Recently, CGI commissioned research from Oxford Economics—The Cyber-Value Connection—to explore the link between a cyber incident and company value. Specifically, we wanted to develop an analytical methodology to examine share-price movements in companies that had experienced publicly disclosed cyber breaches.
Over recent years, many reports and opinion pieces have asserted that there is a link between a cyber incident and company value. Most have relied on anecdotal evidence, and some have used companies’ own assessments as laid out in their annual reports. The problem with the former is that it is based on opinion rather than fact; the problem with the latter is a lack of data, as only a handful of companies have publicly declared the financial impact of a cyber incident on their performance.
With the help of Oxford Economics, CGI has proven the link through a rigorous econometric model, one we hope will encourage businesses around the world to invest more heavily in the protective measures that our increasingly digital economies need. The average impact of a severe breach on company value, measured to be 1.8%, may seem relatively modest, but for an average FTSE100 company this represents a loss of value of approximately £120 million—a substantial amount.
How does this relate to public sector organizations?
Obviously, there is no equivalent public measure of impact following a cyber breach in the public sector: there is no share price to analyze. In the UK, one can instead examine the regulatory fines imposed by the Information Commissioner’s Office. Public organizations, ranging from healthcare to local government, feature all too often on the list of those receiving these fines. The fines, which reflect the conduct and nature of the breach, do not really represent the true impact on the organization in question and, in any case, are capped at a maximum value of £500,000 (although this limit will increase under the forthcoming European General Data Protection Regulation, which comes into full force on May 25, 2018).
So, is there any way to learn the lessons of the private sector and transpose these into the public sector? The most direct link is to understand that the reduced share price that follows a cyber incident reflects a drop in the forecast earnings of the company in question. The reduced earnings come from either loss of sales or increased costs. In the case of loss of sales, this is usually a reflection of customer confidence, brand damage or disruption to services, all of which reduce the company’s income.
This has an equivalent impact on a public sector organization. For example, if citizens decide to avoid online services following a breach, there is an additional impact as manual processes are used instead. There is also an impact on service targets as delays are introduced, pending assurance that the online services are safe to use. It is equally apparent that the second element, an increase in costs, also applies to public sector organizations that suffer a breach. There are the direct costs of dealing with an incident, such as the legal and forensic specialists needed to resolve it, the cost of notifying the subjects affected by a data breach, the cost of remediation (repair) of the affected information systems, the fines that may be imposed by regulatory authorities, and so on. There are also indirect increases in costs, as citizens revert to older, invariably more expensive, forms of interaction with the organization.
As in the private sector, the public sector organizations most affected are those that are either heavily reliant on the digital provision of services or have a strong need to demonstrate that interactions with them are secure. Increasingly, these two factors are becoming fundamental to all public sector organizations, with good examples in the UK being Her Majesty’s Revenue & Customs, the Department for Work and Pensions, the Crown Prosecution Service, the Home Office, the National Crime Agency, the Foreign and Commonwealth Office, and the Ministry of Justice. All of these organizations are heavily reliant on security to underpin the interactions they have with millions of citizens on a daily basis. What’s more, justice organizations face a particularly complex set of challenges, needing to keep deeply sensitive information secure for fear of jeopardizing a prosecution, exposing a witness to intimidation, allowing evidence to be tampered with, and many other scenarios.
While these authorities are taking great care to design proportionate security into their services, so that all information is handled and managed with appropriate care, it is clear that a cyber breach of any form could be catastrophic for these public organizations.
So, taking the evidence that the commercial sector is starting to understand the true impact of a cyber breach on business performance, public sector organizations are also learning that the same factors that lead to corporate underperformance apply equally to them. They may not have a visible share price as an indicator, but they have service improvement targets and budgets to meet, all of which will be affected by a breach. A change of mindset is required, in which organizations treat cybersecurity as a real risk to the organization, as an essential underpinning of the digital services that all organizations now rely upon, and as a priority investment to ensure that the necessary protective measures are put in place.
I invite you to read my related blog, also drawing from our Cyber-Value Connection report, where I offer key cybersecurity questions CEOs should ask their organizations.