Economically quantifying the damage caused by a cyber attack with, perhaps, a loss of data is being studied by all stakeholders in all production sectors.
The European Central Bank (ECB), in the report published at the beginning of 2019 and carried out in close collaboration with the Competent National Authorities (ANC) and with the contribution of the Joint Supervisory Groups (JST), identifies among the three most important risk factors cyber crime and computer system dysfunctions are important.
Faced with the objective fact that cyber risk is increasingly becoming one of the relevant factors, it is fair to ask whether a cyber attack could have impacts on a company’s stock value and to what extent. If it were possible to identify this effect, the company could not only better assess the risks to be managed, but also identify the most suitable risk treatment methods and implement the best containment strategies in the event of an event.
The value of a security is not only the company, but the market itself and, as any market is respected, the law of supply and demand applies such that, if suddenly massive sales of a security began, the the price of the same would drop suddenly and this would cancel out any benefit in the short term. It is therefore necessary to understand what is the right time to carry out “sell or buy” operations based on the extent of the event that affected the company.
If it were shown that a cyber attack could affect the stock value, the latter would also prove to be an exceptional tool for massive acquisitions of securities at advantageous prices.
The measurement of the effect on the value of an economic event of a company is, for many, a demanding activity, but this measurement can be carried out through the use of an analysis of an Event Study nature. This technique, based on an econometric analysis method, is aimed at assessing the impact of a specific event on the value of a company through the use of financial data, i.e. checking the changes in the course of actions in following an unexpected event. If the hypotheses of market efficiency are valid, i.e. that the prices instantly reflect the new information available, the analysis of the change in the prices of the securities represents a reflection of the change in the company’s future expected cash flows. Therefore, by observing the prices of the securities in a limited period in which information is made available about a certain unexpected event and analyzing the amplitude of the unexpected performance, it is possible to infer the statistical significance on this event and its impact.
Unlike other analysis techniques, this is carried out ex-post, after the announcement of an event. In this way, it is possible to better understand, thanks to reliable data, what the actual impact of an event has been on the course of the titles. Although it is carried out after the occurrence of a given event, it has a predictive value, since, if there were regularities in the results, it would be possible to expect at least a similar impact in the future. Using this model, the Global Cyber Security Center foundation (www.gcsec.org) conducted a study to understand possible causes of the effect between cyber attacks and a company’s share value.
The sample, taken into consideration by the study, includes 221 companies / institutions / financial institutions affected by major cyber attacks between 2011 and 2019 belonging to four different geographical regions: NORAM (Canada, United States and Mexico), EMEA (Europe, Middle East and North Africa), JAPAC (Asia Pacific, Japan, China), LATAM (Latin America). Of these, 60 were used for the Event Study analysis, as they are listed. The threat considered in the study is solely that related to the cyber attack scenario.
No human errors or natural catastrophes were contemplated. In the sample selected there are only those events that have been made publicly available officially and with an official quantification of the losses of more than one million dollars. The events, which did not meet these criteria, were not included in the sample in order not to incur the risk of contamination of the results.
The study was coordinated by Massimo Cappelli and is the result of a thesis project carried out at the GCSEC Foundation by doctor Marika Mazza graduated in Economic Analysis at the University of Rome “La Sapienza” and currently financial analyst at an important bank depository on a global scale.
At this point I just have to suggest reading.
Impatto del cyber risk su valore azionario (Download PDF)