Main Street vs. Wall Street Who is to Blame for Data Breaches? Spring 2014

Abu Dhabi

Beijing

Berlin

Brussels

Dallas

Dubai

Frankfurt

Hong Kong

Johannesburg

London

Milan

Munich

New York

Paris

Rome

San Francisco

São Paulo

Shanghai

Singapore

Stockholm

Vienna

Washington, D.C.

© BRUNSWICK | 2014 | 1

Growing Trend Scale and impact of data security issues continue to rise

Recent research has

determined the average cost

of a data breach to be $5.5

million per organization

and an average of $194 per

compromised record.

Studies also found for the

fourth straight year that

organizations’ need to respond

rapidly to data breaches drove

the associated costs higher.

Source: Open Security Foundation / DataLossDB.org; Ponemon Institute “Cost of a Breach Study”, 2011

21 44

157

644

774

1048

720

818

1072

1331

0

200

400

600

800

1000

1200

1400

2003 2004 2005 2006 2007 2008 2009 2010 2011 2012

Data Loss DB.org Incidents Over Time

© BRUNSWICK | 2014 | 2

High Risk, High Profile Privacy and data security issues are gaining attention worldwide

© BRUNSWICK | 2014 | 3

Heated Debate Retailers and Banks are going head-to-head over who is responsible

“For years, banks have continued

to issue fraud-prone magnetic

stripe cards to U.S. customers,

putting sensitive financial information

at risk while simultaneously touting

the security benefits of next

generation 'PIN and Chip' card

technology for customers in Europe

and dozens of other markets.”

“The NRF should focus its attention on

responding to the harm that security

breaches at several retailers have done

to consumers and their financial

institutions rather than hurling false

allegations blaming the banking

industry for these retail breaches.

Retailers and their processors —

not banks — are responsible for

the systems in their stores that process

payment cards.”

© BRUNSWICK | 2014 | 4

25% 75%

Retailers are doing enough to prevent data breaches, but the rise in usage of debit cards, credit cards and online payment systems, as well as increased capabilities of online thieves, means that data breaches are just the “new normal”

Retailers are not doing enough to prevent data breaches and need to take significant actions to improve the security of their payment systems

Are retailers doing enough to prevent data breaches?

What news events have consumers seen, read, or heard about? How concerned are consumers?

90%

83%

83%

78%

60%

A data breach at some U.S. retailers that resulted in the theft of the credit card information of more than 100 million consumers

Pop star Justin Bieber being arrested for DUI, drag racing, and resisting arrest

Security concerns for the upcoming Sochi Winter Olympics

President Obama giving the 2014 State of the Union address

President Obama announcing changes to the NSA surveillance program

94% concerned about data breaches at retailers

Difficult Opinion Environment Consumers are aware, concerned, and believe retailers are not doing enough to stop data breaches

© BRUNSWICK | 2014 | 5 Source: Harris Interactive – 2013 RQ Summary Report

High Marks for Industry Reputation… Retail industry is regarded as one of the most respected, banking is among the least respected

Tobacco

Government

Banking

Financial Services

Airline

Insurance

Pharmaceutical

Energy

Manufacturing

Automotive

Telecommunications

Consumer Products

Retail

Travel & Tourism

Technology

Industry Reputation Ratings NEGATIVE NEUTRAL POSITIVE

© BRUNSWICK | 2014 | 6

…But, Public Casts More Blame on Retailers Nearly as likely to hold retailers responsible as the criminals themselves; One-third will boycott

72% 28% Retailers Banks

Who is responsible? How have consumers responded?

65%

34%

24%

23%

12%

Started using cash more often

Stopped shopping at certain retailers

Started shopping more at online retailers

Stopped using my debit or credit card

Switched banks or credit card companies

79% 61%

34% 26% 18% 17%

TheCriminals

Retailers Banks Government Shoppers LawEnforcement

© BRUNSWICK | 2014 | 7

Making debit and credit cards more secure

63% 37%

Banks say that retailers are at fault for lacking the necessary security measures to prevent cyber-attacks from taking place, and therefore should be responsible for reissuing cards compromised in a security breach when the retailer is at fault.

Retailers say that banks are at fault for issuing cards with faulty technology that leaves customers prone to security lapses, and therefore should take steps to ensure credit card security so the cards are less likely to be corrupted.

70% 30%

Some say that in a situation where a systemic data breach is caused by a retailer’s payment system, the retailer should be financially responsible for these fraudulent charges,

NOT the credit card issuer. Would this be fair or unfair?

Unfair Fair

Clear Need for Effective Messaging Consumers side with the banks over shifting more financial liability to retailers

56% 44% Strengthening retail networks against hackers

The best defense against future data breaches is…

© BRUNSWICK | 2014 | 8

1 2 3 4 5 6

Lasting Impact Brunswick analysis of post-breach valuation discovered a long-term downward trend

Analysis of the average daily valuation data of 10 companies that have recently experienced large

data breaches uncovered that stock prices never fully rebound two quarters after the breach.

Anatomy of a Breach’s Impact on Valuation

Day before breach

Bargain buyback

Initial sell-off Long-term downward trend

Months after breach announcement

Lev

el o

f pr

e-br

each

val

uati

on

Average daily closing price

100%

95%

90%

85%

80%