2016 was an interesting year for those interested in the impact of cyber security incidents on asset valuations. USD350 million (7.2 per cent) was wiped off Yahoo’s purchase price after it disclosed several cyber security incidents during its acquisition by Verizon.
And Muddy Waters Capital shorted the medical implant manufacturer St Jude Medical (STJ) before releasing information about several serious security vulnerabilities in its core pacemaker products. The St Jude stock dropped over 10 per cent intraday, and Muddy Waters Capital ended the year with a 16 per cent gain.
The impact of cyber security incidents on asset valuation is clearly of interest to our clients, and these two examples would seem to suggest a strong correlation. However these are isolated incidents in a small sample size and so care should be taken in drawing such conclusions.
Several studies have looked at larger sample sizes aiming to provide more definite insights. One, “Market Implications of Data Breaches”1 concludes that there is a small impact in the first 3 days after a breach (-1.13 per cent) which by day 14 has fully rebounded. Another, “The Cyber-Value Connection”2 concludes that companies suffer on average a 1.8 per cent decline in share price, but this impact is permanent. Going further, “The Impact of Data Breaches on Reputation and Share Value”3 suggests that the immediate impact on share price is actually closer to 5 per cent.
There is a lack of full consensus here, and it should be noted that the reports with the more headline grabbing conclusions were sponsored by security technology providers. (see “Cyber attacks knock millions off FTSE share prices”)
Sidestepping the sensationalism, all three do agree on one aspect however – that initially share prices drop, and in some cases quite significantly. The Lange and Burger study, which appears to be the more thorough of the three, also suggests that these losses are subsequently fully recovered. This fits well with the typical news cycle of a cyber security incident. Initially little is known, and the market expects the worst. Over time, as more information is released and the impact can be fully assessed, it is often determined to be less critical than initially feared.
The Lange and Burger study adds one further interesting conclusion. If a cyber incident impacts a company’s core business, for instance if a VISA payments processor loses a significant number of credit card details, the resultant impact on share price can be catastrophic. Clearly Muddy Waters Capital understood this when they shorted St Jude:
“Muddy Waters Capital is short St Jude Medical, Inc (STJ US). There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years. STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated.”4
This returns us to traditional methods of asset valuation; analysis of damage to revenue streams, and the impact of cyber security incident cost on profitability.
Usefully the Ponemon Institute produce a yearly study of the cost of cyber breaches5. For those wanting a fuller understanding I would very much encourage reading the report in full, however for now two of the key take-aways are:
Amongst other factors, Ponemon attributes these large discrepancies to the relative strength of regulation in the various countries and industries – eg highly regulated industries like Finance and Health are likely to incur greater costs. Bearing this in mind we can surely expect cyber incident costs to rise in the EU and UK due to the introduction of GDPR, and it might be wise to take this into account when analysing portfolios for cyber security risk.
An understanding of cost, however, is only half the equation, and needs to be seen in the context of turnover and profit. Clearly companies with larger turnovers and profits can absorb Cyber Security incident costs better than those with smaller turnovers and profits.
The infamous Talk Talk incident of October 2015 provides a clear example of this. The breach was estimated to have cost GBP60 million, against a backdrop of operating profit of only GBP54 million the previous year. This was one of the factors that led to a share price slide of 19 per cent.
Another contributing factor to the share price slide was that this was the third incident that Talk Talk had suffered that year. This pointed to a very serious failure in cyber security governance and insufficient cyber security defences. Both the Ponemon IBM report and the Ponemon Centrify report also highlight poor cyber security governance, cyber defences and lack of incident response capabilities as aggravating factors to increased cost / negative share price impact, and clearly this factor should not be overlooked.
All together this points to a far more sober analysis of cyber security impact on asset valuation than some headlines would suggest. In conclusion there are five key factors that should be considered:
And lastly one final point. If a company suffers a serious cyber security incident during a deal, as Yahoo did, there may be little or no time to recover from the initial impact and the sale price could be significantly affected. Strategies to prevent this occurring are therefore strongly advised!
1 Russell Lange and Dr Eric Burger – December 2016 (https://s2erc.georgetown.edu/sites/s2erc/files/documents/breachwriteup_pdf_final.pdf)
2 Oxford Economics – Sponsored by CGI (https://www.cgi-group.co.uk/sites/default/files/files_uk/pdf/cybervalueconnection_full_report_final_lr.pdf)
3 Ponemon Institute - Sponsored by Centrify (https://www.centrify.com/media/4737054/ponemon_data_breach_impact_study.pdf)
5 Cost of Data Breach Study – sponsored by IBM (https://www.ibm.com/security/data-breach)
Wed 12/06/2019 - 13:03
Thu 23/05/2019 - 15:59
Thu 23/05/2019 - 10:58
Thu 09/05/2019 - 10:20
Wed 08/05/2019 - 10:54
Tue 14/05/2019 - 10:33
Wed 24/04/2019 - 17:11
Wed 24/04/2019 - 09:18
Thu 21/03/2019 - 10:32
Wed 20/03/2019 - 15:05