Numerous security experts have noted that data breaches at Financial Times Stock Exchange (FTSE) 100 firms have cost approximately £120 million in market value.
£120 million isn’t loose change that organisations should disregard; it should be a wake-up call!
According to the Breach Level Index, almost 1.4 billion data records were lost or stolen in 2016, an 86% increase on the previous year. The Breach Level Index notes that:
“…more and more organisations are accepting the fact that, despite their best efforts, security breaches are unavoidable.”
I don’t believe this is good enough; the amount it’s costing the industry should be a strong incentive for firms and their security departments to ensure their cybersecurity is robust.
Drop in share price
According to Computer Weekly, top UK firms are seeing falls in their share price – as much as 1.8%! – as a direct result of data breaches.
The CGI white paper notes that this figure has doubled in the past 18 months, and that in extreme cases data breaches have wiped as much as 15% off affected companies’ values.
Will more data breaches be disclosed?
These data breaches already have a significant impact on shareholders, and the Cyber-Value Connection analysis suggests they will become more and more costly.
One reason is that regulations like the Data Protection Act, the EU General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive impose heavier compliance obligations and penalties on companies. If they fail to comply with data protection regulations, fines – among other sanctions – can be imposed on them. From May 2018, the GDPR also obliges companies to notify personal-data breaches (to the supervisory authority, and to affected individuals where the risk to them is high), which should hopefully ensure that companies plan for and manage, as well as report, cyber-attacks.
In the companies’ best interest
Surely it’s in the CEO’s best interest to address these security concerns? As the CGI study says: “the CEO has [the] responsibility for increasing company value”. With evidence supporting the link between data breaches and a decrease in company value, it’s clear that CEOs must get their acts together and provide direction and governance on cybersecurity for their company.
In the shareholders’ best interest
The report was based on a study of 65 ‘severe or catastrophic’ breaches at FTSE 100 companies over the past four years. It seems that shareholders are kicking companies up the backside to take cybersecurity seriously. I mean, who wouldn’t when your investment depends on it? Why should shareholders lose value in their shares just because the company can’t seem to maintain adequate cybersecurity?
The CGI report reveals that shareholders have lost at least £42 billion since 2013 due to ‘severe’ data breaches. However, the report notes that this figure covers only the publicly known ‘severe’ breaches, so the actual amount lost is likely to be a lot higher.
How data breaches can directly affect share price
An example of how data breaches can affect a company’s share price is Yahoo. The tech giant suffered breaches in 2013 and 2014 (both disclosed in 2016); the 2013 breach alone reportedly compromised approximately 1 billion email accounts. When Yahoo was sold to Verizon, the breaches forced it to accept a $350 million (£271 million) discount on the purchase price.
Cyber-security recommendations
Companies may wish to take up CGI’s recommendations for effective cyber-security, as follows:
- Appoint someone at board level to be responsible for cyber security, who knows how to address the risks and can demonstrate leadership during times of crisis.
- Include cyber security on every board agenda, reporting on: risk to the business; nature of sensitive data; and mitigation progress at a minimum.
- Treat cyber security as a company-wide business risk and assess as you would with other key business risks such as major safety issues, environmental disasters, or accounting scandals.
- Ensure the company understands the rapidly developing legal landscape that applies to cyber risk – in particular, begin preparing for the GDPR and the NIS Directive now!
- Get specialist expertise to advise and inform the board; whether from internal teams or external advisors.
- Set a programme of work to manage cyber risk, allowing a realistic time and budget.
- Encourage discussion about risk appetite, risk avoidance, risk mitigation, and cyber security insurance.
- Assume you have already been breached but might not yet know about it. Take action to reassure yourself that no such attack has taken place, but plan on the assumption that one has.
Source Info:
http://breachlevelindex.com/assets/Breach-Level-Index-Report-2016-Gemalto.pdf
https://www.cgi-group.co.uk/white-paper/the-cyber-value-connection