Businesses have increasingly come under attack by hackers over the past few years but the massive negative impact data breaches can have on companies' valuations is not yet fully quantified. A recent study conducted by Oxford Economics reveals that "severe" cyberattacks have cost UK business investors close to £42bn since 2013.

The study, commissioned by CGI Group, revealed that cyberattacks can adversely affect FTSE 100 companies' shares, with stock prices falling 1.8%, on average, after a "severe breach". This translates to a loss of £120 million, on an average, for investors in a typical FTSE company. But in some extreme cases, breaches have wiped out as much as 15% of affected companies' valuations.

The study also highlighted the financial sector is becoming increasingly concerned and more vigilant about cybersecurity. A recent survey of buy side investors across the UK, Europe, US and Asia found that most of them would "lower post close valuations if either party in the merger had suffered a breach."An example of this would be the Verizon-Yahoo acquisition deal. Following Yahoo's disclosure of massive data breaches that affected millions of user accounts, the deal underwent an 8% cut.

The survey also found that since 2014, a quarter of all investors took an investment decision based on the security capabilities of a firm.

How are industrial sectors affected by breaches?

The study examined around 315 data breaches, focusing on 65 "severe" and "catastrophic" attacks that targeted seven global stock exchanges since 2013.

The report said, "There is evidence that the impact of cyber attacks on share price has become more pronounced over recent years. Severe or catastrophic cyber breaches appear to produce markedly different impacts across different market sectors."

The level of impact that a cyberattacks has differs from one sector to another. The report said that the retail, travel and hospitality industries suffered relatively lower impact "as companies in these
sectors increasingly rely on online sales channels."

Cyberattacks impact on UK businesses
Cyberattacks can adversely affect FTSE 100 companies' shares, with stock prices falling 1.8%, on average, after a breach Oxford Economics / Gemalto / Bloomberg

The report pointed out that retail, media and communications firms appear to suffer more cyberattacks because of "account access" and "identity theft". Whereas the technology and industrial sectors primarily suffer more breaches focused on "financial access".

Raj Samani, chief scientist at McAfee, told IBTimes UK, "This latest research revealing the detrimental impact cybercrime can have on an organisation's market value should serve as a warning to corporations across the globe. Data breaches damage far more than a company's reputation, often hitting the bottom line hard."

Dr Andrew Rogoyski, the vice-president of cybersecurity services at CGI UK, told The Independent: "Healthcare is an example of a sector that suffers a large number of breaches but isn't necessarily targeted, because there aren't many ways to monetise attacks on health companies, yet."

He added, "Companies that perform financial transactions tend to be targeted because of the potential for cyber criminals to make money out of them."

Recent attacks had more severe impacts

The study also found that the severity of negative impact on firms' share prices has escalated in attacks that occurred in the last 18 months.

Over the past few years, UK businesses have suffered significant breaches, affecting thousands of customers' data, with payday lender Wonga being the latest victim.

McAfee's Samani added, "Corporations cannot afford to dismiss cyber security as a problem which just belongs to the IT department. The financial future of a corporation – and often that of its customers – can hinge upon the security of its business and user information.

"It is crucial for executives, including the CFO and CEO, to take an active role in understanding the level of cyber risk they're exposed to in order to implement an appropriate, effective cyber security strategy. This process should include assessing the value of the company's data assets and implementing mitigation strategies appropriately proportioned to the level of risk involved."