Risks relating to cyber security have risen to the top of the corporate agenda in recent years but few company leaders are aware of the full extent of the possible damage that data breaches can cause.
A new study, commissioned by cyber security firm CGI and conducted by Oxford Economics, has found that companies’ share prices fall by an average of 1.8 per cent on a permanent basis following a severe breach – where large amounts of sensitive information are lost.
This means a typical FTSE 100 firm is worse off by an average of £120m after a breach, according to the study.
Oxford Economics compiled the data using the Gemalto Breach Index – a register of publicly disclosed cyber security breaches.
Some 315 breach events were examined in total with a focus on 65 “severe” and “catastrophic” breaches occurring since 2013 across seven global stock exchanges. The analysis found that investors have lost at least £42bn due to severe public domain cyber security incidents since 2013.
Dr Andrew Rogoyski, vice president of cyber security services at CGI UK, said there is a “huge difference” between industry sectors that are targeted for attacks and those that suffer major cyber breaches.
“Healthcare is an example of a sector that suffers a large number of breaches but isn’t necessarily targeted, because there aren’t many ways to monetise attacks on health companies, yet,” Dr Rogoyski told The Independent.
“Companies that perform financial transactions tend to be targeted because of the potential for cyber criminals to make money out of them,” he added.
Many company chiefs appear to be unaware of their firm’s vulnerability to a cyber-attack.
“The reality is that cyber security isn’t perceived to grow the top or bottom line, so it’s often under-funded,” Dr Rogoyski explained.
Andrew Gilchrist, a senior associate at international law firm K&L Gates LLP, said the response to a cyber breach can only be as good as a company’s preparation for it.
“Once a breach has occurred, the clock is ticking and a business will only have a short period of time to instruct cyber specialists, lawyers, PR managers and insurers, while at the same time react to fulfil its regulatory obligations and position itself in the best way possible to respond to, and mitigate, any potential regulatory investigation and media scrutiny,” Mr Gilchrist said.
“Experience shows us that the real threat to UK businesses is not necessarily a fine from the Information Commissioner’s Office (ICO). This is a drop in the ocean compared to the bad press and loss of customer confidence that often follows a cyber-hack,” he added.
Online lender Wonga earlier this week became the latest in a long line of companies to discover that information they hold on their customers had been compromised. Wonga’s breach could affect up to 270,000 current and former customers.
In November last year, thousands of Tesco Bank accounts were compromised and customers saw hundreds of pounds wiped from their balances.
A cyber-attack on phone company TalkTalk in 2015 resulted in a £400,000 fine from the ICO for security failings which led to the theft of personal data of almost 157,000 customers.