Recently CGI commissioned research from Oxford Economics to explore the link between a cyber incident and company value. Specifically, we wanted to develop an analytical methodology to examine share-price movements in companies that had experienced publicly disclosed cyber breaches. Over recent years many reports and opinion pieces have asserted that there is a link (it's intuitively obvious, surely?) between a cyber incident and a fall in company value. Most have relied on anecdotal evidence; some have used companies' own assessments, as laid out in their annual reports. The problem with the former is that the argument is based on opinion rather than fact; the problem with the latter is that there is a paucity of data, since only a small handful of companies have publicly declared the financial impact that a cyber incident has had on their performance.
With the help of Oxford Economics, CGI has now established a measurable link, and we hope that this will encourage businesses around the world to invest more heavily in the protective measures that our increasingly digital economies need. The average impact on share price, measured at 1.8%, may seem relatively modest, but for an average FTSE 100 company this represents a loss of value of approximately £120 million, a substantial amount.
Perhaps more interesting is the rate at which the measured impact is increasing: according to our research, the impact was all but negligible 3 years ago, 1.5% 2 years ago, and 2.7% over the last 18 months. If this trajectory continues, the impact on company value will become very substantial indeed within the next 3-5 years. We believe the growth in impact reflects a growing understanding that a cyber breach can have a material effect on company performance, and that market analysts now factor this in when forecasting a company's future earnings after such an incident.
How does this relate to public sector organisations?
Obviously there is no public measure of impact following a cyber breach in the public sector: there is no share price to analyse. One can examine the regulatory fines imposed by the Information Commissioner's Office, where public organisations, from healthcare to local government, feature all too often. The fines, which reflect the conduct and nature of the breach, do not really represent the true impact on the organisation in question and, in any case, are capped at a maximum of £500,000 (although this limit will increase under the forthcoming European General Data Protection Regulation, which comes into full force on 25th May 2018).
So, is there any way to learn the lessons of the private sector and transpose them into the public sector? The most direct link is to understand that the reduced share price that follows a cyber incident reflects a drop in the forecast earnings of the company in question. Reduced earnings come from one of two sources: lost sales or increased costs. Lost sales are usually a reflection of reduced customer confidence, brand damage or disruption to services, all of which reduce the company's income.
The same applies to a public sector organisation. For example, if citizens decide to avoid online services following a breach, there is a knock-on impact as manual processes are used in preference, or as delays are introduced while citizens wait for assurance that the online services are safe to use, with a corresponding effect on service targets. It is equally apparent that the second element, an increase in costs, also applies to public sector organisations that suffer a breach. There are the direct costs of dealing with an incident: the legal and forensic specialists needed to resolve it, the cost of notifying the individuals affected by a data breach, the cost of remediation (repair) of the affected information systems, the fines that may be imposed by regulatory authorities, and so on. There are also indirect cost increases, as citizens revert to old, and invariably more expensive, forms of interaction with the organisation.
Like the private sector, the public sector organisations that are most affected are those that are heavily reliant on the digital provision of services or that have a strong need to demonstrate that interactions with them are secure. Increasingly, these two factors are becoming fundamental to all public sector organisations, with good examples being HMRC, DWP, CPS, the Home Office, NCA, FCO and MoJ.
All of these organisations are heavily reliant on security to underpin the interactions they have with millions of UK citizens on a daily basis. What's more, justice organisations face a complex set of challenges, needing to keep deeply sensitive information secure because a breach could jeopardise a prosecution, expose a witness to intimidation, allow evidence to be tampered with, and much else besides.
While these authorities are taking great care to design proportionate security into their services, so that all information is handled and managed with the care its sensitivity warrants, it is clear that a cyber breach of any form could be catastrophic for these public organisations.
So, taking the evidence that the commercial sector is now starting to understand the true impact of a cyber breach on business performance, public sector organisations need to recognise that the same factors that lead to underperformance apply equally to them. They may not have a visible share price as an indicator, but they have service improvement targets and budgets to meet, all of which will be affected by a breach. A change of mindset is required, in which organisations treat cyber security as a real risk to the organisation, as an essential underpinning of the digital services that all organisations now rely upon, and as a priority investment to ensure that the necessary protective measures are put in place.