CGI (TSX: GIB.A) (NYSE: GIB) today unveils the results of an in-depth economic study ‘The Cyber-Value Connection’, which shows that a typical ‘severe’ cyber security breach represents a permanent cost of 1.8% of company value, as measured relative to a control group of peer companies. For a typical FTSE 100 firm this equates to a permanent loss of market capitalisation of £120 million, signalling a significant loss of value for shareholders.
“As identified in CGI’s Global 1000 Outlook report, cyber security is still a top priority for businesses, but business leaders, policy makers and investors still have work to do to take cyber security risk far more seriously,” commented Andrew Rogoyski, Vice President of Cyber Security at CGI in the UK. He continued: “We are beginning to see City analysts, venture capital firms and credit ratings agencies factor cyber security readiness into the way they assess firms – this is positive and should encourage boards across the world to treat cyber security as an enterprise-wide risk.”
The study is based on economic modelling from Oxford Economics, which conducted an ‘Event Study’ analysing a sample of public cyber security breaches since 2013 across seven global stock exchanges, based on information from the Gemalto Breach Level Index. A sample of 65 ‘severe’ and ‘catastrophic’ cyber security breaches was then analysed to indicate the impact of these more significant attacks on company share price performance.
When the cumulative impact on shareholder value is considered, the 65 severe cyber security breaches have cost investors £42 billion in total. However, it is important to note that this figure includes only publicly known severe breaches – the true amount of company value lost due to cyber attacks is likely to be far higher. Furthermore, the cost of cyber attacks to investors is likely to skyrocket in the near future, as the General Data Protection Regulation means firms operating in Europe must disclose cyber attacks. In Rogoyski’s estimation “only around 10-20% of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of 10 when the new regulations take effect in May 2018.”
Ian Mulheirn, Oxford Economics, commented: “The study shows a significant connection between a severe cyber breach and a company’s share price performance. It was found that, on average, a firm’s share price was 1.8% lower in the wake of a breach than it would otherwise have been in the week following an attack. However, in some cases the relative share price fall for affected companies was much higher, with one attack lowering the company’s valuation by 15%.”
He continued: “With this methodology it’s important to view such underperformance as a permanent impact on the firm’s overall performance. That’s because a firm’s share price reflects market participants’ expectations of future profitability as markets ‘price-in’ such incidents. Therefore, the reaction of a company’s share price in the immediate aftermath of a cyber breach should be viewed as representing the permanent effect of the attack on the firm’s future profits.”
Figure: Share price movement of a UK Communications company, compared to a control group of similar firms, following a major cyber security breach in week 5.
Rogoyski added: “In the US firms are already obliged to report a breach. The same will soon be true for companies conducting business across Europe when the General Data Protection Regulation (GDPR) and Network Information and Services Directive come into force in 2018. When that happens we are likely to see a rapid spike in publicly reported incidents in Europe and financial markets will respond accordingly. Company boards should be considering cyber security prevention and preparation as a critical way of protecting the interests of shareholders.”
CGI’s recommended eight steps to achieve effective cyber security governance:
- Appoint someone at board level to be responsible for cyber security with the authority and know-how to address the risks and demonstrate leadership during times of crisis
- Include cyber security on every board agenda, reporting on: risk to the business, nature of sensitive data and mitigation progress at a minimum
- Treat cyber security as a company-wide business risk and assess it as you would other key business risks such as major safety issues, environmental disasters and accounting scandals
- Ensure that the company understands the rapidly developing legal landscape that applies to cyber risk – in particular, begin preparing for the GDPR and NISD now
- Get specialist expertise to advise and inform the board, whether from internal teams or external advisors
- Set a programme of work to manage cyber risk, allowing a realistic time and budget
- Encourage discussion about risk appetite, risk avoidance, risk mitigation and cyber security insurance
- Assume that you have already been breached but might not yet know about it. Take action to reassure yourself that no such attack has taken place, but plan on the assumption that one has.
‘The Cyber-Value Connection’ report is available for download, including case studies of company share price performance following a cyber breach: www.cgi.com/uk/CyberValueConnection
About the Event Study methodology
Oxford Economics’ ‘Event Study’ analysis drew on the world’s most comprehensive database of cyber security incidents, the Gemalto ‘Breach Level Index’, which records all disclosed cyber security breaches that affected listed firms between 2013 and 2016H1. Each cyber breach is scored from 0 to 10 for severity, based on a range of factors including the number of records lost, the type of data and the nature of the attack. For the purposes of Oxford Economics’ ‘Event Study’ analysis of share price performance, a subsample was taken of the 65 incidents scoring 7 or higher in terms of severity.
| Market | Severe or critical breaches between 2013 and 2016H1 |
|--------|------|
| US     | 38   |
| UK     | 14   |
| Japan  | 6    |
| France | 3    |
| Korea  | 3    |
| Italy  | 1    |
Oxford Economics used the Gemalto Breach Level Index data to estimate the impact of the severe incidents on the affected firm’s share price using a Difference-In-Difference (DID) method. This involves assessing the share price performance of the affected firm against a control group of firms that did not suffer an attack. The control group for each incident was selected to include firms that were listed in the same country, were of a similar size (based on number of employees) and operate in the same sector. The DID method tests whether the share price performance of the affected firm relative to its peer group differs significantly in the one-week period following the incident compared to the two-week period prior to the incident.
About CGI
Founded in 1976, CGI Group Inc. is the fifth largest independent information technology and business process services firm in the world. Approximately 68,000 professionals serve thousands of global clients from offices and delivery centers across the Americas, Europe and Asia Pacific, leveraging a comprehensive portfolio of services including high-end business and IT consulting, systems integration, application development and maintenance, infrastructure management as well as a wide range of proprietary solutions. With annual revenue in excess of C$10 billion and an order backlog of C$20 billion, CGI shares are listed on the TSX (GIB.A) and the NYSE (GIB). Website: www.cgi.com
For more information
Paul Corrall
UK External Communications
Paul.Corrall@CGI.com
+44 7341 782 985
About Oxford Economics
Oxford Economics was founded in 1981 as a commercial venture with Oxford University’s business college to provide economic forecasting and modelling to UK companies and financial institutions expanding abroad. Since then, we have become one of the world’s foremost independent global advisory firms, providing reports, forecasts and analytical tools on 200 countries, 100 industrial sectors and over 3,000 cities. Headquartered in Oxford, England, with regional centers in London, New York, and Singapore, Oxford Economics has offices across the globe in Belfast, Chicago, Dubai, Miami, Milan, Paris, Philadelphia, San Francisco, and Washington DC. We employ over 250 full-time staff, including 150 professional economists, industry experts and business editors—one of the largest teams of macroeconomists and thought leadership specialists. Website: www.oxfordeconomics.com