New research from Oxford Economics has revealed that following a severe data breach, public limited companies can expect a significant impact on their market value, with share prices expected to tumble by at least 1.8%. For the average FTSE 100 firm, this equates to about £120 million. The study examined over 60 public security breaches over the last three years and then looked at the effect on the share price of the businesses involved. The Oxford Economics study was commissioned by CGI Group, the IT services group, which wanted to assess just how data breaches affect company valuations and hoped to raise awareness of information and data security among PLC board members.
Although the study suggested share prices could stumble as much as 1.8%, Ian Mulheirn, director of consulting at Oxford Economics, said that in some cases, the effect could be as much as 15%.
“With this methodology it’s important to view such underperformance as a permanent impact on the firm’s overall performance. That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents”, he said.
“Therefore, the reaction of a company’s share price in the immediate aftermath of a cyber-breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.”
The situation could be even worse for public limited companies that suffer a data breach once the European Union’s General Data Protection Regulation is implemented in May 2018. Not only could they suffer a potential loss in market value, but they will also be hit with fines under the new regulation. These can be very severe, with companies facing fines of up to €20m or 4% of annual worldwide turnover, whichever is greater – far exceeding the current maximum of £500,000. This could significantly impact thousands of businesses across Europe when you consider that in the UK alone, according to government figures, 90% of large organisations and 74% of SMEs reported a security breach, leading to an estimated total of £1.4bn in regulatory fines. Post May 2018, they could be facing much more severe penalties.
Raj Samani, chief scientist at McAfee, has called for organisations across the globe to be much more proactive about information security. “Corporations cannot afford to dismiss cybersecurity as a problem which just belongs to the IT department. The financial future of a corporation – and often that of its customers – can hinge upon the security of its business and user information. As a result, it is crucial for executives, including the CFO and CEO, to take an active role in understanding the level of cyber-risk they’re exposed to in order to implement an appropriate, effective cybersecurity strategy.”