Losing your customers' data should have an impact on your company value, but historically that hasn't always been the case. Now an analysis of new data claims to show that investors and analysts are starting to ‘price in’ data breaches when valuing companies.
That's according to a report from Oxford Economics on behalf of the CGI Group, a provider of information and business services to clients worldwide.
Oxford Economics analysed the share performance of 65 companies which had suffered high-profile cyber breaches in the past four years. By comparing each company against a selection of its peers in the industry, the analysts calculated that the companies had lost an average of US$645 million (£516 million) each in market valuation as a result of the breaches.
In percentage terms, this worked out to an average 1.8 percent decline in market value, or US$42 billion (£34 billion) for the 65 companies being measured.
Extrapolating this to the FTSE 100 index of leading London companies, this would equate to an average £120 million loss in shareholder value, according to Andrew Rogoyski, vice president of cyber security at CGI.
He told SC Media UK that he was excited by the results of the study which showed for the first time a strong correlation between cyber-breaches and negative impacts on companies' share prices.
Previous studies have failed to find a meaningful link between cyber-incidents and company valuations, Rogoyski said. “That's not to suggest that [previous studies] were wrong, but it's an indication that the market is changing – investors are becoming more sensitive to cyber-attacks and the impact that this has on a company's reputation and performance.”
As investors and analysts become more aware of cyber-security, the impact on share price is actually getting worse, he added. The average over 3½ years was 1.8 percent, he said, but in the first year of the study, 2013, the impact was a negligible 0.2 percent. In 2014 it had risen to 1.5 percent, and in 2015/16 it was 2.7 percent – overall demonstrating a strong upward trend.
The results fit well with anecdotal evidence that CGI has witnessed in the various markets that it operates in, he said. “We have found more organisations starting to ask questions about cyber-security preparedness in the context of acquisitions and investments,” he said. “Investors are asking whether the companies they are looking to buy into are protecting their intellectual property and the sensitive information they hold about customers.”
The internet services company Yahoo is a case in point. Shareholders have seen the value of their shareholdings slide as the company has revealed historic data breaches, leading telecoms provider Verizon to downgrade its offer price by 7.8 percent, or US$350 million (£280 million), during negotiations to buy the company.
Part of the problem for investors and analysts in assessing the impact of cyber-breaches is the time it takes for the accountants to disclose losses on companies' annual reports.
“One frustrating aspect of this argument is that it has taken years for company accountants to measure the impact of breaches,” Rogoyski said. “Where they have put prices on cyber-attacks like Sony, it has taken two to three years for those numbers to appear. It's frustrating when you see a company breached and in the public eye, and the value should go down but the share price doesn't reflect that.”
An unexpected finding from the report comes from looking at why some companies see bigger impacts on their share prices than others following data breaches. Some of this can be explained by the scale of the breach and how much media attention the incident received, but after discounting for those effects, what becomes apparent is that companies which were more highly regarded among their peers, as measured by share price, suffered less than those who were less well regarded.
So an underperforming company will suffer more than an overperforming company, all other things being equal.
The impact of data breaches on share price will only get worse, Rogoyski predicted. The General Data Protection Regulation (GDPR), due to come into effect in 2018, will require companies in most cases to report data breaches within 72 hours.
CGI estimates that currently only about 10 percent of data breaches are reported publicly and even then it may take some time for the information to come out. Greater reporting will raise awareness of the extent and fallout from breaches.
GDPR will also empower the Information Commissioner to fine transgressors up to four percent of their global turnover – a figure designed to get the attention of the board of directors.
Bob Tarzey, analyst and director at Quocirca, told SC that he wasn't surprised by CGI's report. “Breaches are being taken more seriously by financial analysts and that is having an impact on share price,” he said.
“With GDPR, it can also impact the bottom line because of the fines, and we have seen CEOs resign and companies like Yahoo see their merger plans up in the air because of data breaches,” he added.
However, he believes that the impact on reputation can be lessened if the management move quickly to fix the breach, manage publicity and inform regulators.