Sidestepping the sensationalism – Do cyber security incidents really impact valuations?
2016 was an interesting year for those interested in the impact of cyber security incidents on asset valuations. USD350 million (7.2 per cent) was wiped off Yahoo’s purchase price after it disclosed several cyber security incidents during its acquisition by Verizon.
And Muddy Waters Capital shorted the medical implant manufacturer St Jude Medical (STJ) before releasing information about several serious security vulnerabilities in its core pacemaker products. The St Jude stock dropped over 10 per cent intraday, and Muddy Waters Capital ended the year with a 16 per cent gain.
The impact of cyber security incidents on asset valuation is clearly of interest to our clients, and these two examples would seem to suggest a strong correlation. However, these are isolated incidents in a small sample, so care should be taken in drawing such conclusions.
Several studies have looked at larger sample sizes aiming to provide more definite insights. One, “Market Implications of Data Breaches”1 concludes that there is a small impact in the first 3 days after a breach (-1.13 per cent) which by day 14 has fully rebounded. Another, “The Cyber-Value Connection”2 concludes that companies suffer on average a 1.8 per cent decline in share price, but this impact is permanent. Going further, “The Impact of Data Breaches on Reputation and Share Value”3 suggests that the immediate impact on share price is actually closer to 5 per cent.
There is a lack of full consensus here, and it should be noted that the reports with the more headline-grabbing conclusions were sponsored by security technology providers (see “Cyber attacks knock millions off FTSE share prices”).
Sidestepping the sensationalism, however, all three do agree on one aspect: that share prices initially drop, in some cases quite significantly. The Lange and Burger study, which appears to be the most thorough of the three, also suggests that these losses are subsequently fully recovered. This fits well with the typical news cycle of a cyber security incident. Initially little is known, and the market expects the worst. Over time, as more information is released and the impact can be fully assessed, it is often determined to be less critical than initially feared.
The Lange and Burger study adds one further interesting conclusion. If a cyber incident impacts a company’s core business, for instance if a VISA payments processor loses a significant number of credit card details, the resultant impact on share price can be catastrophic. Clearly Muddy Waters Capital understood this when they shorted St Jude:
“Muddy Waters Capital is short St Jude Medical, Inc (STJ US). There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years. STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated.”4
This returns us to traditional methods of asset valuation: analysis of damage to revenue streams, and of the impact of cyber security incident costs on profitability.
Usefully, the Ponemon Institute produce a yearly study of the cost of cyber breaches5. For those wanting a fuller understanding I would very much encourage reading the report in full; for now, however, two of the key takeaways are:
- Costs per country vary, with breaches in the US, for instance, being 3.4 times more expensive than breaches in India and Brazil
- Costs per industry vary, with breaches in Finance being 1.7 times more expensive than in Retail, and in Health 3.5 times more expensive.
Amongst other factors, Ponemon attributes these large discrepancies to the relative strength of regulation in the various countries and industries – e.g. highly regulated industries like Finance and Health are likely to incur greater costs. Bearing this in mind, we can surely expect cyber incident costs to rise in the EU and UK due to the introduction of GDPR, and it might be wise to take this into account when analysing portfolios for cyber security risk.
An understanding of cost, however, is only half the equation, and needs to be seen in the context of turnover and profit. Clearly, companies with larger turnovers and profits can absorb cyber security incident costs better than those with smaller turnovers and profits.
The infamous TalkTalk incident of October 2015 provides a clear example of this. The breach was estimated to have cost GBP60 million, against a backdrop of operating profit of only GBP54 million the previous year. This was one of the factors that led to a share price slide of 19 per cent.
Another contributing factor to the share price slide was that this was the third incident that TalkTalk had suffered that year. This pointed to a very serious failure in cyber security governance and insufficient cyber security defences. Both the Ponemon IBM report and the Ponemon Centrify report also highlight poor cyber security governance, weak cyber defences and a lack of incident response capabilities as aggravating factors that increase cost and negative share price impact, and clearly this factor should not be overlooked.
Altogether, this points to a far more sober analysis of cyber security impact on asset valuation than some headlines would suggest. In conclusion, there are five key factors that should be considered:
- There is little direct correlation between cyber security incidents and long-term asset values
- Initial impacts to asset value may be overstated and often prices recover in the medium to long term
- Traditional valuation models, which analyse the impact of cyber incident costs on current and future earnings, are useful tools in determining value impact
- Cyber incidents that directly impact the core business, and hence turnover, will have a much greater effect on value than those that do not
- The cyber security maturity of an organisation – its ability to detect, respond to and contain a cyber incident – makes a material difference to the level of impact of an incident on asset value
And lastly, one final point. If a company suffers a serious cyber security incident during a deal, as Yahoo did, there may be little or no time to recover from the initial impact and the sale price could be significantly affected. Strategies to prevent this occurring are therefore strongly advised!
1 Russell Lange and Dr Eric Burger – December 2016 (https://s2erc.georgetown.edu/sites/s2erc/files/documents/breachwriteup_pdf_final.pdf)
2 Oxford Economics – Sponsored by CGI (https://www.cgi-group.co.uk/sites/default/files/files_uk/pdf/cybervalueconnection_full_report_final_lr.pdf)
3 Ponemon Institute – Sponsored by Centrify (https://www.centrify.com/media/4737054/ponemon_data_breach_impact_study.pdf)
5 Cost of Data Breach Study – sponsored by IBM (https://www.ibm.com/security/data-breach)