This article is part of the series "[Podcast] Varonis CFO & COO Guy Melamed: Preventing Data Breaches and Reducing Risk".
In part two of my interview with Varonis CFO & COO Guy Melamed, we get into the specifics with data breaches, breach notification and the stock price.
What’s clear from our conversation is that you can no longer ignore the risks of a potential breach. There are many ways you can reduce risk. However, if you choose not to take action, minimally, at least have a conversation about it.
Also, around 5:11, I asked a question about IT pros who might need some help getting budget. There’s a story that might help.
Do Data Breaches Impact the Stock Price?
My name’s Guy Melamed, CFO and COO for Varonis. I’ve been with the company since 2011, in charge of all the financial statements and execution of strategic operational plans, in charge of the legal department, and IR as well. And kind of enjoying the ride.
There’s a discrepancy online where there’ve been studies that say that breaches don’t impact the stock price. Sure, a breach will typically lead to a one-time large expense or maybe smaller recurring expenses. There might be a potential decrease in revenue, but in the long term, investors tend to look past the breach, and they really just focus on the strength of the business and the value of the company. What do you think about data breaches and their impact on the stock price?
I’m not so qualified to talk about statistics on stock price and how a breach would affect a stock price in the short term or in the long term. What I can say is that what we’ve seen in so many events, in so many breaches that have taken place in the last couple of years, is that if you go back to those companies, and ask them would they have rather dealt with a breach or just buy a software, take measures that can help them in protecting or preventing or minimizing the amount and the magnitude of the breach, I think the answer is pretty obvious.
So we’ve seen companies that have gone out of business because of breaches. We’ve seen companies that will have to deal with litigation for years ahead. So where’s that factored in? There are just so many components. It’s more of a philosophy that if you can do something active to try and minimize risk, then why not do it?
I think companies, more from a philosophical perspective, should try and actively take action in order to minimize risk. And companies that are under the belief that it won’t affect them and that they’re going to be okay, I think are acting slightly irresponsibly.
Data Breaches and Breach Notification
Let’s talk about breach notification. It’s said that the time to discovery increases the cost of a data breach, and research has said that most companies take over six months to detect data breaches. If you’re in the EU, article 31 of the GDPR says that data controllers, they’ll need to notify authorities of a breach within 72 hours at the latest upon learning about the exposure, if it results in a risk to a consumer. If you’re already protecting or in the process of protecting your data, how do you reconcile the time in figuring this element out? What do companies need to do? How much are we talking about?
So the surveys that we’ve been tracking show that 70% of the breaches are discovered within months or years. And I think a great example of a breach that affected a company years later was the Yahoo deal. This was a breach and I don’t know if it was four years ago or three or five years ago, but it was discovered as part of an M&A process and had an effect, an actual quantifiable number that impacted the transaction price.
So a company would obviously rather try and identify breaches as soon as possible, so they can take action, minimize some of the cost and be transparent with both the customers, the investors, and the shareholders.
GDPR definitely changes the reporting requirement, and if you’re breached, you have to provide that information within 72 hours. That’s a short period of time, and in order to be able to comply with that regulation, and in order to have better tracking, you really have to have systems, programs, personnel in place to try to identify this.
And the fines that come from GDPR, I’m talking about, you know, some of the requirements and some of the fines related to those requirements, are 4% of global revenue or $25 million, whichever is greater. That’s a huge number that could affect companies in so many ways, definitely something that from our perspective what we see is causing a lot of interest, causing a lot of discussion, and companies are not ignoring the regulation because of its significance.
Should You Just Pay the Fine?
So when you’ve done the risk analysis of viewing the GDPR fines, companies are resigned to paying a fine because the fine isn’t that costly. And so let’s just pay the fine and get it over with.
My response is that it probably fits with an analysis or an analogy that says if I go through a red light, I know that the fine is probably minimal and I can live with a fine. There are so many other consequences. First of all, the fine is pretty large when it comes to GDPR.
There are so many other components. Thinking that you can be okay just by paying the fine after being breached is definitely not the action that I would like to take as the company’s CFO, and I would definitely try and act in a way that would minimize the risk long term and short term.
A Story that Might Help IT Pros Get Budget
And what are your tips for IT managers who are trying to get budget to get a data security solution they need to help prevent a breach?
So I’m not sure I’m qualified to give tips, but I will share a story that I heard from one of our customers.
And during a discussion, he was asked, “What is the best way to get budget, in order to get the Varonis product or any other product for that matter that can protect the company in the long term?”
And his response was, “Make sure the risk assessment, the evaluation and whatever you’re doing in that demo is done on the finance documents. If the finance personnel, if the CFO can see how many people have access to the financial statements or any other sensitive information within his folders or her folders and have access to information they shouldn’t have access to, you’ll find the budget, they’ll find the budget.”
So that’s definitely something that I could relate to, because if I would see risk on files that I know team members shouldn’t have access to, we could move things around within the budget to have something purchased that wasn’t necessarily budgeted initially, when I can quantify the risk in my mind.
Minimally, You Should Have a Discussion
And any final thought as CFO as it relates to the cost if you don’t invest in security?
I think no one anymore can ignore the risk. I think three, four, five years ago, we would talk to companies, show them the risk assessment, show how vulnerable they are, how many sensitive files are open to everyone in the company, show them how much data is open to everyone.
And people could live with the risk. I don’t think people, after all the breaches that have taken place and the amount of risks that companies are dealing with, can ignore it anymore. I think they have to take measures, think about it, or at least have a discussion. If they decide that they want to live with the risk, it should definitely be done after discussion with the legal department, the HR department, CEO, CFO, CISO. If all parties agree that the risk is not worth taking any action over, then at least you had a conversation.
But if it’s decided by one person within the organization and it’s not shared between the different departments, between the different roles that would eventually be responsible, then I think that’s just not good practice.