The risk of unsupervised digital transformation could bring an intense negative impact for a company. Consider the April 2011 PlayStation Network (PSN) data breach of Sony Corporation that causes serious damage, especially in conjunction with the global economic crisis and the powerful earthquake that hit Japan last March 11. The media described this breach as a “debacle,” “fiasco,” and “humiliation.”
Sony clarified that the company purposely took the network offline due to the massive data breach involving more than 100 million customer accounts.
The Japan earthquake and Sony’s data breach brings different impact on the society, but both provides a valuable helpful lesson in risk management and mitigation for companies with major role in digital services and valuable information assets.
The March 11 Japan earthquake affected the operations at several Sony plants and facilities. Widespread power outages resulted in suspension of Sony’s manufacturing operations. The outage prevented users from enjoying the PlayStation Network’s services, Sony’s video streaming services, online gaming and online access to music, movies, sports and TV shows.
Sony shut down PSN on April 20, a day after the detecting the breach. It was revealed that 77 million PSN subscribers had been breached and around 24.6 million Sony Online Entertainment accounts, from personal information of PSN subscribers to credit card records, had been exposed during the breach.
The impact of these two crises on Sony’s market valuation revealed a significant difference.
According to Sony, the earthquake cost was $475 million in fiscal 2011 and will increase to $1.8 billion in fiscal 2012. The full cost of the data breach has not been calculated, but an initial estimate reveals a cost of $171 million in fiscal 2012, which includes lost business and response costs.
The is also a much higher external estimates that includes potential future costs and market capitalization losses.
Analyzing the effect of Sony’s share price on the Tokyo Stock Exchange is also an efficient way to measuring and comparing the impact of these crises. The analysis reveals Sony’s share price (-19 percent) after the earthquake is almost the same as its impact to the general economy (-18 percent). The data breach caused a 12 percent loss in Sony’s share price, which is the equivalent of $3.6 billion in market capitalization. This data could worsen as more security weaknesses have been revealed as Sony has restored service, and the recovery phase is not yet fully complete.
There could be deficiency is evaluating events based on share risk price. However it is apparent that the PSN data breach knocked Sony off the post-tsunami economic recovery path in Japan.
An Ounce of Prevention
Could risk management prevented or mitigated Sony’s back-to-back crises?
The answer is probably not for the consequence of the Japanese earthquake, but the PSN data breach is a different story.
According to Shinji Hasejima, Sony’s CIO, “The vulnerability was a known vulnerability.” The breach occurred in PSN’s Web application service platform. With the level of threat uncertainty, every risk and security managers must deliberate on the planning a comprehensive strategic framework for protecting customer data.
This framework recommends a series of essential information that risk managers should consider.
Risk Management: Find out the data security vulnerabilities of the business and its impact; and the specific information assets that are on high priority.
Governance: Determine the person in charge in protecting the data assets of the business, top management’s commitment and the resources needed to fulfill this task correctly.
Integrated Security: Establish ways to prioritize security investments – IT, physical and personnel security – to reduce the overall risk profile of the company to an acceptable level.
Continuity Planning: Determine the business continuity as to how fast an operation can resume from disasters.
Challenge to Senior Management
An additional ounce of prevention is often far more effective than a pound of cure.
Failing to predict a natural catastrophe is acceptable and Sony’s management did not made anyone responsible, but the PSN data breach is again different story. Because of the software vulnerability, Sony will recover from the earthquake at a lower rate that other Japanese companies.
Total information protection might not be viable, but companies can implement effective information risk management programs.
These programs can prevent every adversary and minimize the consequences of successful attacks.