Cyberattacks wipe more than $50bn off big biz value, say beancounters

Wak€ up and patch your sy£tems, already

Severe cyber-break-ins permanently stripped 1.8 per cent off companies' stock prices, on average, according to a new study out today.

Putting that 1.8 per cent drop in context, that dip represents a permanent loss of market capitalization of £120m ($150m) for a typical FTSE 100 biz, we're told.

Eggheads at Oxford Economics in England analyzed a sample of 65 publicly disclosed corporate network intrusions since 2013 from around the world. We're told the Gemalto Breach Level Index was used to select the victims. Their share performance post-breach was then compared against a control group of similar companies that hadn't experienced a data theft. That allowed the researchers to link drops in share prices to hacking rather than market ripples.

"The study shows a significant connection between a severe cyber breach and a company's share price performance," said Ian Mulheirn of Oxford Economics.

"It was found that, on average, a firm's share price was 1.8 per cent lower in the wake of a breach than it would otherwise have been in the week following an attack. However, in some cases the relative share price fall for affected companies was much higher, with one attack lowering the company's valuation by 15 per cent.

"With this methodology it's important to view such underperformance as a permanent impact on the firm's overall performance. That's because a firm's share price reflects market participants' expectations of future profitability as markets 'price-in' such incidents. Therefore, the reaction of a company's share price in the immediate aftermath of a cyber breach should be viewed as representing the permanent effect of the attack on the firm's future profits."

The number crunchers claim the studied security breaches cost investors £42bn (US$52bn) in total. More than half of the sample – 38 to be precise – came from the US, while UK companies made up 14.

Europe's General Data Protection Regulation, which comes into effect in May 2018, means firms operating in Europe must disclose cyber attacks within 72 hours of the breach, implying the cost of break-ins will increase because more will become public.

The cost involves numerous factors, some of which are difficult to compute. These include hiring external consultants to deal with a break-in, other incident response costs, and sourcing and installing extra security controls. They also include (potentially) customer compensation, lost business during an outage or suspension of service while a security problem was resolved, possible impairment of goodwill, and more.

The researchers' Cyber-Value Connection report, sponsored by CGI Group, was produced to help senior execs understand the impact of data loss on a business' value. It examines factors such as how new regulations for mishandling data will strongly impact the public visibility of future hacks as well as how organisations will plan for, manage and report cybercrime, as incidents continue to rise.

Simon Moffatt, senior product manager at ForgeRock, said: "The report by CGI Group and Oxford Economics demonstrates that the damage caused by a cyberattack goes far beyond the direct cost of the hack itself; increasingly there is a significant reputational cost as well."

Reg comment

The profit and loss of major breach victims such as Target, TJ Maxx, Heartland Payment Systems, Anthem, Yahoo!, TalkTalk et al normally take a hit in the quarter or quarters following a cyberattack, but these figures often rebound in the long term. Wouldn't share prices recover too? It seems a bit of a leap of faith to suggest that break-ins have a permanent effect on a firm's business. Panic selling by some investors in the immediate wake of a hack, which would explain at least part of a drop in share price, doesn't seem like a reliable metric even as a small part of "priced-in" permanent post-hack business impairment.

In short, the study feels like a stick designed to (finally) persuade the boardroom to pay attention to the risk of cybercrime and act accordingly by coming up with a well-thought-out and properly resourced security policy. ®