Cybersecurity is a pervasive subject for IT, but cyberattacks today are affecting a large swath of individuals outside of IT as well. For years after a data breach has been forgotten, it can continue to affect the lives of the people whose personal information was stolen. In other cases, the theft of proprietary information eliminates competitive advantages for internal business units and product divisions. Ransomware and DDoS attacks can disrupt business operations and services for customers and vendors for days or weeks on end. Furthermore, the scale of some cyberattacks today is affecting earnings and profits while severely tarnishing the corporate image of those afflicted.
As a result, these incidents are, at least in the short term, depressing stock prices, which affects shareholders and, in turn, is ringing alarm bells in corporate boardrooms. According to the 2016 Deloitte/Society for Corporate Governance Board Practices Survey, cybersecurity ranked as the number one risk that boards focus on today. As further evidence, according to the NACD's Director's Handbook on Cyber-Risk Oversight, fewer than 40 percent of corporate directors reported that cybersecurity risks were routinely covered in board meetings in 2014. In 2017 that figure was 90 percent.
The Losses Are Staggering
Cybersecurity concerns within corporate boardrooms are well founded, given some of the threats that large corporations experienced in 2017.
- Nuance Communications, a major provider of voice and language tools based in Burlington, Massachusetts, produces a suite of dictation and transcription services that serve more than 500,000 clinicians and 10,000 health care facilities. These services allow doctors to dictate notes by telephone. The company was hit by the global Petya attack on June 27, which disrupted its core operations for three to five weeks and forced the company to offer dictation service alternatives to customers affected by the outage. It took a full five weeks to restore all of its cloud services. Because nearly half of the company’s revenue comes from these products, the company announced in late July that the attack would negatively affect quarterly earnings. The stock fell four percent immediately after the announcement, and trading was halted that morning.
- In late September, we witnessed one of the largest data breaches in history, in which the personal data of 145.5 million Americans was stolen in the now notorious Equifax breach. To compound the ordeal, top executives were slow in publicizing the incident, and initial steps to address the problem were ill-conceived. Equifax became the butt of jokes and the target of intense criticism during the weeks after the attack. Its stock plunged by 30 percent within a week, eventually bottoming out after falling an additional 15 percent. Equity losses during that period amounted to over $4 billion. Cleanup costs alone were $87.5 million, and Equifax reported a 27 percent drop in its third quarter net income. (The Equifax breach was caused by a third-party vulnerability.)
The staggering losses from cyberattacks did not just suddenly appear in 2017. In 2011, cybercrime costs for businesses in the U.S. totaled $9 billion. By 2015, these costs had spiraled to over $400 billion, and rose further to $600 billion in 2016. Cyberattacks are projected to cost businesses nearly $2 trillion by 2019. The amounts associated with cyberattacks are shocking and the public is starting to take notice. Furthermore, investors are growing more educated about the disruption and mammoth costs involved in a cyberattack today.
The Question of Equity Performance Long Term
While there is little doubt that equity markets can hammer a publicly traded company in the days following a data breach, there is mixed evidence concerning whether cybersecurity incidents have a sustained negative effect in the long term. A study issued by IT consulting company CGI and Oxford Economics showed that cybersecurity breaches erode company share prices approximately 1.8 percent on a permanent basis. The study involved 65 companies that experienced a breach involving hundreds of thousands of records or more since 2013. The total cost to shareholders of the 65 companies in the study amounted to more than $52 billion. The conclusion of the report was that investors of a typical FTSE 100 firm are definitely worse off after a breach for an extended period.
Another study conducted by Comparitech last year produced similar findings. The study involved 24 publicly traded companies such as Target and Yahoo that were victims of a data breach involving at least 1 million records. Results of the study showed the following:
- Stocks on average suffered an immediate decrease in share price following a breach of 0.43 percent, about equal to their average daily volatility.
- In the long term, share prices continue to rise on average, but at a much slower pace. There was a 45.6 percent increase in share price during the three years prior to the breach, and only 14.8 percent growth in the three years after. Daily volatility was about the same for both periods.
- Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent.
A recent study conducted by Georgetown University, however, shows little correlation between security breaches and long-term equity performance. The study involved a data set of 235 companies with recorded data breaches dating back to 2005. The companies represented all industries including consumer discretionary, financials, health care and technology. The study reported no meaningful disparity between pre- and post-breach performance after 90 days following the breach. The authors of the study concluded that losses from the impact of data breaches on company stock seem to be highly dependent on many variables that are unique to the company. Another study published in the Harvard Business Review in 2015 concluded that while stock prices do fall considerably in the days following an attack such as the one on Home Depot, stock prices begin to rebound after two weeks on average and behave normally based on market conditions. The study did state that financial services, health care and global telecom companies experience the most lasting damage.
Reactions to a Cybersecurity Incident
In politics, there is the old adage that the cover-up is far worse than the crime. This may be the case concerning cyberattacks as well. One case in point was the U.K. phone and broadband provider TalkTalk, which suffered a data breach involving 4 million of its customers in 2015. The stock fell more than 10 percent within the first two days. Management was heavily criticized in the following months for its poor handling of the situation, which contributed to the loss of over 90,000 customers. The stock failed to recover in the manner of those in the Georgetown and Harvard University studies.
This is the very reason why the weight of the responsibility for keeping an organization safe from cyber threats, as well as for the reaction to one, is placed on the CEO, CIO/CTO/CSO, and the executive team. Cybersecurity is no longer an “IT problem.” It is a matter that should involve both senior management and the board of directors that they report to. Two things seem certain: attacks will only increase in the coming years, and the costs of those attacks will certainly rise along with them.