Could a cyberattack send your stock price crashing?

A 2015 Harvard Business Review article argued that data breeches at publicly traded companies don’t generally hurt stock prices. The argument went that the damage from hacks can be hard to quantify or understand, so shareholders only “react to breach news when it has direct impact on business operations” or “results in immediate changes to a company’s expected profitability.” A stock might drop when news of a cyberattack breaks, but the price recovers quickly.

However, things have changed since the article was published.

CIBC World Markets equity strategist Ian de Verteuil made public this week a report titled The Known Unknowns. He suggests “it is likely we will have a major cyber-crime issue at one or more large public Canadian companies over the next year or two” and that it will result in a more important impact on stock prices than we have seen in the past.

The Globe and Mail reports:

“Mr. de Verteuil looked at five major cyberattacks on large companies over the past several years and found that stock prices dropped an average of only 2.4 per cent following a significant breach. In some of the cases there were extenuating circumstances. With JPMorgan, for example, the company made it clear the stolen information did not contain confidential data, such as passwords or account numbers.

In other cases, the attacks were significantly more costly to shareholders than the 2.4-per-cent average price decline. In the month following the 2015 cyberattack on Target Corp., the company’s share price slid, underperforming the market by 400 basis points. When the 2013 and 2014 breaches at Yahoo Inc. were made public in 2016, the company was in acquisition talks with Verizon Communications Inc. “The acquisition price was adjusted lower by $350-million (U.S.) – representing a 7 per cent drop in value,” Mr. de Verteuil noted.

Still, the 2.4-per-cent average decline is significantly less than what Mr. de Verteuil said he would have otherwise expected. That doesn’t mean that investors should be lulled into a false sense of security. According to a 2017 survey by IBM Security and the Ponemon Institute, over the past four years, cybersecurity breaches cost Canadian companies an average of $4.56-million per breach.

“The impact is a long-term brand issue more than a short-term expense issue,” Mr. de Verteuil said in an interview. “That’s tougher for the market to evaluate.” He added that it’s hard to measure the impact of cyberattacks on share price because companies are measured relative to their sector, and a cyberattack on one company can hurt investor confidence in others like it.

“Whatever the evidence to date, we believe that the frequency and severity of cyber-attacks will increase over time,” Mr. de Verteuil wrote in the report. “Shrewd investors will need a series of questions that provide insight into how seriously the c-suite of a company takes cyber-risk.””

It’s no surprise that this would be the case. As cyber-protection tools have become more sophisticated, victims of cyberattacks are being scrutinized rather than pitied. It is shocking to think that companies in 2017 would not take steps to protect their proprietary data more carefully, or implement corporate policies to avoid having employees fall for phishing schemes. And yet as we know, this is all too often the case.

There is no excuse for this, and there is no reason to let your company become the next victim of the world’s cybercriminals. With the help of Evizone Secure Communications (ESC) and Evizone Communications Governance (ECG), you can be sure that your most sensitive files are protected by our state-of-the-art software.