At the risk of stating the obvious, a cyber event can be very expensive for a company. Not convinced? Just ask Target. As the company reported in January 2015, the total costs incurred in 2013 and 2014 were $252 million. Some have argued that after insurance recoveries and tax deductions are taken into account, cyber events may not be financially significant for a company, and that the financial consequences may not justify investing in expensive cyber security measures. While there are good counterarguments that investing in cyber security makes sense, a company now also needs to consider what would happen if a breach affected the company’s value.
Can a cyber event affect a company’s share price? Recent research suggests that it can.
CGI Group, Inc. in conjunction with Oxford Economics has published a new report that documents the effect of a severe cyber event on a company’s share price. The researchers looked at 315 events since 2013 with particular focus on those rated as “severe” or “catastrophic” on the Gemalto Breach Level Index. Those “severe” or “catastrophic” events (generically referred to as breaches in the report) affected 65 different companies that are publicly listed on one or more of seven global stock exchanges.
The report contains a number of interesting findings:
- A severe breach reduces a company’s value
Share prices fall by an average of 1.8% during the first week after a severe breach. In some cases the drop is as high as 15%.
- Underperforming companies fare worse than others
Companies that are underperforming other companies in their peer group saw their share prices decline by 2.7%. The share price drop for companies that were out-performing their peer group was 1.1%.
- A majority of companies lose value as a result of a severe breach
Two thirds of the companies that experienced a severe data breach saw their share prices decline relative to other companies in their peer group.
- The negative effect of severe breaches on a company’s value is growing
More recent breaches are producing larger impacts on share prices. Breaches in 2013 produced an average 0.2% drop in the affected companies’ shares on the Friday following disclosure of the event. In 2014 the average drop was 1.5%, and in 2015 and 2016 the drop increased to 2.7%.
- Some business sectors are being hit harder than others
The financial and communications sectors have been hit hardest. Their average share prices declined by 2.7% and 2.6% respectively. Surprisingly, the retail, hospitality and travel sector and the healthcare sector fared much better. Declines for those sectors were only 0.4% and 0.7% respectively.
The CGI report asserts that the declines in share prices are permanent. There is no data in the report that supports that, though. The basis for the assertion seems to be captured in comments from Ian Mulheirn of Oxford Economics in the press release announcing the report:
With this methodology it’s important to view such underperformance as a permanent impact on the firm’s overall performance. That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents. Therefore, the reaction of a company’s share price in the immediate aftermath of a cyber breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.
This challenges the assumption I think a lot of us have made that, except in rare circumstances, even a large data breach seldom has a lasting effect on a company’s value. More research will be needed to test the hypothesis that a breach has a permanent effect. While I tend to think it will be very difficult to establish that a breach permanently reduces a company’s share price, if that could be shown it could help build a much-anticipated wave of breach-related shareholder suits against directors and officers.
The CGI report is likely to be sobering, if not altogether surprising, news for corporate leaders around the world. Empirical evidence that severe cyber events affect a company’s share price should spur even greater effort to identify and manage cyber risks and their financial consequences.