A new study from Oxford Economics has found a strong correlation between corporate cyber-breaches and negative impacts on share price.

Although the relationship might appear obvious, previous studies had failed to find it, according to Andrew Rogoyski, vice president of cyber security at CGI, a provider of business services worldwide, which had commissioned the research.

In some cases the link has been clear – Yahoo’s record-breaking data breaches in 2013-14 led to a well-publicised shaving of $350 million off the initial $4.8 billion price tag for its sale to Verizon.

But many smaller-scale breaches have not been reflected in share prices, or only after a long time lag, Rogoyski told SC Media UK this week, adding that previous studies have failed to find a meaningful link between cyber-incidents and company valuations.

The correlation in this latest study shows that investors and analysts are starting to price in cyber breaches when valuing companies, he suggested.

To test the hypothesis, Oxford Economics analysed the share performance of 65 companies which had suffered high-profile cyber breaches in the past four years.

By comparing each company against a selection of its peers in the industry, the analysts calculated that the companies had lost an average of US$645 million (£516 million) each in market valuation as a result of the breaches.

In percentage terms, this worked out to an average 1.8 percent decline in market value, or US$42 billion (£34 billion) for the 65 companies being measured.

Extrapolating this to the FTSE 100 index of leading London companies, this would equate to an average £120 million loss in shareholder value.

The study appears to show that as investors and analysts have become more aware of cyber-security, the impact on share price has been getting worse. The average over 3½ years was 1.8 percent, but in the first year of the study, 2013, the impact was just 0.2 percent. In 2014 it had risen to 1.5 percent, and in 2015/16 to 2.7 percent.

The research also indicates that underperforming firms suffer a worse impact from a cyber breach than firms that are overperforming, other things being equal.

CGI predicts that the impact of data breaches on share price will get worse when the General Data Protection Regulation (GDPR) comes into effect in 2018. Companies will then be required in most cases to report data breaches within 72 hours, besides facing possible penalties of up to four percent of annual turnover.