During cyber risk assessments, it is commonly assumed that cyber breaches can have an adverse reputational impact. The assumption is that customers are more likely to ignore a company after a data breach because they have a less positive attitude toward the brand. In the worst case, it is assumed that customers may even mistrust the products or services provided by the company because of the data breach. Therefore, in cyber risk assessments, protective security measures are often justified by the belief that reputational damage should be prevented. But how certain is it that data breaches always lead to reputational damage?
Most definitions of corporate reputation treat it as a multidimensional construct. It involves beliefs, impressions, knowledge, and perceptions of the organization. A commonly cited definition of corporate reputation is provided by Fombrun (2012): "A corporate reputation is a collective assessment of a company's attractiveness to a specific group of stakeholders relative to a reference group of companies with which the company competes for resources." Key elements in this definition are that corporate reputation is a perception, involves various stakeholder groups, and should be seen in comparison to the company's rivals.
Do data breaches damage reputation? Not necessarily, research shows
Recent research from Arizona State University shows that data breaches can have a mixed impact on the reputation of businesses. Based on data between 2002 and 2018, the study finds that data breaches could have a positive or a negative effect on the reputation of companies. Only for the largest data breaches in the consumer-facing industries does the research report a small decline of 5-9% in the perceived reputation of the companies involved. For average-sized data breaches in all industries, however, the research finds that companies experience a 26-29% increase in their reputation.
Increased media attention after a data breach is an opportunity for businesses
The mixed impact of data breaches on the reputation of businesses is consistent with evidence from consumer psychology and marketing. As noted in the study:
A smaller company with a data breach might benefit from additional media attention, whereas a larger company might experience a decline in reputation because their brand is already salient and that the company “should know better.”
The study suggests that the increased media attention after a data breach offers opportunities for businesses to regain trust by showing that they feel responsible for the situation, understand the consequences for the impacted customers and take appropriate action to prevent the situation from happening again.
Should reputation risk be taken into account during risk assessments?
Yes, but the upside (positive) dimension of data breaches should also be considered when conducting a risk assessment. Based on the study, small and medium-sized enterprises can be advised to invest in cyber crisis management since data breaches provide opportunities to increase brand familiarity. For larger organizations, having an effective cyber crisis management capability in place is key to keeping reputation damage at a minimum.
We also recommend our article on the impact of cyber events on stock prices.