Below is an excerpt from ISS-Corporate’s recently released paper “Discerning Cyber Risk: The Sustained Negative Impacts of Cyber Incidents on Shareholder Value”. The full paper is available for download from ISS-Corporate’s resources page.
Introduction
It is well known that cyber security incidents can have an immediate and meaningful impact on the share values of publicly traded companies. What’s less understood is the depth and duration of that damage and what kind of companies suffer the most.
While a handful of studies have been put forward on the impact of cyber incidents on the shareholders of publicly traded firms, these analyses have largely been anecdote-driven rather than broad-based assessments.
A new study conducted jointly by ISS STOXX and ISS-Corporate examined the impact of reported cyber incidents on share values across the U.S. Russell 3,000 index over the three-year period from 2022 through 2024.
The study shows that firms reporting significant cyber incidents underperform the market (as measured by share price) by nearly 5% on average. It also demonstrates that this underperformance is sustained over a year or more.
The results underscore the importance of maintaining an ongoing program of cyber risk measurement, cyber risk management, and continuous improvement. Diligence in managing technical risks and in ensuring sound governance oversight are critical to protecting equity stakeholders from the most negative outcomes.
Key Takeaways
- While share price underperformance manifests quickly, it is also sustained and builds over time.
- This study confirms continued share price underperformance at one full year after incidents are first reported, with a peak negative average impact of nearly -4.9% after 250 trading days.
- The Finance and Banking sector, as well as the Health Care sector, show higher negative average impacts to relative share price in the months following a reported cyber incident (peaking at -8.5% and -8.3%, respectively).
By:
Douglas Clare, Managing Director, Cyber Solutions, ISS-Corporate
Jim Coggeshall, Executive Director, Cyber Risk Research, ISS STOXX



