Cybersecurity Incidents Cost Shareholders £42 Billion

Shareholders and investors are taking significant financial hits when it comes to security incidents, according to an economic study by CGI based on modelling from Oxford Economics.

A ‘severe’ cyber security breach for a typical FTSE 100 company now equates to a permanent market capitalisation loss of £120 million, or 1.8 percent of company value, as measured relative to a control group of peer companies.

The Cyber Value Connection study analysed a sample of 65 ‘severe’ and ‘catastrophic’ cyber security breaches that have taken place since 2013, with the cumulative impact on shareholder value costing investors a total of £42 billion.

Big bucks

“As identified in CGI’s Global 1000 Outlook report, cyber security is a still a top priority for businesses, but business leaders, policy makers and investors still have work to do to take cyber security risk far more seriously.” commented Andrew Rogoyski, head of cyber security at CGI in the UK.

“We are beginning to see City analysts, venture capital firms and credit ratings agencies factor cyber security readiness into the way they assess firms – this is positive and should encourage boards across the world to treat cyber security as an enterprise-wide risk.”

The study notes that the financial figures only include publicly known security breaches, so the true amount of value lost and cost to investors is likely to be far higher.

And the numbers are only likely to increase in the future. The incoming GDPR means European firms will have to disclose all data breaches, leading Rogoyski to suggest that lost shareholder value across Europe “could rise by as much as a factor of 10 when the new regulations take effect in May 2018.”

Ian Mulheirn, director of consulting at Oxford Economics commented: “With this methodology it’s important to view such underperformance as a permanent impact on the firm’s overall performance. That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents.

“Therefore, the reaction of a company’s share price in the immediate aftermath of a cyber breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.”

Breaches, breaches everywhere

Security incidents have sadly become commonplace over the last 18 months or so, with new breach alerts affecting high-profile organisations seemingly hitting the headlines on a weekly basis.

In April alone we’ve had a cyber attack on the International Association of Athletics Federations (IAAF) which could put confidential athlete data at risk and payday loan company Wonga suffered a data breach that could have resulted in the theft of the personal data of 245,000 UK customers.

However, these are relatively small fry compared to some of the breaches that became public in 2016, Yahoo was of course the most high-profile victim after it admitted to suffering the biggest data breach in history after more than a billion user accounts were hacked.

Tumblr and MySpace were just two of the other well-known names to make the list and, as the security challenges facing business continue to increase, the rate of breaches is unlikely to slow down in 2017.

Are you a security pro? Try our quiz!