I met Matthew some months ago and immediately recognized his exceptional analysing capabilities. He is brilliant, with a deep knowledge of risk analysis and solid international experience. As Senior Associate with Booz & Co based in Rome, he leads the firm’s Cyber Security & ICT Resilience service offering, so he has a privileged point of view that allows him to view, process and analyse issues and concerns of big players in the market.
With him, some months ago, I had one of the most interesting conversations on cybersecurity topics I have ever had. During this conversation he asked me this very intriguing question: "If you had to present three cybersecurity topics at a G8 meeting in 15 minutes, which subjects would you choose? And why?". After thinking about it for a while, I gave my answer.
And if Matthew had asked you this question, what answer would you have given him?
Now it's a pleasure for me to leave the floor to Matthew.
Digital transformation can have a profoundly negative impact on a company when its risks are not managed properly. Consider the PlayStation Network (PSN) data breach disclosed by Sony Corporation in April 2011, and the events that have unfolded since. Described in the press as a “debacle,” “fiasco,” and “humiliation,” the breach clearly inflicted serious damage on Sony, especially in combination with the generally poor economic conditions globally and the other major crisis already under way in Japan at the time of the breach, resulting from the earthquake of March 11, 2011.
That earthquake was the most powerful ever to hit Japan, and the fourth most powerful in the world since modern record keeping began in 1900. The overall cost is estimated to exceed US$200 billion, making it the most expensive natural disaster on record.
Just over a month later, on April 20, 2011, a 14-year-old boy returned to his Chicago home after school expecting to join three friends online and play Might & Magic: Clash of Heroes (a fantasy adventure in which young people from different cultures band together to stop demons from taking over the world) on his Sony PlayStation 3. But the PSN service was down. Several days later, Sony explained that it had taken the network offline on purpose because of a massive data breach that eventually involved more than 100 million customer accounts.
Though the Japanese earthquake and Sony’s data breach are certainly not comparable in terms of societal impact and suffering, they do provide a useful lesson in risk management and mitigation for companies with major positions in digital services and valuable information assets.
In late April, Sony announced that the 10th and final plant affected by the earthquake would resume production by the end of May. The cost of the earthquake, according to Sony, was $475 million in fiscal 2011 and will approach $1.8 billion in fiscal 2012.
In contrast, Sony has not yet been able to calculate the full cost of the data breach. The company initially estimated the cost at $171 million in fiscal 2012, including lost business and response costs such as identifying and repairing the breach and notifying subscribers. But Sony hastened to add that this figure did not account for costs related to class action lawsuits by customers (at least two of which are already under way), customer identity theft, and credit card theft. External estimates, which include these potential future costs and losses in market capitalization, are much higher. For example, the most widely recognized industry standard for evaluating such events, the Ponemon Institute’s annual “Cost of a Data Breach” report, estimates that the PSN breach could eventually cost Sony as much as $24.5 billion. The actual cost will likely lie somewhere between the two estimates.
Another way to effectively measure and compare the potential impacts of these two crises is to analyze their effects on Sony’s share price on the Tokyo Stock Exchange (see Exhibit 1).
This analysis reveals a significant difference in the impacts of the two crises on the company’s market valuation. The immediate impact of the earthquake on Sony’s share price (-19 percent) was generally perceived by capital markets to be about the same as the impact to the general economy (-18 percent), but both recovered about 50 percent of the loss by March 27. After that, Sony’s share price slowly dropped in comparison to the Nikkei index, probably due to the actual impact of the earthquake on its operations. The data breach, on the other hand, caused a sustained 12 percent loss in Sony’s share price—the equivalent of $3.6 billion in market capitalization. And recent events suggest that this could worsen, because more security weaknesses have been revealed as Sony has restored service, and the recovery phase is not yet fully complete.
Evaluating events based on share price is admittedly imperfect, but the key message is clear: The PSN data breach knocked Sony off the post-tsunami economic recovery path in Japan.
This raises a critical question: Could risk management have prevented or mitigated Sony’s back-to-back crises?
In a crisis of the magnitude and consequence of the Japanese earthquake, the answer is probably not. It was clearly a Black Swan—an event with extremely low probability and devastating impact. A risk manager who predicted that an earthquake such as this would occur, and requested the budget necessary to protect the company against it, would most likely have been ignored.
The PSN data breach, however, is another story. According to Shinji Hasejima, Sony’s CIO, the breach occurred in PSN’s Web application service platform. “The vulnerability was a known vulnerability,” he said during a press conference on May 1, 2011. Further, in the current threat environment, IT security and risk managers feel that it is almost certain that adversaries will try to access their information.
If you had asked Sony’s senior leaders a year ago to identify 10 events that could potentially erase 12 percent of their market capitalization in a matter of days, “unauthorized access to a list of online gamers” probably would not have made the list. If you had asked the same executives after the earthquake to identify 10 events that might keep Sony from recovering at the same rate as the overall economy in Japan, the result would likely have been the same. Yet that is exactly what happened.
No one held Sony’s management responsible for failing to predict an unimaginable natural catastrophe, but the PSN data breach is sure to be a different story. Sony will recover from the earthquake at a substantially slower rate than other Japanese companies because an as-yet-unidentified culprit (probably Anonymous) exploited a known software vulnerability. Why that happened is something Sony management is having a hard time explaining to its board of directors, to judges and juries in class action lawsuits, and, most important, to its customers and shareholders.
Matthew W. Holt, MBA, CISSP, CISM, is a Senior Associate with Booz & Co based in Rome, Italy, and he leads the firm’s Cyber Security & ICT Resilience service offering. This includes development of national / corporate policy and governance models, risk management, integrated security, incident management, and business continuity planning. Mr. Holt’s background encompasses 22 years of international experience for both government and private sector clients including the United States Department of Defense and multiple Fortune 500 companies.