evievee09 - Fotolia

Data breaches strip tens of millions off UK firms’ market value, study shows

Security experts say the fact that data breaches at FTSE 100 firms cost on average £120m in market value should be a wake-up call for boards to ensure they have an adequate cyber security strategy

Cyber attacks on top UK companies are leading to losses of 1.8% of share price or £120m on average, according to a study on the effects of data breaches on share prices.

This has doubled in the past 18 months, according to the report released by global advisory firm Oxford Economics and IT and business process services firm CGI.

The report is based on a study of 65 severe or catastrophic breaches at FTSE 100 companies in the past four years and indicates that investors are now punishing companies more harshly for cyber attacks.

The cyber value connection report, which is aimed at helping senior business people understand the impact of cyber breaches on company market value, reveals that investors have lost at least £42bn since 2013 due to the severe public domain cyber security incidents used for the study.

However, the report notes that this figure includes only 65 publicly known severe breaches, which means the true amount of company value lost due to cyber attacks is likely to be far higher.

The report examines factors such as how new regulations for mishandling data will also strongly impact the public visibility of future breaches and therefore how organisations will plan for, manage and report cyber crime as incidents continue to rise.

“Cyber security is a still a top priority for businesses, but business leaders, policy makers and investors still have work to do to take cyber security risk far more seriously,” said Andrew Rogoyski, vice-president of cyber security at CGI in the UK.

“We are beginning to see city analysts, venture capital firms and credit ratings agencies factor cyber security readiness into the way they assess firms. This is positive and should encourage boards across the world to treat cyber security as an enterprise-wide risk.”

Read more about data breaches

A good example of the effects of data breaches on company value is Yahoo, which was forced to discount by $350m the sale price of its core business to Verizon after revelations of data breaches in 2013 and 2014 affecting one billion and 500 million accounts, and of hackers forging cookies to gain access to customer accounts.

The cost of cyber attacks to investors is likely to skyrocket in the near future, said Rogoyski, as the General Data Protection Regulation (GDPR) and Network Information Security (NIS) directive mean that firms dealing with European citizens’ data must disclose all breaches of that data.

He estimates that only around 10% to 20% of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of 10 when the new regulations take effect in May 2018.

“We are likely to see a rapid spike in publicly reported incidents in Europe and financial markets will respond accordingly. Company boards should be considering cyber security prevention and preparation as a critical way of protecting the interests of shareholders,” said Rogoyski.

Cyber breaches affect share prices

Ian Mulheirn, director of consulting at Oxford Economics, said the study shows a significant connection between a severe cyber breach and a company’s share price performance.

“It was found that, on average, a firm’s share price was 1.8% lower in the wake of a breach than it would otherwise have been in the week following an attack. However, in some cases the relative share price fall for affected companies was much higher, with one attack lowering the company’s valuation by 15%.”

Mulheirn said such underperformance should be viewed as a permanent impact on the firm’s overall performance.

“That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents. Therefore the reaction of a company’s share price in the immediate aftermath of a cyber breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.”

Raj Samani, chief scientist at McAfee said: “This latest research revealing the detrimental impact cybercrime can have on an organisation’s market value should serve as a warning to corporations across the globe. Data breaches damage far more than a company’s reputation, often hitting the bottom line hard.

“Corporations cannot afford to dismiss cyber security as a problem which just belongs to the IT department. The financial future of a corporation – and often that of its customers – can hinge upon the security of its business and user information.

“As a result, it is crucial for executives, including the chief financial officer and CEO, to take an active role in understanding the level of cyber risk they’re exposed to in order to implement an appropriate, effective cyber security strategy. This process should include assessing the value of the company’s data assets and implementing mitigation strategies appropriately proportioned to the level of risk involved.”

Making cyber security a priority

Alex Guillen-Estudillo, go-to-market marketing manager at Insight UK, said: “Today’s news will hopefully be the wake-up call businesses need to bring cyber security to the top of the boardroom agenda.

“Recent advances in technology mean that businesses now have access to a wealth of data and with that comes a risk they cannot ignore. The research proves that taking a backseat approach not only affects a business’s reputation, but it has potentially crippling financial consequences if they do incur a data breach,” he said.

Simon Moffatt, senior product manager at ForgeRock, said all organisations should have fully documented data breach plans in place that both minimise risk and enable them to respond quickly and effectively to any issues.

“As more and more services are delivered through digital channels, implementing strong device and person-based identity and access management practices will also be critical,” he said.

CGI’s recommends eight steps to achieve effective cyber security governance:

1. Appoint someone at board level to be responsible for cyber security with the authority and know-how to address the risks and demonstrate leadership during times of crisis.

2. Include cyber security on every board agenda, reporting on: risk to the business, nature of sensitive data and mitigation progress at a minimum.

3. Treat cyber security as a company-wide business risk and assess as you would with other key business risks such as major safety issues, environmental disasters and accounting scandals,

4. Ensure that the company understands the rapidly developing legal landscape that applies to cyber risk – in particular, begin preparing for the GDPR and NIS directive now.

5. Get specialist expertise to advise and inform the board, whether from internal teams or external advisors.

6. Set a programme of work to manage cyber risk, allowing a realistic time and budget.

7. Encourage discussion about risk appetite, risk avoidance, risk mitigation and cyber security insurance.

8. Assume you have already been breached but you might not yet know about it. Take action to reassure yourself no such attack has taken place, but plan on the assumption that they have.

Read more on Hackers and cybercrime prevention