A Reputation Non-Event
It’s a sign of the times when a bank known for being at the center of controversy is robbed of 83 million records by cyber-thieves — and nothing happens. No accusations of board incompetence from disappointed investors. No declarations of regulatory opprobrium from shocked regulators, although a few State Attorneys General are probing, looking for some political points. No hand wringing in the blogosphere from any other aggrieved stakeholder group.
No one seems the least bit surprised. According to an analysis published by Consensiv, the reputation controls company, based on reputation value metrics we use at Steel City Re, JPMorgan Chase’s reputation premium, a measure of additional value arising from favorable stakeholder expectations, is up slightly to the 91st percentile within its peer group since the breach was first disclosed in July.
It is as if cyber theft has become as shocking as dog-bites-man, a headline that aptly characterized the absence of any reputational value changes when Home Depot announced their data loss last month.
What is the behavioral economics explanation for this lack of reaction and nascent reputation crisis compared to, say, the board-led bloodletting at Target less than a year ago for the same alleged offense?
It’s a sign of the times when a bank known for being at the center of controversy is robbed of 83 million records by cyber-thieves — and nothing happens.
The most unlikely explanation for the lack of interest is that focus has shifted from JPMorgan Chase to what the thieves were after. Think Pulp Fiction.
A Chicago security expert with Vasco Data Security told USA Today, “This is a truly remarkable attack, but not just in its scope — hackers successfully penetrated one of the most secure organizations on this planet and they stole absolutely nothing of value — no money, no Social Security numbers, no passwords.”
It is an intrusion taken directly from the screenplay for the television program, The Blacklist.
A more likely explanation is lack of culpability on the part of JPMorgan Chase. Like their other risk management programs, JPMorgan is known to have a good security program in which they invest heavily. (Hence “one of the most secure organizations on this planet.”) Stakeholders are concluding that the fundamental nature of security is broken and are giving the company the benefit of any doubt.
A second contributing factor is that a cyber theft event is no longer a “let down.” The Washington Post diagnoses data breach fatigue. According to a survey released last week by PricewaterhouseCoopers, the number of cyber security incidents has increased 48 percent this year, to 42.8 million, or the equivalent of 177,339 incoming attackers per day.
The end result is that stakeholders are viewing JPMorgan Chase as a crime victim rather than crime villain, so kudos to the company’s enterprise risk managers and their reputation risk strategy for earning that win for the company. And kudos for providing an object lesson benefiting the greater risk management community: practice risk management as if you really mean it, and make sure the company’s leadership receive credit for planetary excellence.
Reputation value volatility, or lack thereof, is an indicator of excellence in reputation management. But nothing speaks reputation risk management success like having a boring crisis.
Read all of Nir Kossovsky’s Risk Insider contributions.