well as costs associated with upgrading the company’s information protection processes and technologies.



• American International Group (AIG) received a backlash from the financial community amid reports of suspect accounting and business practices. “AIG, one of the largest insurers in the world, has been rocked…by multiple investigations into its accounting. The company’s shares are down more than 16% since it disclosed inquiries by New York Attorney General Elliot Spitzer and the Securities and Exchange Commission on February 14,” Reported CBS MarketWatch on July 8, 2005.
  


• ChoicePoint, Inc.’s market cap dropped by $720 million following news that identity thieves had gained access to personal consumer information. As a result of the security breach, the identification and credential verification services provider was ordered to pay a $10 million federal fine, contribute $5 million to a fund to compensate consumers who suffered from the breach and submit to external security audits for 20 years. Analysts estimate that ChoicePoint will spend more than $30 million in direct costs associated with the security breach.
  


• CardSystems Solutions, Inc. was a billion dollar company before its security breach that compromised 40 million consumer accounts. After the breach, the company was acquired by Pay By Touch™ Payment Solutions, LLC. for a fire sale price of $47 million.