An economic study ‘The cyber value connection’ shows that a typical ‘severe’ cyber security breach represents a permanent cost of 1.8pc of company value, as measured relative to a control group of peer companies. For a typical FTSE 100 firm this equates to a permanent loss of market capitalisation of £120m, according to CGI.
The full ‘Cyber value connection’ report is available for download, including case studies of company share price performance following a cyber breach: www.cgi-group.co.uk/CyberValueConnection.
Andrew Rogoyski, Vice President of Cyber Security at CGI in the UK, said: “As identified in CGI’s Global 1000 Outlook report, cyber security is a still a top priority for businesses, but business leaders, policy makers and investors still have work to do to take cyber security risk far more seriously. We are beginning to see City analysts, venture capital firms and credit ratings agencies factor cyber security readiness into the way they assess firms – this is positive and should encourage boards across the world to treat cyber security as an enterprise-wide risk.
“In the US firms are already obliged to report a breach. The same will soon be true for companies conducting business across Europe when the General Data Protection Regulation (GDPR) and Network Information and Services Directive come into force in 2018. When that happens we are likely to see a rapid spike in publicly reported incidents in Europe and financial markets will respond accordingly. Company boards should be considering cyber security prevention and preparation as a critical way of protecting the interests of shareholders.”
The study is based on economic modelling from Oxford Economics, which made an ‘Event Study’ analysing a sample of public cyber security breaches since 2013 across seven global stock exchanges, based on information from the Gemalto Breach Level Index. A sample of 65 ‘severe’ and ‘catastrophic’ cyber security breaches were then analysed to indicate the impact of these more significant attacks on company share price performance.
When the cumulative impact on shareholder value is considered the 65 severe cyber security breaches have cost investors £42 billion in total. However, it is important to note this figure includes only publicly known severe breaches – the true amount of company value lost due to cyber attacks is likely to be far higher. Furthermore, the cost of cyber attacks to investors is likely to skyrocket in the near future, as the General Data Protection Regulation means firms operating in Europe must disclose cyber attacks. In Rogoyski’s estimation “only around 10-20pc of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of 10 when the new regulations take effect in May 2018.”
Ian Mulheirn, of Oxford Economics, said: “The study shows a significant connection between a severe cyber breach and a company’s share price performance. It was found that, on average, a firm’s share price was 1.8% lower in the wake of a breach than it would otherwise have been in the week following an attack. However, in some cases the relative share price fall for affected companies was much higher, with one attack lowering the company’s valuation by 15pc.
“With this methodology it’s important to view such underperformance as a permanent impact on the firm’s overall performance. That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents. Therefore, the reaction of a company’s share price in the immediate aftermath of a cyber breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.”
Comments
Guy Bunker, SVP Products, at cloud and data security product company Clearswift says of the GDPR: “Today, the fines which are in place for data breaches is relatively small, compared to those which will be coming in next year when the EU General Data Protection Regulation (GDPR) is enforced. The impact on share price will be more significant when this happens.
“However, businesses need to be focused on protecting their critical information rather than fines and the impact on share prices – although this does focus the minds of board members. For many organisations, the key is to understanding the critical information, discovering where it is located, how it is accessed and by who – without this, it is very difficult to adequately protect it. Today there are cost effective technologies which, coupled with processes, will help with this discovery process, including the flow of information inside, as well as across the organizational boundary and subsequently protect it.”
Alex Guillen-Estudillo, Go-to-Market marketing manager at IT services firm Insight UK, says: “Today’s news will hopefully be the wake-up call businesses need to bring cybersecurity to the top of the boardroom agenda. Recent advances in technology mean that businesses now have access to a wealth of data and with that comes a risk they cannot ignore. CGI’s research proves that taking a backseat approach not only affects a business’s reputation, but it has potentially crippling financial consequences if they do incur a data breach.
“Just last year it was revealed that cybercrime had cost the UK £11bn and today we are seeing how this number can be much larger for global investors. Recent data breaches remind us that no organisation – no matter how big or small – is exempt from malicious attacks and the best way to tackle this is to be prepared. While bolstering cyber security is vital, businesses also need a strategy for what happens when an attack does occur, and having a regular security training programme for all employees could be the answer. If the UK’s corporate landscape takes advantage of the numerous tools and services that not only help cement their cybersecurity practice, but also reduce the fallout, they will have the best chance at ensuring their reputation as a trustworthy business is maintained.”
And Paul Farrington, EMEA Solution Architects Manager, at application security product company Veracode, says: “Research conducted by Cebr demonstrated the significant impact to share price following the disclosure of a cybersecurity breach, with AOL suffering a 23.56pc drop in share price one month following its breach. This has meant that many organisations have hidden cyberattacks and data breaches out of fear of reputation damage and litigation.
“With GDPR, organisations will be obliged to disclose cyberattacks within 72 hours of the breach. And while transparency is of course a noble principal, we know today that many organisations are sitting on significant technical debt.
“In 2016, application vulnerabilities were the single biggest source of data loss. So whilst, of course, corporations ought to be held accountable to their customers, legislators should also be doing more to compel organisations to fix the root cause of the breach, which is insecure code that has not been assessed for security weaknesses. With fewer than four in 10 applications passing security policy requirements on initial assessment, naming and shaming alone will not fix this problem. Instead, we need to completely readdress how organisations approach application and software development.”
