Digitalisation comes with benefits, and pitfalls, for businesses. A new report highlights the cost of severe cybersecurity breaches on the share price of companies in the long-term, which average a reduction of 1.8%. The research too finds that the long-term negative effect on share price is increasing, creating additional incentives for business owners and the executive to act to prevent breaches where possible.
The digitalisation of business process creates a number of benefits to business operations, from lower costs to additional revenue streams. Digitalisation is not without issue however, as cybersecurity costs mount, transformation programmes fail and regulatory frameworks are imposed to haul in and forestall potentially abusive practices.
One area that is increasingly on the agenda at the boardroom level is cybersecurity. Businesses are increasingly finding themselves open to security incidents, with costs for business as a whole running in the order of $280 billion according to a recent report from Grant Thornton.
In a new report from CGI, titled ‘The Cyber-Value Connection’, the consulting firm explores the effect of cybersecurity breaches on the share price of companies affected. The research involved independent economic modelling from Oxford Economics, whose analytical methodology examines share price movements in companies that had experienced cyber breaches.
The research shows that there is a link between the share price of a company and cybersecurity breaches. Across the 65 companies in the sample, affected by a severe cybersecurity incident, the average long-term effect on share price was found to be 1.8%.
The performance of companies prior to the breach was found to have a correlation with the effect of the breach on share price. Poorly performing companies were found to be harder hit, their share price falling by an average of 2.3%, while companies outperforming their peers were found to average 1.1% reductions in share price in the long-term. The low sample size, the research notes, prohibits predictions in terms of the usual statistical levels of significance.
When averaging over the value of the average FTSE 100 company, a 1.8% average reduction in share price would see a £120 million loss of market capitalisation. Multiplying the average across the 65 companies whose severe breaches were considered as part of the research, the total costs hit £42 billion for the respective shareholders.
The research in addition to identifying the average cost to companies affected from a severe breach, also found that catastrophic breaches resulted in significant depreciations in the long-term value of companies. One UK media and communications company, that had a catastrophic breach in 2015, has seen its share price fall by 15% in the long-term, while a retail company, also in the UK, has suffered a loss of 12.9% of its share price value from a breach in 2014.
Company share prices across a range of sectors have been negatively affected by catastrophic breaches, with the top 10 largest breaches covered by the research ranging between a fall of 15% and 4.8%.
The value of a major UK supermarket, following a cyber security breach, saw almost immediate reprisal from investors, as the share price fell by more than 7 percentage points during the week following the incident. The fallout from the event saw a further 1 percentage point drop as the full consequences of the event became clear to an irate public.
The research also found that the effects of cyber security incidents, measure on the Friday following the event, are becoming more severe with time. The average percentage point decrease to a firm’s share price stood at 0.2% in 2013, by 2014 this stood at a decrease of 1.5% of their share price, while for the period 2015/16 the effect of share price almost doubled to a decrease of 2.7%.
The research also found that different sectors are affected differently in terms of loss to their respective share prices. The retail, hospitality and travel industry, for instance, saw a negative impact of 0.4% on their share price measured on the Friday following the incident, heathcare saw a drop of 0.7%, while technology saw a decrease of 2.1%. Communications and financial firms were the hardest hit however, with decreases of 2.6% and 2.7% respectively.
Remarking on the research, a spokesperson from CGI states, “Clearly, the CEO has responsibility for increasing company value. With the link between cyber breach and company value established in this report, it is clear the CEO’s responsibility must also include direction and governance of cybersecurity.”