Report assesses cyberattack cost on share values

A UK study suggests that major cyber security attacks launched against companies in recent years have wiped at least £42bn (US$52.4bn) off the value of their shares.

The research, commissioned by cyber security consultant CGI and conducted by business management consultant Oxford Economics, found a “significant connection between a severe cyber breach and a company’s share price performance”, with the share price typically falling by an average of 1.8% on a permanent basis.

Investors in a typical FTSE 100 company would be worse off by an average of £120m after a breach, according to the study. The analysis covered 65 “severe” to “catastrophic” cyber security breaches out of a total of 315 breach events since 2013.

Andrew Rogoyski, CGI’s vice president of cyber security in the UK, believes that “only around 10% to 20% of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of 10” when regulation requiring companies to notify users of a breach within 72 hours is introduced in May 2018.

“We are beginning to see city analysts, venture capital firms and credit ratings agencies factor cyber security readiness into the way they assess firms,” Rogoyski added. “This is positive and should encourage boards across the world to treat cyber security as an enterprise-wide risk.”

Oxford Economics collated the data using the Gemalto ‘Breach Level Index’, which records all disclosed cyber security breaches that affected listed firms between 2013 and 2016. Two in three firms suffered an adverse impact on their share price after being targeted by a cyber breach, with the financial services sector hit hardest, followed by companies in the communications industry.

“Financial services experience the greatest burden in terms of impact, reflecting the high levels of regulation, the importance of customer confidence and the potential for financial fraud to be a facet of the breach,” the report’s authors state.

Commenting on the report, Jake Summerfield, managing director of event manager The Network Group Events, said that it was important to remember that not all cyber-attacks necessarily result in a hit to share prices.

“From our close work with chief information security officers (CISOs) from the FTSE 250 at the Financial Services Information Security Network event, in many cases where cyber-attacks do occur shareholders are not affected, and it’s often down to the way firms respond to a breach.

“Even with investment in cyber-security measures, no firm is 100% safe from a potential attack. Whether or not an assault impacts share price is therefore down to how a company responds to a suspected breach, and whether the way they store their data is compliant with data laws. After all, there are two types of company: those that have been hacked, and those that don’t know they’ve been hacked.”


