Single breach can wipe 1.8 per cent of market cap
A data breach can decimate market value of a company to the tune of £120 million, finds first study to definitively link the two...
What is thought to be the first in-depth economic study into the correlation between a business suffering a data breach and resulting share prices has been published.
The headline discovery, while anecdotally unsurprising, is that a severe digital breach costs a publicly listed company an average of 1.8 per cent of company value. For a typical FTSE 100 firm this equates to a permanent loss of market capitalisation of a sizeable £120m, signalling a significant loss of value for shareholders.
When the cumulative impact on shareholder value was considered the 65 severe cyber security breaches sampled in the study ended up costing investors £42bn in total.
However, the study notes, in some extreme cases, serious breaches have wiped as much as 15 per cent from affected companies’ valuations. The most obvious recent example of this mechanism in real-world action is Yahoo’s acquisition by Verizon, a deal which saw $350m (£279m) lopped off the agreed price of $4.8bn (£3.9bn) after two huge - and very public - data breaches were admitted last year. That’s actually a particularly bruising deal for Yahoo in the light of this study, a drop of more than seven per cent.
The study found that a full two-thirds of companies that suffered a severe breach saw their share price drop permanently after the incident.
One case gave a dramatic demonstration of the impact - the graph shows share price movement of a UK Communications company, compared to a control group of similar firms. The company suffered two separate attacks during 2015. The first attack (shown as occurring in week two in the graph) had little discernible impact on the company’s share price, but a second major breach in week five saw the stock valuation plummet. While the company estimated that the hack resulted in between £30-35 million in one-off costs, its value fell by more than £430 million in the week following the incident.
The researchers noted that not all companies are equal - those that were already underperforming in comparison with their peer group saw their share price impacted harder — a reduction of 2.3 per cent in comparison with an average of 1.1 per cent for companies performing ahead of their peer group. There was also evidence that the impact of cyber attacks on share price has become more pronounced over recent years. Breaches that occurred over the past 18 months led to a much more severe negative impact – particularly in comparison to 2013.
The ‘Event Study’, by Oxford Economics and CGI analysed a sample of public cyber security breaches since 2013 across seven global stock exchanges, based on information from the Gemalto Breach Level Index. A sample of 65 ‘severe’ and ‘catastrophic’ cyber security breaches were then analysed to indicate the impact of these more significant attacks on company share price performance.
As the researchers noted, the tendency of European companies to keep quiet about breaches if possible has resulted in only an estimated 10-20 per cent being made public currently. This figure is set to change dramatically when compulsory breach notification legislation under GDPR comes into force next year in May 2018, which in turn could lead to a much rockier ride for Euro stock markets as a result.
Whether your business is ‘ready’ for GDPR or not, it’s certainly a good time to think about upgrading your cybersecurity management stance through these four easy steps:
Comprehensive inventory of your digital assets
Make sure that you continuously monitor all your digital assets: data, users, software and hardware. In the era of cloud, BYOD, BYOA and outsourcing - it’s a challenging task, but without it you’d better not to spend on cybersecurity.
Holistic risk assessment and priority-based risk mitigation plan
Once you have a comprehensive inventory of your digital assets, you need to organize all relevant people from your organization and external experts to conduct holistic risk assessment. You need to identify and prioritize all risks applicable to your organization, your business processes and your people. Once identified, assign the right people to mitigate those risks, related threats and vulnerabilities within a clear timeline.
RFP, vendor evaluation and implementation
Keep in mind that a solution working perfectly at UBS or HSBC premises may fail at your organization. Not because the solution is bad, but just because it may be inappropriate for your business processes, company size, business culture or employees. Before signing a cybersecurity offer – follow a thorough RFP process.
Evaluation, review and continuous monitoring
Once deployed into production, make sure that a security solution meets the initial requirements in accordance to your risk mitigation plan. Implement continuous monitoring for your digital assets, emerging risks, threats and vulnerabilities; re-assess your risks when required.