Global listed companies hit by a cyber attack saw a combined loss in market value of US$53 billion on the first day’s trading following the revelation of an incident and those affected took an average of 24 days to recover pre-crisis valuations. This is according to an analysis of cyber attacks on global listed companies in the past three years by international law firm Freshfields Bruckhaus Deringer.
The study also revealed that share prices across the 135 reported cases only experienced a marginal fall in the immediate aftermath of an attack. On the day following the revelation of a cyber attack, less than half (44%) of the companies saw their share prices fall. Valuations across the group actually increased by 0.17% on average. After one week, companies hit by a cyber attack saw an average dip in share price values of just 0.26%.
The majority of companies (60%) saw shares restored to pre-crisis levels after four weeks. At this point, average share prices were up by 0.62%.
Freshfields partner and cyber security expert Jane Jenkins says, "Cyber threats are now more targeted and more widespread than ever before. Cyber security breaches can leave a company struggling to manage the fallout on many fronts: loss of competitor advantage, interruption of business operations, impact on revenue and reputational damage. Yet, despite the possible repercussions, share prices only experienced a blip as investors appear surprisingly unfazed."
"It may be that the recurring tales of misplaced laptops, briefcases left on trains and lost personal and confidential data, which rarely make headlines for more than a day or two, have led investors to take information breaches in their stride. However, as reliance on cloud and mobile technology increases, and cyber criminals are becoming ever more sophisticated, organisations are more vulnerable to an attack that could bring with it commercially devastating consequences."
"The EU Commission estimates that 80-90% of companies have already been on the end of a cyber attack and that the majority of these attacks go unreported. The volume of cyber attacks that become public are therefore just the tip of the iceberg and belie the full scale of the problem. While investors are yet to fully wake up to cyber risk, organisations should take advantage of this respite to make cyber security a board-level priority."
The analysis also reveals the type of attack that is likely to spook investors the most. Although rare (among the sample of companies analysed, only one company was reportedly affected) identifiable instances of industrial espionage had the biggest immediate impact on share price leading to a fall of -0.85% on the day after a cyber attack. However shares had recovered after five days.
Perhaps unsurprisingly given the publicity that ‘hacktivists’ (those that hack into an organisations’ computer system for politically or socially motivated purposes) aim to court, ‘hacktivism’ has the longest-term affect on share price. Companies targeted by hacktivists suffered an average loss in share price value of 2.1% five days following the cyber attack, falling further to -2.4% after one week and -2.6% after four weeks.
In contrast, the markets typically ignored attacks launched by cyber criminals and hackers with share prices rising in line with the market across the group of affected companies.
Chris Forsyth, IP partner and cyber security specialist at Freshfields adds, "For the time being, cyber security remains a voluntary exercise for most companies in the US and Europe, although the regulatory environment is toughening as governments get to grips with the implications of cyber crime."
"The EU is moving to force companies in certain sectors to report all cyber breaches and take specific risk management measures to protect systems and data. The US is also ramping up its focus as American businesses and government institutions experience an increasing number of attacks. High standards on cyber security across all sectors of UK business are vital if we are to remain competitive. We risk being left behind if we do not engage with this problem now."
Avril Martindale, partner and cyber security expert, concludes, "Cyber attacks are a very serious threat to businesses as they can go right to the heart of a company’s value. In many sectors, ranging from high technology to pharma and automotive, information is part of a company’s DNA. We are increasingly seeing buyers ask for more deal security around cyber attacks in recognition that a target’s value could be totally obliterated by a previous or future attack."
"Effective cyber security requires spending money and dedicating resources but commercial organisations can take comfort that they don’t need to throw money at protecting everything. While the markets are treating cyber attacks with relative sympathy, companies should seize the opportunity to assess their vulnerabilities and what and where their most valuable information is. By making this assessment, they can then prioritise money and resources to mitigate the risk of being crippled by a cyber attack."