Reputation in financial services has two dimensions. Capability perception changes slowly. Character perception can be destroyed in a single news cycle. A cyber breach tests both, but it is the response that decides which one survives.
This article draws on the Oxford Cyber Security Executive Briefing completed in mid-2024, incorporating Rupert Younger's reputation framework and the IRA Financial Trust case study.
Rupert Younger, founder of the Oxford University Centre for Corporate Reputation, makes a distinction that most boards have not internalised. An organisation's reputation operates on two dimensions. The first is capability: does the firm deliver high-quality products and services? This perception changes slowly. Markets form a view of capability over years and it takes sustained failure to shift it. The second dimension is character: how does the organisation behave? How does it treat customers, suppliers, and the public? How does it make decisions when things go wrong? Character perception can change overnight.
Applied to cyber security in financial services, this framework explains why some firms survive breaches and others do not. The breach itself damages capability perception. Customers and counterparties question whether the firm can protect their data and assets. That is serious, but it is recoverable. What is not recoverable is a character failure in the response: a cover-up, a refusal to disclose, or a public blame game between counterparties while customers are left without answers.
A breach tests capability. The response tests character. Only one of those judgements is permanent.
In February 2022, hackers breached accounts at IRA Financial Trust, a provider of self-directed retirement accounts that used the Gemini cryptocurrency exchange for custody. Customer cryptocurrency was stolen. What followed was not a coordinated response. It was a public dispute about responsibility.
Maria Stagliano, a spokesperson for IRA Financial Trust, stated that the investigation centred on security controls that Gemini did not offer or make available. She declined to specify which controls IRA Financial Trust had implemented. Gemini responded by stating that it offered a range of security controls, including mandatory two-factor authentication for all accounts and approved addresses. Neither company addressed the fundamental questions their customers were asking: how many accounts were breached, whether the losses were recoverable, and who was responsible for reimbursement.
Customers found themselves caught between two companies pointing fingers at each other. The capability failure was the breach itself. The character failure was everything that came after. Both firms demonstrated that when the relationship between a platform and its custody provider breaks down, the customer pays the price not just financially but informationally. They could not get a straight answer from either side.
This is where Younger's framework is most useful. IRA Financial Trust and Gemini may eventually resolve their capability issues, patch the controls, and improve the security architecture. But the character damage (the public blame-shifting, the refusal to answer direct questions, the absence of a clear reimbursement plan) is far harder to undo. Once a firm's character is questioned, the only reliable remedy, according to Younger, is to remove the individuals responsible for the failure. Structural change signals seriousness in a way that public statements do not.
There is a less visible cost to cyber security that boards rarely discuss: the commercial damage caused by controls that are too aggressive. In the credit card industry, fraud detection systems that cannot distinguish a legitimate transaction from a fraudulent one reject more than 50% of valid transactions in emerging markets. Several major payment companies have identified the developing world as critical for strategic growth in the coming decades, yet their own cyber controls are blocking more than $300 billion per year in legitimate commerce.
This is not a failure of security. It is a failure of calibration. Controls designed to prevent fraud are generating a different kind of loss: lost revenue, lost customers, and lost trust in the payment system itself. The firms that solve this problem, building fraud analytics sophisticated enough to permit more legitimate transactions while maintaining genuine protection, will unlock significant commercial value. The point is that cyber security is not only a defensive discipline. It is a commercial one. Getting the calibration wrong in either direction, too lax or too aggressive, carries a cost.
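The calibration problem described above can be made concrete. The following is an added example, not code from the briefing or from any payment company: it takes a constructed set of scored transactions (amounts, model risk scores and fraud labels are all invented for illustration) and sweeps a decline threshold, reporting for each setting the share of legitimate transactions falsely declined, the share of fraud caught, and an expected cost that combines the two. The cost weights (`decline_cost_rate`, the fraction of a falsely declined transaction's value treated as lost revenue, and `fraud_loss_rate`, the fraction of a missed fraudulent transaction's value written off) are assumptions, not figures from the article.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Transaction:
    amount: float       # transaction value in USD (constructed)
    risk_score: float   # fraud model output in [0, 1]; higher means more suspicious (constructed)
    is_fraud: bool      # ground-truth label known after the fact (constructed)


# Constructed sample. Scores for legitimate and fraudulent transactions overlap
# deliberately, so that no threshold is perfect and calibration is a trade-off.
SAMPLE: List[Transaction] = [
    Transaction(40.0, 0.05, False),
    Transaction(120.0, 0.12, False),
    Transaction(75.0, 0.18, False),
    Transaction(310.0, 0.22, False),
    Transaction(55.0, 0.31, False),
    Transaction(980.0, 0.35, False),
    Transaction(60.0, 0.42, False),
    Transaction(210.0, 0.48, False),
    Transaction(150.0, 0.55, False),
    Transaction(430.0, 0.61, False),
    Transaction(90.0, 0.38, True),
    Transaction(1200.0, 0.57, True),
    Transaction(640.0, 0.72, True),
    Transaction(2100.0, 0.83, True),
    Transaction(350.0, 0.91, True),
]

# Thresholds to evaluate: decline any transaction whose score is at or above the threshold.
DEFAULT_THRESHOLDS = [i / 10 for i in range(1, 10)]


@dataclass(frozen=True)
class Outcome:
    threshold: float
    false_decline_rate: float   # share of legitimate transactions blocked
    fraud_catch_rate: float     # share of fraudulent transactions blocked
    legit_blocked_value: float  # legitimate commerce turned away, in USD
    fraud_missed_value: float   # fraudulent value allowed through, in USD
    expected_cost: float        # weighted sum of the two losses, in USD


def evaluate(txns: Iterable[Transaction], threshold: float,
             decline_cost_rate: float = 0.2, fraud_loss_rate: float = 1.0) -> Outcome:
    """Score one threshold against labelled transactions.

    decline_cost_rate and fraud_loss_rate are assumed weights: the fraction of a
    falsely declined transaction's value counted as lost revenue, and the fraction
    of a missed fraudulent transaction's value counted as a direct loss.
    """
    txns = list(txns)
    legit = [t for t in txns if not t.is_fraud]
    fraud = [t for t in txns if t.is_fraud]
    blocked_legit = [t for t in legit if t.risk_score >= threshold]
    caught_fraud = [t for t in fraud if t.risk_score >= threshold]
    missed_fraud = [t for t in fraud if t.risk_score < threshold]

    legit_blocked_value = sum(t.amount for t in blocked_legit)
    fraud_missed_value = sum(t.amount for t in missed_fraud)
    return Outcome(
        threshold=threshold,
        false_decline_rate=len(blocked_legit) / len(legit) if legit else 0.0,
        fraud_catch_rate=len(caught_fraud) / len(fraud) if fraud else 1.0,
        legit_blocked_value=legit_blocked_value,
        fraud_missed_value=fraud_missed_value,
        expected_cost=decline_cost_rate * legit_blocked_value + fraud_loss_rate * fraud_missed_value,
    )


def sweep(txns: Iterable[Transaction], thresholds: Iterable[float], **weights) -> List[Outcome]:
    """Evaluate every candidate threshold so the whole trade-off curve is visible."""
    txns = list(txns)
    return [evaluate(txns, th, **weights) for th in thresholds]


def best_threshold(txns: Iterable[Transaction], thresholds: Iterable[float], **weights) -> Outcome:
    """Pick the threshold with the lowest expected cost under the given weights."""
    return min(sweep(txns, thresholds, **weights), key=lambda o: o.expected_cost)


if __name__ == "__main__":
    print(f"{'thr':>4} {'false_decl':>10} {'fraud_caught':>12} {'legit_lost$':>11} {'fraud_thru$':>11} {'cost$':>8}")
    for o in sweep(SAMPLE, DEFAULT_THRESHOLDS):
        print(f"{o.threshold:>4.1f} {o.false_decline_rate:>10.0%} {o.fraud_catch_rate:>12.0%} "
              f"{o.legit_blocked_value:>11.0f} {o.fraud_missed_value:>11.0f} {o.expected_cost:>8.0f}")
    best = best_threshold(SAMPLE, DEFAULT_THRESHOLDS)
    print(f"lowest expected cost at threshold {best.threshold:.1f}")
```

On this constructed sample, a threshold of 0.2 declines 70% of legitimate transactions and still carries a higher expected cost than the best setting, while a threshold of 0.7 declines no legitimate transaction but lets 60% of the fraud through at an even higher cost; the minimum sits in between. The weights are the whole argument: a board that prices a false decline at zero will always choose the most aggressive threshold, which is the miscalibration the paragraph describes.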
Most board-level discussions about cyber risk focus on prevention: how do we stop a breach from happening? That is necessary but insufficient. Boards also need a plan for what happens in the first 72 hours after a breach is detected, because that is when character perception is formed. Who communicates to customers? What do they say? How quickly? With what level of transparency? The firms that answer these questions before a breach occurs are the ones whose character reputation survives intact.
The second question boards should ask is whether their cyber controls are calibrated to the business, not just to the threat. A control framework that prevents breaches but also prevents legitimate commercial activity is not protecting the firm. It is constraining it. The goal is not maximum security. It is appropriate security: controls that are proportionate to the risk, transparent to the customer, and aligned with the firm's commercial objectives.
Younger's framework reduces to a simple test. After a cyber incident, will people say the firm was unlucky, or will they say the firm behaved badly? The breach determines the first question. The response determines the second. Only one of those two judgements is permanent.
Written following the Oxford Cyber Security Executive Briefing, 2024.
References:
Younger, R. Oxford University Centre for Corporate Reputation.
Turton (2022), Byrd (2022), Benson (2022), Nelson (2022). Reporting on the IRA Financial Trust / Gemini breach.
Dobrygowski, D. and Vadala, D. (2020). Does Your Board Really Understand Your Cyber Risks? Harvard Business Review.