In the second instalment of a three-part series for Risk UK exploring ‘cyber’, what it is and how to manage it, Colin Lobley examines how cyber-driven threats stack up against other forms of risk and asks the fundamental question: “Is ‘cyber’ really the biggest risk a corporation faces, as many of today’s commentators would lead us to believe?”
Last month’s inaugural article entitled ‘Why Cyber Security is NOT a Boardroom issue’ (Risk UK, March 2015, pp56-57) boldly stated just that: cyber security is not a Boardroom issue contrary to mainstream views that it is (or should be).
The conclusion was that a more sensible approach is to integrate the value output of ‘cyber’ capability (ie IT and information) into operational performance reports and the business risks stemming from the cyber threat into existing operational and enterprise risk processes. Here, cyber security becomes a footnote in Board-level risk reports. A sub-section, if you like, that looks at how those risks are controlled.
Cyber incidents are seemingly high cost but have minimal impact on business value. It’s difficult to argue against the global reports and statistics here. Most are based on rigorous research practices. Study findings suggesting that data theft and other cyber crimes are on the rise year-on-year on the global stage, both by country and by sector, are sound.
It’s also difficult to argue that cyber security incidents do not have a cost attached to them. Robust studies show that, summed up on a global scale, those costs are also increasing.
That, though, is where these studies stop. They give general global averages and trends, rarely offering anything that’s uniquely relevant to an organisation attempting to conduct a cyber risk assessment. They offer no comparative analysis of how a residual cyber risk stacks up against other forms of risk.
Similarly, they offer no comparative analysis of how the cyber incident costs compare with other major risk events encountered on occasion by today’s businesses.
Perhaps most importantly, these studies stop after having given us those largely meaningless averaged global cost impacts rather than exploring the ultimate impact of incidents on business value (which Best Practice tells us is a task we should be addressing and completing).
Let’s explore beyond the superficial cost impacts and review financial statements and share price performance before, during and after cyber incidents to assess the real impact on company value.
Doing so yields some surprising results. In fact, my own analyses have shown that:
• The impact on shareholder value of cyber incidents is often smaller than many other types of risk event
• By inference, this lower-than-expected impact means that risks stemming from the cyber threat would be scored lower than other risks (even when ‘likelihood’ is factored into the risk equation)
The cyber incident scare stories – otherwise known as Case Studies – that attribute massive losses to the breach in question are misleading. Those losses are actually caused by completely non-cyber-related events and external factors.
The Sony PlayStation Hack
In 2011, the personal data of approximately 77 million Sony PlayStation customers was stolen and the network was down from 20 April for 23 days. National media articles harangued the Sony Corporation in what was billed as one of the largest data thefts in history (and, indeed, remains so to this day).
Sony Corporation’s response to the issue was widely regarded as being poor due to a slow start in terms of communicating the facts and the time it took to ensure the network was back up-and-running again.
The cost impact was reported to be $171 million. This may sound bad but, to place it into context, the operating costs for Sony in 2011 were $80 billion, so the $171 million cyber incident costs were a blip, amounting to 0.2% of overall operating costs. Hardly significant.
What about the value impact? Overall, in April 2011 the organisation’s share price dropped by 11.06% (which we were led to believe was purely due to this cyber incident). However, in the previous month the share price dropped by 13.6%. This is not only a larger fall than the April losses but also occurred in a month when there was no major cyber incident affecting the company.
Taking this a stage further, when you stop to examine Sony’s share price over a four-year period from January 2011 to January this year and then assess that of one of its Forbes-listed competitors, namely Panasonic, you witness a very similar trend in share price.
At the start of January 2011, Sony boasted a share price of $36.04. Nearly two years later (as at 19 November 2012), this had fallen to a low of $10.02 representing a massive 72.2% drop over the period.
Panasonic held a share price of $14.20 at the start of January 2011. Skip forward along the similar two-year period and the company’s share price hit a low just two weeks later than did Sony’s, with Panasonic’s figures bottoming out on 3 December 2012 at $4.85 (a fall of 65.8% from its January 2011 start point).
Yes, Sony’s recovery has been slower since bottoming out, but Panasonic and Sony are not entirely like-for-like entities: Sony operates in some fiercely competitive segments – such as music and films – where Panasonic has no touch point, which goes some way towards explaining the difference.
Overall, though, the profiles are exceptionally similar. They’re too similar to state with any confidence that the 2011 Sony cyber incident (and, more recently, the Sony Pictures hack that led to a malware infection late last year) had any exceptional short-term or long-term impact over and above the other events and market forces affecting the whole of the industry in which Sony operates on a daily basis.
In fact, Sony Corporation’s 2012 Annual Report, covering the financial year 2011-2012 in which the cyber incident took place, makes no mention of that episode. Some may say this is possibly because the company didn’t wish to highlight it any further.
The report actually attributes those losses suffered over the year to the two very sad extreme weather events – the Japanese earthquake and the tsunami in Thailand – and to the continued fall-out from the global economic crisis that, among other things, caused “other currencies to fall against the persistently strong Yen”. A cyber incident – even on a large scale – is minuscule when compared to occurrences such as these.
Don’t fear cyber… Take control
Comparing the national GDP losses from cyber crime against other risk drivers highlights that there are larger risks out there. Losses in the UK as a direct result of staff sick days are larger than those realised by cyber breaches.
Here, we’ve focused largely on impact. To assess the risk properly you also have to factor in the aforementioned ‘likelihood’.
No doubt a cyber attack is more likely to occur than extreme weather events or failed global expansions.
Once you do factor in ‘likelihood’, the risk posed by cyber security breaches may rise a bit higher up the Risk Register, but it’s doubtful it will ever reach the summit.
At this point let me be clear. I’m not saying don’t invest in controlling cyber threat-driven risks. Rather, it’s about setting these risks in context against every other risk such that the right amount of funding is invested.
Instead of being scared into investing too much you should take control. Assess the risk in a like-for-like way against business impact as you do with all your other risks.
Set your risk appetite and invest what you deem to be appropriate to reduce the likelihood and impact of a cyber episode occurring, but accept that you may suffer an incident. Also, make absolutely sure that you have tested and detailed crisis management plans in place.
Colin Lobley is Director at Manigent