Severe cyber breaches cost PLCs 1.8% of company value or £120 million, according to a new CGI study, and these figures are set to skyrocket in the future as General Data Protection Regulation in Europe requiring firms to reveal cyber breaches is rolled out – a move which could see European firms scrambling to cover their exposures with increased reinsurance purchase.
Andrew Rogoyski, Vice President of Cyber Security at CGI in the UK, said that currently firms only reveal an estimated 10% of attacks to the public, so the soon to come implementation of the data protection regulation could mean “lost shareholder value across European markets could rise by as much as a factor of 10 when the new regulations take effect in May 2018.”
According to CGI estimations an average 1.8% of company value loss amounts to a permanent market capitalisation loss of £120 million for a typical FTSE 100 firm, and Rogoyski said as the business world wakes up to the extent to which cyber breaches could soon shake firm’s shareholder value, rating agencies are already beginning to factor cyber security defenses into firm’s evaluations: “As identified in CGI’s Global 1000 Outlook report, cyber security is still a top priority for businesses, but business leaders, policy makers and investors still have work to do to take cyber security risk far more seriously.”
He continued; “We are beginning to see City analysts, venture capital firms and credit ratings agencies factor cyber security readiness into the way they assess firms – this is positive and should encourage boards across the world to treat cyber security as an enterprise-wide risk.”
The CGI study – which was based on an Oxford Economics modelling analysis of a sample of 65 public cyber security breaches since 2013 across seven global stock exchanges – revealed that the cumulative impact value on shareholders is $42 billion in total.
However, this figure includes only publicly known severe breaches – so the true figure is likely to be far higher.
Ian Mulheirn, Oxford Economics, commented: “The study shows a significant connection between a severe cyber breach and a company’s share price performance. It was found that, on average, a firm’s share price was 1.8% lower in the wake of a breach than it would otherwise have been in the week following an attack. However, in some cases the relative share price fall for affected companies was much higher, with one attack lowering the company’s valuation by 15%.”
He continued: “With this methodology it’s important to view such underperformance as a permanent impact on the firm’s overall performance. That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents. Therefore, the reaction of a company’s share price in the immediate aftermath of a cyber breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.”
In light of the expected hard-hitting impact of the new data regulation, CGI recommended firms work proactively to establish effective cyber security governance by appointing cyber-risk qualified staff at board level to head up cyber risk, include cyber security on every board agenda, treat cyber security as a company-wide business risk, and get specialist expertise to advise and inform the board.
CGI further advised to set a programme of work to manage cyber risk, and assume that firms have already been breached but might not yet know it.
In recent years, cyber risk has become a buzz word for re/insurers who have made moves to expand coverage to include more of this growing threat to business – in a reinsurance market awash with surplus of capital, the capacity to offer protection against cyber risk appears to be less of an issue than the challenge of building risk models that understand and evolve along with the rate of cyber risk growth.
And although the growing sphere of cyber risk is still vastly underinsured and underexplored, 2017 has already seen reinsurance giants, as well as information service providers, such as CGI, invest relentlessly to make headway into developing new models for cyber risk analytics and coverage.
Opportunities for reinsurance are expanding in the fast-developing cyber line of business; cyber risk concerns rose to 2nd most feared threat of loss in the U.S. and Europe, and 3rd globally, according to an Allianz industry survey; and in a highly competitive market, firms that manage to crack the seemingly impossible cyber code could be rewarded with re/insurance cover demand skyrocketing along with the growing threat.
