At the risk of stating the obvious, a cyber event can be very expensive for a company. Not convinced? Just ask Target. As the company reported in January 2015, the total costs incurred in 2013 and 2014 were $252 million. Some have argued that after insurance recoveries and tax deductions are taken into account, cyber events may not be financially significant for a company, and that the financial consequences may not justify investing in expensive cyber security measures. While there are good counterarguments that investing in cyber security makes sense, a company now also needs to consider what would happen if a breach affected the company’s value.
Can a cyber event affect a company’s share price? Recent research suggests that it does.
CGI Group, Inc. in conjunction with Oxford Economics has published a new report that documents the effect of a severe cyber event on a company’s share price. The researchers looked at 315 events since 2013 with particular focus on those rated as “severe” or “catastrophic” on the Gemalto Breach Level Index. Those “severe” or “catastrophic” events (generically referred to as breaches in the report) affected 65 different companies that are publicly listed on one or more of seven global stock exchanges.
The report contains a number of interesting findings:
- A severe breach reduces a company’s value
Share prices fall by an average of 1.8% during the first week after a severe breach. In some cases the drop is as high as 15%.
- Underperforming companies fare worse than others
Companies that are underperforming other companies in their peer group saw their share prices decline by 2.7%. The share price drop for companies that were out-performing their peer group was 1.1%.
- A majority of companies lose value as a result of a severe breach
Two thirds of the companies that experienced a severe data breach saw their shares prices decline relative to other companies in their peer group.
- The negative effect of severe breaches on a company’s value is growing
More recent breaches are producing larger impacts on share prices. Breaches in 2013 produced an average 0.2% drop in the affected companies’ shares on the Friday following disclosure of the event. In 2014 the average drop was 1.5%, and in 2015 and 2016 the drop increased to 2.7%.
- Some business sectors are being hit harder than others
The financial and communications sectors have been hit hardest. Their average share prices declined by 2.7% and 2.6% respectively. Surprisingly, the retail, hospitality and travel sector and the healthcare sector fared much better. Declines for those sectors were only 0.4% and 0.7% respectively.
The CGI report asserts that the declines in share prices are permanent. There is no data in the report that supports that though. The basis for the assertion seems to be captured in comments from Ian Mulheirn of Oxford Economics in the press release announcing the report:
With this methodology it’s important to view such underperformance as a permanent impact on the firm’s overall performance. That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents. Therefore, the reaction of a company’s share price in the immediate aftermath of a cyber breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.
This challenges the assumption I think a lot of us have made that, except in rare circumstances, even a large data breach seldom has a lasting effect on a company’s value. More research will be needed to test the hypothesis that a breach has a permanent effect. While I tend to think it will be very difficult to establish that a breach permanently reduces a company’s share price, if that could be shown it could help build a much-anticipated wave of breach-related shareholder suits against directors and officers.
The CGI report is likely to be sobering, if not altogether surprising, news for corporate leaders around the world. Empirical evidence that severe cyber events affect a company’s share price should spur even greater effort to identify and manage cyber risks and their financial consequences.
As technology progress and capabilities of information warfare have developed significantly in recent years, the probability of cyber attacks have increased as well. Computer-network attacks mainly known as cyber attacks can destroy adversary data, computer systems, and networks, and can have a major effect on an adversary’s ability to wage war (Bayles, 2001).
Unauthorized attacks are attacks in which attacker get access in to the system by the means of different hacking or cracking techniques. This type of activity will be performed by some outsider who wants to have access of the system in order to use it for some negative purpose.
In the cyber arena especially during business transaction, the situation is, in some ways, worse than simply paying too little heed to a potential new threat until it manifests itself such the result of the processes where sometimes becomes biased or unfavorable. Threats in the cyber arena have manifested themselves. We are reminded constantly of our vulnerabilities to the threat, yet we still are not doing enough. Every hour of every day, some individual or group is writing or disseminating a new disruptive virus or worm or is breaking into a computer network or to harm a network by some other means. It is usually said that it is very productive and simple to bring computer in our systems and to increase its usage but at the same time it is significantly difficult and far more expensive to develop technologies to make it secure mainly because of the internet, a network which is used to share information rather than hiding it. Most cyber attackers are attracted to high value targets such as networks, servers, or routers, whose disruption could yield financial or political consequences (Vatis, 2001).
Risk management plays a great role in managing this specific risk. Risk will always be manageable and measurable. In order to be a victim of a fraud everyone takes accountability and responsibility.