Damage caused by a cyber-attack goes far beyond the direct cost of the hack itself; increasingly there is a significant reputational cost as well.
Severe cyber-break-ins permanently stripped 1.8 per cent off companies’ stock prices, on average, according to a new study by Oxford Economics.
To put that 1.8 per cent drop in context, it represents a permanent loss of market capitalisation of £120m for a typical FTSE 100 business.
Some 315 breach events were examined in total, with a focus on 65 “severe” and “catastrophic” breaches occurring since 2013 across seven global stock exchanges. The study showed a significant connection between a severe cyber breach and a company’s share price performance, allowing the researchers to attribute drops in share prices to the hack itself rather than to wider market movements.
It was found that, on average, a firm’s share price was 1.8 per cent lower in the week following an attack than it would otherwise have been. In some cases, however, the relative share price fall for affected companies was much higher, with one attack lowering the company’s valuation by 15 per cent.
With this methodology it’s important to view such under-performance as a permanent impact on the firm’s overall performance. That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents. Therefore, the reaction of a company’s share price in the immediate aftermath of a cyber breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.
The analysis found that the studied security breaches cost investors at least £42bn in total. More than half of the sample – 38 to be precise – were US companies, while 14 were UK companies.
Disclosing cyber attacks
Europe’s General Data Protection Regulation, which comes into effect in May 2018, means firms operating in Europe must disclose cyber-attacks within 72 hours of the breach. This implies that the cost of break-ins will increase, because more of them will become public.
The cost involves numerous factors, some of which are difficult to compute. These include hiring external consultants to deal with a break-in, other incident response costs, and sourcing and installing extra security controls. They also include (potentially) customer compensation, lost business during an outage or suspension of service while a security problem is resolved, possible impairment of goodwill, and more.
Senior executives need to understand the impact of data loss on a business’s value. They should also consider how new regulations on the mishandling of data will strongly increase the public visibility of future hacks, and how their organisations will plan for, manage and report cybercrime as incidents continue to rise.
The response to a cyber breach can only be as good as a company’s preparation for it. Once a breach has occurred the clock is ticking, and a business will have only a short period of time to instruct cyber specialists, lawyers, PR managers and insurers, while at the same time fulfilling its regulatory obligations and positioning itself in the best way possible to respond to, and mitigate, any potential regulatory investigation and media scrutiny.
Typically, the real threat to UK businesses is not a fine from the Information Commissioner’s Office (ICO). Such a fine is a drop in the ocean compared to the bad press and loss of customer confidence that often follow a cyber-hack.