Public limited companies (PLCs) can expect their share price to tumble at least 1.8% following a severe breach, equating to £120m for a FTSE100 firm, according to a new study carried out by Oxford Economics.
The advisory firm was commissioned by IT services giant CGI Group to assess for the first time the impact of serious cyber-attacks on organizations’ market value, hoping to drive home the importance of information security to board members.
The firm studied a sample of over 60 public security breaches outlined in the Gemalto Breach Level Index between 2013 and 2016, and then compared the share price performance of the firms that suffered the most severe incidents with that of a control group that didn’t suffer a breach.
These 'control' organizations are located in the same country, have a similar number of employees and operate in the same sector as the breached firms.
The study not only revealed the average financial hit to a breached firm amounted to 1.8% of its share price, but also that this figure had doubled in the past 18 months.
CGI vice-president of cybersecurity, Andrew Rogoyski, claimed the true figure is likely to be much higher when breach notification laws are introduced with the European General Data Protection Regulation (GDPR).
“Only around 10%-20% of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of 10 when the new regulations take effect in May 2018”, he argued.
Oxford Economics’ director of consulting, Ian Mulheirn, added that in some cases, a breach can lower a PLC’s share price by as much as 15%.
“With this methodology it’s important to view such underperformance as a permanent impact on the firm’s overall performance. That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents”, he explained.
“Therefore, the reaction of a company’s share price in the immediate aftermath of a cyber-breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.”
Raj Samani, chief scientist at McAfee, claimed the report should serve as a warning to organizations worldwide.
“Corporations cannot afford to dismiss cybersecurity as a problem which just belongs to the IT department. The financial future of a corporation – and often that of its customers – can hinge upon the security of its business and user information”, he argued.
“As a result, it is crucial for executives, including the CFO and CEO, to take an active role in understanding the level of cyber-risk they’re exposed to in order to implement an appropriate, effective cybersecurity strategy.”
Guy Bunker, senior vice president of products at Clearswift, added that the impact on share price will be even greater post-GDPR because of the heavy fines set to be levied by the regulation.
“For many organizations, the key is understanding the critical information, discovering where it is located, how it is accessed and by who; without this, it is very difficult to adequately protect it,” he claimed.