While the direct cost of dealing with cybersecurity breaches has been well documented, few studies have captured how much damage they can do to a company’s share price.
Now, new research reveals the share-price hit can be even larger than the physical reparation costs. And, more concerningly, the pain lingers.
Conducted by Oxford Economics and commissioned by IT consultant CGI, the British study, released this morning, examined the market performance of 65 companies globally that had been victims of cyber attacks since 2013.
They found that share prices fell by an average of 1.8% “on a permanent basis” following a severe breach, translating to a reduction in market capitalization at a typical blue-chip company of around $150 million.
The average direct costs of cyberattacks for companies worldwide in 2016 was $7.7 million, up 23% on the previous year, according to a recent analysis of 237 companies conducted by the Ponemon Institute on behalf of HP.
In extreme instances, attacks have wiped up to 15% off a company’s share price, according to Oxford and CGI’s latest analysis. An obvious example is Yahoo, which took a $350 million haircut on its sale price to Verizon, though banks also have much to lose.
The research found that companies in the financial services sector were most affected by breaches, followed by media and communications companies. Those least affected included retailers and healthcare providers.
As recently reported in Chief Executive, companies from the U.K. to U.S. still have large holes in their cyber defenses, despite the fact that CEOs are becoming increasingly alert to the risks.
Cyber defenses can be expensive—both the technology and the talent—and even companies with supposedly stringent checks such as Yahoo were breached. Governments, however, are tending toward forcing companies to protect themselves, leaving CEOs with little choice but to act.
“Clearly, the CEO has responsibility for increasing company value,” the latest report’s authors said. “With the link between cyber breach and company value established in this report, it is clear the CEO’s responsibility must also include direction and governance of cybersecurity.”