Companies that have faced cyber attacks are often criticised for not having stringent enough guards – but their wallets can be affected too.
According to research by IT consultancy CGI and Oxford Economics, cyber attacks since 2013 have cost companies around £42bn. This is because once a hack is announced, share prices fall by an average of 1.8 percent.
If a FTSE100 firm is attacked by cyber criminals, investors can lose an average of £1.2m. With two in three companies seeing a negative impact on their share price after suffering a data breach, this figure is increasing.
As part of the research, CGI and Oxford Economics analysed 65 companies which had been hit by data attacks since 2013.
The analysis compared each company’s share price against similar companies in order to isolate the impact of the breach from other market movements.
In extreme cases, one company saw a breach wipe as much as 15 percent off its valuation.
In the past few years, large-scale cyber attacks have never seemed to be far from the news, and their effects can be felt afterwards.
For instance, the Yahoo data breaches, which led to over 1bn accounts being compromised, meant Verizon eventually ended up acquiring the company at a $350m discount.
Just this week it was revealed that the British payday loan firm Wonga suffered a breach, affecting up to 245,000 customers in the UK. It is thought that financial data, including bank account numbers and sort codes, were stolen in the breach.
Cyber security was named as one of the top five business priorities in CGI’s Global 100 report, but in other surveys the company has found that boards are often unequipped to understand and deal with the diverse issues presented by a cyber breach.
And the issue is becoming more pressing. According to the report, there is evidence that cyber attacks appear to have a much more severe negative impact on share prices, particularly when compared to 2013.
Of the companies analysed, it was found that financial services experience the biggest burden in terms of impact.
This is because of the high levels of regulation these companies face, the importance of customer confidence in the organisations and the potential for financial fraud to be an element in the breach.
Industrial and technological companies come close behind, due to how a breach could affect their intellectual property.
Governments across the world are moving to mandatory breach notification to ensure that businesses are doing enough to address and mitigate cyber risk.
In Europe, the General Data Protection Regulation (GDPR) will come into force in May 2018 to ensure this happens in member states.
In addition, despite the uncertainty over what laws the UK will keep after Brexit, the UK government has made it clear that the GDPR is here to stay. This will prevent companies from holding back on announcing data breaches as a way to save their share prices, as it will be mandatory to declare them.
As a result, the report suggests that companies need to ensure they have robust cyber governance to detect attacks and declare them, to protect the company’s data as well as its reputation.