One of the great, unanswered questions in the security field is what adverse cyber incidents really cost businesses. Do hacks and data breaches really drive customers away? Depress sales or scare off investors?
That’s a critical question because businesses are all about managing risks. But to manage risk you must understand what it is you’re managing. From the CEO or Board of Directors’ perspective, investments only make sense to the extent that they build a business: boosting earnings or hedging against losses. To make it super simple: it doesn’t make any sense to spend, let’s say, $100,000 on a cyber defense if the “bad outcome” you’re hoping to avoid won’t cause more than $10,000 in direct or indirect damages to the firm. In that instance, you’re overpaying for security.
But the costs associated with security incidents are notoriously hard to measure. Direct costs, like hiring experts to investigate and clean up after a breach, or making customers “whole” (typically through credit monitoring services and refunds), are well understood. The insurance industry has stepped up with products designed to give companies protection against those kinds of costs associated with cyber-attacks.
But what about the indirect costs of cyber incidents like data breaches? Those are notoriously difficult things to measure. Do customers think less well of your firm after a data breach and choose to shop elsewhere? Do business partners become wary of sharing information, linking sensitive systems or sharing proprietary data? Perhaps most important: do investors begin to look askance at a company that has been breached?
Well, now there’s some interesting data on that last item, the impact on share price, from a report by the firm CGI and Oxford Economics. It suggests that the impact of breaches on the price of a company’s stock may be bigger than many expected.
In a report released this week, CGI and Oxford presented the results of an analysis of the performance of the stock of firms that were the subject of ‘severe’ and ‘catastrophic’ breaches. Those events were selected from a register of 315 breach events in the recent Gemalto Breach Level Index report.
The companies concluded that severe cybersecurity breaches impose a “permanent cost” of 1.8 per cent of the company’s value – a hit of approximately $150 million (£120 million) for the average firm on London’s FTSE index. In some cases, breaches have taken as much as 15% off an affected company’s valuation, the companies said.
To do their study, CGI and Oxford examined share price movements in companies that had experienced cyber breaches and compared them to the share price movements of a cohort of similar companies operating in the same markets. The goal: isolating the impact of the cyber breach from other, broader market movements.
They found that two thirds of the companies they studied that had experienced a severe data breach had their share price adversely impacted, in comparison with their peer group, after the breach. The impact wasn’t the same for every company. CGI and Oxford found that it varied by industry sector, with financial (-2.7%), communications (-2.6%), industrial (-2.3%) and technology (-2.1%) firms experiencing the biggest hits to their share price, while sectors like healthcare (-0.7%) and retail (-0.4%) were less affected.
The largest individual hits were to media and communications, retail and technology firms, which experienced drops ranging from 7% to 15% in their share price.
The factors that drag a stock price down are many and complex, but CGI and Oxford point to things like public (media) attention to the incident, which sours investors, as well as follow-on revelations about legal proceedings and possible regulatory and compliance costs associated with an adverse incident like a breach.
Those effects can also be lasting. The firms that suffered the ten largest share price impacts were firms in which the breach continues to be a topic that affects their ongoing business performance. For those companies, markets, investors and customers want reassurance that business operations are fully restored and that the security vulnerabilities have been removed, and that puts a drag on recovery from the incident.
The findings of the CGI/Oxford/Gemalto study go alongside efforts by The Ponemon Institute and others to quantify the cost of breaches and other adverse cyber incidents. The stock price report is just another data point, but it’s also a powerful metric to throw out there to “bottom line”-focused Board members and executives about the real cost of insecurity. Here’s hoping they take notice!