The potential impact of cyberattacks on company value continues to be misunderstood by many business leaders and finance professionals. So, while financial audits are regulated, why is cyber-risk still largely ignored and underplayed?
Serious business interruption after a breach has one of the largest effects on the value of companies because of its impact on cash flow, according to David Chinn, senior partner at McKinsey.
“Attackers are becoming more aggressive,” he says. “Previously, they aimed to steal data. Now more interruption can come from ransomware or collateral damage from nation state attacks. For example, to cover their tracks, attackers are willing to damage companies’ residual networks.
“In most cases, company share prices bounce back from business interruption. However, the stock market is particularly sensitive to the competence of the response. For example, being unclear, saying something that proved to be wrong, call centres that people can’t get through to, websites that don’t work; these can all be damaging.”
According to the Ponemon Institute, disruptions that can affect corporate value include system downtime, increased communication including help desk activities, issuing new accounts, legal expenditure and identity protection.
Globally, companies that contained a breach in less than 30 days saved more than $1 million compared with those taking longer. However, containment is taking longer due to the increasing severity of attacks, says Ponemon.
Caleb Barlow, vice president of threat intelligence at IBM Security, says transport giant Maersk’s response to the NotPetya attacks of 2017 was a great example of how to react. “They updated their website, telling people what was happening and restarted business operations in fewer than ten days, from scratch in some areas,” he says. “Few companies could do that. We spend a lot of time training companies to make faster decisions in this kind of scenario.”
Fines by regulators over data breaches do not always affect a company’s share price at the time they are issued. By that time, the damage has often been done and the markets have factored in the impact already.
However, they can have an impact if the market is not expecting them or perhaps not expecting such severity. For example, when the Information Commissioner fined telecommunications company TalkTalk a record £400,000 in relation to a data breach, its share price, which had already plummeted after the attack, continued to fall after the announcement of the fine. The company’s stock price has yet to recover.
The effect of regulation on corporate values could be set to rise dramatically now that the European Union’s General Data Protection Regulation (GDPR), which allows for much higher fines, has come into effect. For example, millions of Facebook user accounts were exposed by a security breach in September 2018. Under GDPR, the company could be fined up to 4 per cent of its global annual revenue, which would be £1.3 billion.
Some experts have commented that TalkTalk was lucky in the sense that it was fined under more lenient rules before GDPR came in.
IBM Security’s Mr Barlow says that, apart from the size of the new GDPR limits, the biggest issue with fines is that regulation can be quirky and misunderstood by many companies. “For example, they don’t realise that the biggest regulatory impact is the speed of decision-making and process in responding to the breach,” he says.
Loss of customer data is often a critical factor affecting share price after a data breach. For example, when credit information company Equifax lost more than a third of its value after reporting a data breach in 2017, it was largely due to hackers stealing personal customer information. This included addresses and social security, driver’s licence and credit card numbers.
According to a study by the Ponemon Institute, the average cost per lost or stolen record in a breach is $148 and the more records the company loses, the higher the cost.
Ponemon says incident teams and better security such as encryption help mitigate these costs. It says organisations that fall victim to data breaches on average see their share price fall 5 per cent immediately after the disclosure of a breach. Falls range from 3 per cent for companies with good security to 7 per cent for companies with poor security. Longer term, the damage to corporate value can be even greater, says Ponemon.
But having an incident response team saves $14 per record and the extensive use of encryption reduces cost by $13 per record.
As hackers become more sophisticated, there is greater risk of them obtaining sensitive commercial information such as intellectual property (IP) and using it.
Mr Barlow at IBM Security says: “If another country steals your IP, it has gone forever, you can’t get it back and they will use it against you. So it is important to try and find out exactly what you have lost, who took the data and some idea of their motivation.”
Mr Chinn of McKinsey says one way to guard against this is to ringfence the company’s most valuable information. “If you can’t keep attackers out completely, identify and protect the things that can impact most on corporate value,” he says. “People are shifting from protecting the perimeter to differentiated protection according to the value of the asset.”
Such information could take many forms. “For example, in a pharmaceutical company, clinical trial records are extremely valuable IP as they affect share price,” says Mr Chinn. “In a manufacturing company, the systems that operate the factories are critical to corporate value. If you are in the middle of a big merger, the details of what you are willing to pay or the negotiation strategy are also incredibly valuable.”
Reputation and trust
More organisations worldwide lost customers last year after data breaches, according to the Ponemon Institute. This could be due to increased awareness of breaches and expectations of what a company should do after one. According to a recent IBM Harris survey, 75 per cent of consumers said they would not buy from a company, no matter how good it was, if it was not protecting their data.
In the United States, losing customers after a breach cost companies $4.2 million on average, Ponemon says. Meanwhile 71 per cent of chief marketing officers believe the biggest cost of a security incident is loss of brand value.
McKinsey’s Mr Chinn says: “When customer data is stolen, lost trust in management can impact corporate value and turnover significantly. Companies have been much quicker to report cyberattacks; however, there is a balance if they are trying to get the attacker out without them knowing and don’t want to publicise the fact.”
Peter Lefkowitz, chief digital risk officer at Citrix Systems, says media coverage has a major impact on share price. “The breaches that make front page news suffer the worst,” he says. “Those cases usually involve something new and different or people hiding things. Often they have lots of problems happening at once, or the attack is by a nation state, or we learn more about [their governance] from the company’s poor response.”
Ponemon says organisations can reduce these losses if they have a leader, such as a chief information security officer, directing initiatives to improve customer trust in their guarding of personal information. Offering victims identity protection in the aftermath of a breach also helps.