Cyberattacks are an increasingly common threat to business, with risk officers listing cybersecurity as their greatest concern and more than 2,200 confirmed data breaches in 2017, according to a new report from Verizon. The headlines about hacking often focus on potential harm to consumers whose data is stolen, but there hadn’t been a systematic analysis of the effects of cyberattacks on a company’s sales, market valuation and other metrics. A recent study does just that, though imperfectly.
Using events reported as cyber-breaches in the nonprofit Privacy Rights Clearinghouse, a team of economists from Singapore, Cyprus, Hong Kong and the U.S. examined which firms are at highest risk of attack and what the consequences are. They manually matched the company names in the clearinghouse to other information and wound up with a sample of almost 150 affected firms.
That low number suggests that successful cyberattacks were relatively rare — or were not fully reflected in the Privacy Rights Clearinghouse. Certainly some attacks could go undisclosed. Government reporting requirements vary by state in the U.S., and financial market reporting depends on the nature of the attack and the company involved. The data also are drawn only from 2005 through 2014, so they exclude the latest rash of hacks like those documented in the Verizon study. The part of the analysis that examines which firms are affected by attacks is thus somewhat suspect, given that it’s clear the authors do not have a complete and recent sample of hacks.
The study is on firmer ground when it assesses the impact of an attack, but even here there are some limitations. The economists study how a company suffering an attack compares to an otherwise similar company that has not been hit by a cyber-intrusion. The challenge is again that they can’t be completely sure that the comparison company hasn’t actually also suffered an attack — undisclosed by the company, or perhaps even unbeknownst to the company. However, to the extent that what affects the financial picture is not the attack itself but rather its disclosure, the methodology works well. For example, the impact on stock market valuation is likely tied to disclosure (and the authors have verified that disclosed events are included in their data).
With that caveat in mind, the results suggest significant but not catastrophic effects from disclosed cyber-breaches. The average loss in market capitalization following an attack is about 1 percent, with larger losses when personal financial information is involved and smaller losses when that’s not the case. On average, a hack involving personal financial information generates a loss of a little under $1.5 billion in market value. Repeated attacks generate disproportional effects. The authors also find that firms with board oversight of risk (measured by factors such as whether there is a risk committee) fare better following an attack.
The study also assesses the impact of an attack on factors beyond the equity market. The authors find a decline of sales growth of more than 3 percent on average and more than 5 percent for firms in retail industries. They also find that firms reduce investment, increase debt (with leverage ratios rising by more than 2 percentage points on average after an attack), and experience a reduction in their credit rating. Board oversight of risk practices tends to increase after an attack, and CEO bonuses decline.
What is a firm to do to protect itself against these costs, beyond reinforcing good cyber-hygiene among its employees? One emergent approach is cyber insurance, which pays out to a company after an attack. That protects the affected firms, but the approach also puts an onus on the underwriters to assess the risks and to become a hub of best practices for insured firms to follow. (I suggested 15 years ago that we “could even imagine insurance firms hiring cyber-experts to advise insured firms on how to reduce their exposure to cyberattacks.” That has become a reality.)
Orszag is a Bloomberg View columnist. He is a vice chairman of investment banking at Lazard. He was President Barack Obama’s director of the Office of Management and Budget from 2009 to 2010 and the director of the Congressional Budget Office from 2007 to 2008.