Just how hard does a cyber attack hit the bottom line?
Cyber attacks are a growing threat to business, with risk officers listing cyber security as their greatest concern and more than 2,200 confirmed data breaches in 2017, according to a new report from Verizon.
The headlines about hacking often focus on potential harm to consumers whose data is stolen, but there had not been an analysis of the effects of attacks on a company’s sales, market valuation and other metrics. A recent study does just that, although imperfectly.
Using events reported as breaches in the non-profit Privacy Rights Clearinghouse, a team of economists from Singapore, Cyprus, Hong Kong and the US examined which firms are at highest risk of attack and what the consequences are. They matched company names in the clearinghouse to other information and created a sample of almost 150 firms.
That low number suggests that successful attacks were relatively rare – or were not fully reflected in the Privacy Rights Clearinghouse. Certainly, some attacks could go undisclosed. Government reporting requirements vary by state in the US, and financial market reporting depends on the nature of the attack and the company involved. The data also are drawn only from 2005 to 2014, so they exclude the latest hacks like those documented in the Verizon study.
The study is on firmer ground when it assesses the impact of an attack, but even there limitations are present. The economists study how a company suffering an attack compares to a similar company that has not been hit. The challenge is again that they cannot be completely sure that the comparison company has not suffered an attack. However, to the extent that what affects the financial picture is not the attack itself but rather its disclosure, the methodology works well. For example, the impact on stock market valuation is likely to be tied to disclosure, and the authors have verified that disclosed events are included in their data.
With that caveat in mind, the results suggest significant but not catastrophic effects from disclosed breaches. The average loss in market capitalisation following an attack is about 1 per cent, with larger losses when personal financial information is involved and smaller losses when that is not the case. On average, a hack involving personal financial information generates a loss of a little less than $1.5 billion in market value. Repeated attacks generate disproportional effects. The authors also find that firms where boards assess risk fare better following an attack than companies where boards do not.
The study also assesses the impact of an attack on factors beyond the equity market. The authors find a decline in sales growth of more than 3 per cent on average and more than 5 per cent for firms in retail industries. They also find that firms cut investment, increase debt (with leverage ratios rising by more than 2 percentage points on average after an attack), and experience a reduction in credit rating. Board assessment of risk practices tends to increase after an attack and chief executive bonuses decline.
What is a firm to do to protect itself, beyond reinforcing awareness among its employees? One approach is cyber insurance, which pays out after an attack. That protects the affected firms, but the approach also puts an onus on the underwriters to assess the risks and to become a hub of best practices for insured firms to follow.
Significant questions exist about whether many of the insurance companies entering this market are undertaking these tasks well, however. As the threat evolves, a stronger cyber insurance market could not only cushion the financial effects on companies but also minimise how often hacking attempts are successful – which would help protect consumers as well.