In-brief: a report by the firm CGI and Oxford Economics suggests the impact of breaches on the price of a company’s stock may be bigger than many expected, depressing the price investors pay for the stock by almost two percent.
One of the great, unanswered questions in the security field is what adverse cyber incidents really cost businesses. Do hacks and data breaches really drive customers away? Depress sales or scare off investors?
That’s a critical question because businesses are all about managing risks. But to manage risk you must understand what it is you’re managing. From the perspective of the CEO or Board of Directors, investments only make sense to the extent that they build a business: boosting earnings or hedging against losses. To make it super simple: it doesn’t make any sense to spend, let’s say, $100,000 on a cyber defense if the “bad outcome” you’re hoping to avoid won’t cause more than $10,000 in direct or indirect damages to the firm. In that instance, you’re overpaying for security.
But the costs associated with security incidents are notoriously hard to measure. Direct costs, like hiring experts to investigate and clean up after a breach or making customers “whole” (typically through credit monitoring services and refunds), are well understood. The insurance industry has stepped up with products designed to give companies protection against those kinds of costs associated with cyber-attacks.
But what about the indirect costs of cyber incidents like data breaches? Those are notoriously difficult things to measure. Do customers think less well of your firm after a data breach and choose to shop elsewhere? Do business partners become wary of sharing information, linking sensitive systems or sharing proprietary data? Perhaps most important: do investors begin to look askance at a company that has been breached?
Well, now there’s some interesting data on that last item, the impact on share price: a report by the firm CGI and Oxford Economics suggests the impact of breaches on the price of a company’s stock may be bigger than many expected. That conclusion comes from an analysis of the stock performance of firms that were the subject of ‘severe’ and ‘catastrophic’ breaches. Those events were selected from a register of 315 breach events in the recent Gemalto Breach Level Index report.