Cyber security attacks have a debilitating effect on companies’ stock prices, causing an average decline of 1.8% percent on a permanent basis in cases of severe breaches, according to a new report.
In an analysis of 65 companies affected by hacks since 2013, security consultant CGI and Oxford Economics found that the share prices of two-thirds of firms was adversely impacted, with financial firms the worst affected. In some cases, breaches have wiped as much as 15% off companies’ valuations.
Investors in a typical FTSE 100 firm would be worse off by an average of 120 million pounds after a severe breach — such as those involving the loss of hundreds of thousands of records — while the overall cost to shareholders would be more than 42 billion pounds ($52.4 billion), the report said.
“The study shows a significant connection between a severe cyber breach and a company’s share price performance,” Ian Mulheim, director of consulting at Oxford Economics, said in a news release.
The report used a cyber breach index compiled by Dutch security firm Gemalto. Researchers compared each company’s share price against a cohort of similar companies to isolate the impact of cyber breaches from other market movements.
According to the report, financial services experience a particularly severe impact from hacks because of the industry’s “high levels of regulation, the importance of customer confidence and the potential for financial fraud to be a facet of the breach.” Communications firms also were badly affected while those least affected were retail, hospitality and travel companies.
Andrew Rogoyski, vice president of cyber security at CGI in the U.K., estimated that only around 10% to 20% of the major breaches companies suffer in Europe are currently made public, so declines in stock prices could rise by as much as a factor of 10 after new regulations requiring companies to notify users of a breach within 72 hours take effect in May 2018.
“We are beginning to see city analysts, venture capital firms and credit ratings agencies factor cyber security reading in a news release.
U.S. firms are already required to disclose breaches.