Major cyber incidents have hit some of the biggest brands in the world — from Target and Uber to Pizza Hut and Home Depot. They’ve cost many millions of dollars, triggered lawsuits and left lingering questions about transparency and honesty in customer communications.
Addressing the security, legal and regulatory requirements, which increasingly come with fines and other penalties, is critical, but so too is attending to the fallout for customer trust and loyalty.
One of the challenges is that when organizations approach cyber incidents and cyber risks, it’s largely seen through the lens of technology and legal risks, according to Russell Abratt, professor of marketing at George Mason University.
These are important, naturally, but overlooking customer detriment can leave a significant dent on the brand’s standing. “It can lead to organizations not fully thinking about the effect on stakeholders,” said Abratt.
Organizations risk damage to their reputation and brand value, with one Australian academic study finding that customer perception and loss of trust after an incident negatively impacts the cyber reputation of the impacted organization.
How cyber incidents lead to customer churn
How organizations communicate a breach to their customers plays a critical role in maintaining strong customer relationships; when such communication fails to meet the public’s expectations, reputations suffer.
A study from 2017 conducted by the Ponemon Institute for Centrify, now Delinea, attempted to quantify the loss of faith, and found two-thirds of respondents reported losing trust in the organization after a breach.
“Organizations must appreciate that when you don't treat customers the way they say they want to be treated, it's going to affect the immediate image of the business, and in the longer term, it's going to affect its reputation,” Abratt said.
Businesses can suffer backlash from customers in the aftermath of a data breach. The Ponemon Institute study found that those organizations with a poor security posture saw customer churn increase by up to 7%, equating to potentially millions in lost revenue.
Organizations then face the cost of acquiring new customers to redress the customer churn, as well as reputational losses and damage to goodwill. But there are ways to minimize the hit to customer confidence.
Organizations can leverage their existing goodwill and brand value, but a lot depends on the organization’s standing with customers prior to the incident.
“Even though there’s a high possibility that brand value can go down after a major incident, having reputational capital with customers helps them forgive the business,” Abratt said.
Is a cyber incident rich pickings for competitors?
In the midst of a cyber breach, clear communications about the incident to existing and potential customers is vital to maintain customer loyalty and brand standing.
Businesses are more likely to bounce back from such a setback when they communicate information about the incident and its likely impact on customer information with honesty and transparency, providing appropriate details and expressing remorse.
“Transparency demonstrates accountability and a commitment to improvement, and it goes a long way to rebuilding their trust and maintaining their loyalty,” said Sarah Jarvis, communications and propositions director at loyalty specialist Eagle Eye.
The risks are too high not to. The Ponemon Institute study found nearly one-third of consumers impacted by a breach said they discontinued their relationship with the business that had suffered the breach.
Brand experts such as Abratt point out that suffering a cyber incident dilutes the brand promise. “And that will lead to problems with the businesses’ reputation,” he said.
There’s also the risk that departing customers head straight to a competitor as a way to register their protest with their wallet.
But brand equity logic suggests customers will weigh the convenience of staying with an existing business against the effort it takes to change brands.
“It depends on the organization and whether the next best alternative is seen as good or not. For instance, with Uber, which has had cyber incidents, there aren’t that many alternatives,” Abratt said.
‘Customers want justice’
One of the other important considerations for organizations responding to a cyber incident is the question of how to compensate affected customers.
“Customers want justice,” Abratt said.
In business, this translates into some kind of offering in line with the scale of the disruption or impact, whether that’s a subscription extension, gift card, additional account credit, access to data protection services or other option.
Angry customers can inflict damage on the brand through poor reviews or negative word of mouth amplified through online and social channels and other means — especially if they feel overlooked in the face of an incident.
“It’s shortsighted for brands not to consider how customers have been harmed, and if they feel betrayed, they can become angry,” he said.
If customer patterns remain largely unchanged, there may still have been a hit to the brand that makes it vulnerable to challengers. After stabilizing things in the short term, the work starts in building the brand equity to recover and weather any future storms.
“As a brand custodian, you have to worry about that sort of damage, even if the customer behavior doesn't appear to have changed a huge amount right away,” he says.
It may seem counterintuitive, but Abratt suggests many customers actually want to continue doing business with the brand, but they’re looking for recognition of the customer impact to continue the relationship.
“It’s like they’re saying: ‘I want to do business with you. You missed up here. Just fix it, and it will be forgiven,’” he said.
