Just how hard does a cy­ber at­tack hit the bot­tom line?

The National - News - - IN DEPTH BUSINESS -

Cy­ber at­tacks are a grow­ing threat to busi­ness, with risk of­fi­cers list­ing cy­ber se­cu­rity as their great­est con­cern and more than 2,200 con­firmed data breaches in 2017, ac­cord­ing to a new re­port from Ver­i­zon.

The head­lines about hack­ing of­ten fo­cus on po­ten­tial harm to con­sumers whose data is stolen, but there had not been an anal­y­sis of the ef­fects of at­tacks on a com­pany’s sales, mar­ket val­u­a­tion and other met­rics. A re­cent study does just that, al­though im­per­fectly.

Us­ing events re­ported as breaches in the non-profit Pri­vacy Rights Clear­ing­house, a team of economists from Sin­ga­pore, Cyprus, Hong Kong and the US ex­am­ined which firms are at high­est risk of at­tack and what the con­se­quences are. They matched com­pany names in the clear­ing­house to other in­for­ma­tion and cre­ated a sam­ple of al­most 150 firms.

That low num­ber sug­gests that suc­cess­ful at­tacks were rel­a­tively rare – or were not fully re­flected in the Pri­vacy Rights Clear­ing­house. Cer­tainly, some at­tacks could go undis­closed. Govern­ment re­port­ing re­quire­ments vary by state in the US, and fi­nan­cial mar­ket re­port­ing de­pends on the na­ture of the at­tack and the com­pany in­volved. The data also are drawn only from 2005 to 2014, so they ex­clude the lat­est hacks like those doc­u­mented in the Ver­i­zon study.

The study is on firmer ground when it as­sesses the im­pact of an at­tack, but even there lim­i­ta­tions are present. The economists study how a com­pany suf­fer­ing an at­tack com­pares to a sim­i­lar com­pany that has not been hit. The chal­lenge is again that they can­not be com­pletely sure that the com­par­i­son com­pany has not suf­fered an at­tack. How­ever, to the ex­tent that what af­fects the fi­nan­cial pic­ture is not the at­tack it­self but rather its dis­clo­sure, the method­ol­ogy works well. For ex­am­ple, the im­pact on stock mar­ket val­u­a­tion is likely to be tied to dis­clo­sure, and the au­thors have ver­i­fied that dis­closed events are in­cluded in their data.

With that caveat in mind, the re­sults sug­gest sig­nif­i­cant but not cat­a­strophic ef­fects from dis­closed breaches. The av­er­age loss in mar­ket cap­i­tal­i­sa­tion fol­low­ing an at­tack is about 1 per cent, with larger losses when per­sonal fi­nan­cial in­for­ma­tion is in­volved and smaller losses when that is not the case. On av­er­age, a hack in­volv­ing per­sonal fi­nan­cial in­for­ma­tion gen­er­ates a loss of a lit­tle less than $1.5 bil­lion in mar­ket value. Re­peated at­tacks gen­er­ate dis­pro­por­tional ef­fects. The au­thors also find that firms where boards as­sess risk fare bet­ter fol­low­ing an at­tack than com­pa­nies where boards do not.

The study also as­sesses the im­pact of an at­tack on fac­tors be­yond the eq­uity mar­ket. The au­thors find a de­cline of sales growth of more than 3 per cent on av­er­age and more than 5 per cent for firms in retail in­dus­tries. They also find that firms cut in­vest­ment, in­crease debt (with lever­age ra­tios ris­ing by more than 2 per­cent­age points on av­er­age af­ter an at­tack), and ex­pe­ri­ence a re­duc­tion in credit rat­ing. Board as­sess­ment of risk prac­tices tends to in­crease af­ter an at­tack and chief ex­ec­u­tive bonuses de­cline.

What is a firm to do to pro­tect it­self, be­yond re­in­forc­ing aware­ness among its em­ploy­ees? One ap­proach is cy­ber in­sur­ance, which pays out af­ter an at­tack. That pro­tects the af­fected firms, but the ap­proach also puts an onus on the un­der­writ­ers to as­sess the risks and to be­come a hub of best prac­tices for in­sured firms to fol­low.

Sig­nif­i­cant ques­tions ex­ist about whether many of the in­sur­ance com­pa­nies en­ter­ing this mar­ket are un­der­tak­ing tasks well, how­ever. As the threat evolves, a stronger cy­ber in­sur­ance mar­ket could not only cush­ion the fi­nan­cial ef­fects on com­pa­nies but also min­imise how of­ten hack­ing at­tempts are suc­cess­ful – which would help pro­tect con­sumers as well.

What is a firm to do to pro­tect it­self, be­yond aware­ness among its em­ploy­ees? One ap­proach is cy­ber in­sur­ance

Newspapers in English

Newspapers from UAE

© PressReader. All rights reserved.