By Elon Kaplan
Cybersecurity may be one of the most evasive business risks to manage. Decision makers are bombarded with horror stories of firms losing their core assets due to reputation catastrophes following publications of cyber attacks and confidentiality breaches. Publishing the number of records (preferably in the millions) stolen from large corporates always makes headlines. However, looking at hard data – is the reputation risk so devastating? To put it operationally – will there be a significant decline in share price value due to a cyber attack over a period of one quarter? What impact should we expect to see?
A study conducted in 2014 by Arcuri, Brogi & Gandolfi concluded that while financial organizations do not suffer any impact on their stock price following a cyber attack (in fact, the average stock price rose by 1.9% a quarter after the publication of the cyber attack), other industries suffer a mild impact over a quarter (-2.3%). The paper is available at http://www.efmaefm.org/0EFMAMEETINGS/EFMA%20ANNUAL%20MEETINGS/2014-Rome/papers/EFMA2014_0408_fullpaper.pdf
These numbers may fall within the standard spread of stock values over a period of several months. Are these numbers true for current data?
To get a current perspective we reviewed the stock price impact of several high-profile attacks – Anthem, T-Mobile, Vtech, Vodafone, Hilton. For each case we compared the stock price a month prior to publication of the attack and a quarter post publication. The review of that sample of attacks reveals a very interesting picture – while the average impact on stock value for the group was marginal (-1.3%), the spread of stock value changes was significant, ranging from -9.3% to +7.16%.
The findings are consistent – on average, the reputation impact of a cyber attack does not make a profound change to stock valuation.
However, is average stock value telling the full story on cyber reputation impact?
As we recall, the attack on Ashley Madison came at a disastrous time – just before going public. The nature of the business, public ethical criticism and the timing of the attack combined to make it a high-profile collapse.
So is cyber reputation risk a myth?
The statistical answer is – yes. On average, the reputation impact of cyber attacks is marginal. In comparison, financial losses from money theft and core business IP risk have far greater impact.
However – much like the statistician who drowned in a 5” pool – the average does not tell the whole story. In specific business sectors, under specific business conditions and with attacks on specific assets, cyber reputation could be an issue of life and death for corporates and individuals.
Risk officers and senior executives are thus faced with a dilemma – overspend on protecting against marginal threats, or leave the organization exposed to reputation disaster.
Executives must make educated plans taking into account all parameters of cyber risk, business sector, geopolitical and business events. Moreover, what-if scenarios and simulations are the only true way to generate a comprehensive risk perspective and make educated decisions.
For that function Cytegic introduces the “What If” scenario analysis of the Cyber Decision Support system. Using Cytegic’s comprehensive cybersecurity management suite, CISOs and C-level executives can run financial sensitivity analysis and plan ahead based not only on technology and security posture but also on business plans, risk hedging and – most of all – timing.
Elon Kaplan, Ph.D.
Cytegic – Cybersecurity Management Solutions www.cytegic.com