CGI-Oxford Economics Study: “Severe cyber breaches lead to massive decline in share prices”

CGI has unveiled the results of an in-depth economic study entitled ‘The Cyber-Value Connection’, which shows that a typical ‘severe’ cyber security breach represents a permanent cost of 1.8% of a company’s value, as measured relative to a control group of peer companies. For a typical FTSE 100 firm, this equates to a permanent loss of market capitalisation of £120 million, signalling a significant loss of value for shareholders.

“As duly identified in CGI’s Global 1,000 Outlook report, cyber security remains a top priority for businesses, but business leaders, policy-makers and investors still have much work to do when it comes to taking cyber security risk far more seriously,” commented Andrew Rogoyski, vice-president of cyber security at CGI in the UK.

Rogoyski continued: “We’re beginning to see City analysts, venture capital firms and credit ratings agencies factor cyber security readiness into the way in which they assess firms. This is positive and should encourage Boards across the world to treat cyber security as an enterprise-wide risk.”

The study is based on economic modelling from Oxford Economics, which conducted an ‘Event Study’ analysing a sample of public cyber security breaches since 2013 across seven global Stock Exchanges based on information collated from the Gemalto Breach Level Index. A sample of 65 ‘Severe’ and ‘Catastrophic’ cyber security breaches was then analysed to indicate the impact of these more significant attacks on company share price performance.

Cost to investors of £42 billion

When the cumulative impact on shareholder value is considered, the 65 ‘Severe’ cyber security breaches have cost investors £42 billion in total. However, it’s important to note this figure includes only publicly known severe breaches: the true amount of company value lost due to cyber attacks is likely to be far higher.

Furthermore, the cost of cyber attacks to investors is likely to skyrocket in the near future, as the EU’s General Data Protection Regulation (GDPR) means that firms operating in Europe must disclose cyber attack episodes.

In Rogoyski’s estimation “only around 10%-20% of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of ten when the new regulations take effect in May 2018.”

Permanent impact on company performance

Ian Mulheirn of Oxford Economics commented: “The study shows a significant connection between a severe cyber breach and a company’s share price performance. It was found that, on average, a firm’s share price was 1.8% lower in the wake of a breach than it would otherwise have been in the week following an attack. However, in some cases the relative share price fall for affected companies was much higher, with one attack lowering the company’s valuation by no less than 15%.”

Mulheirn continued: “With this methodology, it’s important to view such under-performance as a permanent impact on the firm’s overall performance. That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents. Therefore, the reaction of a company’s share price in the immediate aftermath of a cyber breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.”

Rogoyski also stated: “In the US, firms are already obliged to report a breach. The same will soon be true for companies conducting business across Europe when the GDPR and the Network Information and Services Directive (NISD) come into force in 2018. When that happens, we’re likely to see a rapid spike in publicly reported incidents in Europe and the financial markets will respond accordingly. Company Boards of Directors should be considering cyber security prevention and preparation now as a critical way of protecting the interests of shareholders.”

Eight steps to achieve effective cyber security governance

* Appoint someone at Board level to be responsible for cyber security with the authority and know-how to address the risks and demonstrate leadership during times of crisis

* Include cyber security on every Board meeting agenda, reporting on risk to the business, the nature of sensitive data and mitigation progress as a minimum

* Treat cyber security as a company-wide business risk and assess this subject as you would with other key business risks such as major safety issues, environmental disasters and accounting scandals

* Ensure that the company understands the rapidly developing legal landscape that applies to cyber risk (in particular, begin preparing for the GDPR and the NISD now)

* Arrange for specialist expertise (internal teams or external advisors) to advise and inform the Board

* Set a programme of work to manage cyber risk, allowing a realistic time and budget

* Encourage discussion about risk appetite, risk avoidance, risk mitigation and cyber security insurance

* Assume that you’ve already been breached, but you might not yet know about it. Take action to reassure yourself that no such attack has taken place, but plan on the assumption that it has

‘The Cyber-Value Connection’ report is available for download, and includes Case Studies of company share price performance following a cyber breach. Access the report here:

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.