According to Statista, as of 2023, the average data breach cost in the United States amounted to 9.48 million U.S. dollars, up from 9.44 million U.S. dollars in the previous year. The global average cost per data breach was 4.45 million U.S. dollars in 2023.
These costs become a business liability and need to be tackled somehow. The rising risks and costs of cyberattacks have undoubtedly evolved into market stressors. The magnitude of the problem weaves a narrative of caution.
The research report by IBM states that 51% of organizations plan to increase security investments to avert breaches, including incident response (IR) planning and testing, employee training, threat detection, and response tools.
What do the numbers mean?
We can look at the numbers to measure the impact of data breaches on economic instability.
The UN Capital Development Fund (UNCDF) states that “the economic cost of information and technology asset security breaches in 2020 was a staggering USD 4-6 trillion, equivalent to about 4-6% of global GDP.” This translates into a $4.5 trillion impact in 2020. If the percentages stay roughly the same, the total cost can be extrapolated to approximately $5.2 trillion in 2022.
The National Bureau of Economic Research (NBER) goes a step further, stating that after suffering a breach of customers' personal data, the average attacked firm loses 1.1 percent of its market value and experiences a 3.2 percentage point drop in its year-on-year sales growth rate.
Apart from short-term shocks and financial repercussions, these attacks can have long-term effects. For instance, the credit ratings of the victims of corporate cyberattacks remain downgraded for three years.
How do they affect the financial markets?
We know, and probably expect, that a cyber incident will batter an organization’s stock price in the short term. According to the observed trend, publicly traded companies suffered an average decline of 7.5% in their stock values after a data breach. Even more concerning is that it took 46 days, on average, for these companies to recover their stock prices to pre-breach levels, if they could.
Such an impact usually reverberates throughout the entire supply chain, creating a ripple effect that can cause up to 26 times the loss for a company’s business ecosystem. For example, a ransomware attack on ION Trading Technologies on January 31, 2023, sent financial institutions scrambling to confirm trades manually. Similarly, a security breach of a third-party supplier to Okta shaved about $6 billion off the company’s market cap during the week the incident was made public.
Although fluctuations in stock prices could be managed effectively by executives, the lasting effects of cyber incidents on companies are difficult to ignore.
The expenses of a data breach can include everything from ransom payments and lost revenues to business downtime, remediation, legal fees, and audit fees.
For example, the audit fees for companies following data breaches can be about 13.5% higher than those for firms without breaches. Millions of dollars in losses can bankrupt a small company without having much effect on a public company, but the attackers are generally “smart” enough to cause more problems for the bigger companies.
Companies tend to pass these costs on to customers and investors. For example, 60% of organizations that have experienced data breaches have raised their prices. On average, companies experiencing a significant data breach incident underperform the NASDAQ by 8.6% after one year, and this gap can widen to 11.9% after two years.
The company’s credit rating downgrade impacts its ability to secure financing. For instance, companies with weaker cybersecurity practices may face higher borrowing costs and increased financial risk, as Moody’s announced in 2018 that it would evaluate companies’ cybersecurity practices when assigning credit ratings. This was emphasized when Moody’s reduced Equifax’s credit rating in 2019 after Equifax’s data breach in 2017.
Developing a cybersecurity strategy
The ramifications of cyber incidents go beyond a short-term stock price reduction. Therefore, executives need to prepare for long-term impacts.
Businesses with better cybersecurity policies (such as those that have a dedicated CISO, conduct regular audits, and participate in threat-sharing programs) can recover their stock prices within seven days. Conversely, those with poor security frameworks may take as many as 90 days to recover.
It is imperative to make cybersecurity an organization-wide priority. Employees are always on the front line for mitigating cybersecurity risks. Consider the Samsung semiconductor data breach incident, where employees submitted top-secret source code to ChatGPT for error fixing. This incident was not due to a lack of cybersecurity awareness but was rather a cultural issue. A strong cybersecurity culture can help employees avoid such unintended cyber incidents while still allowing them to capitalize on the benefits of cutting-edge digital innovations like ChatGPT.
A cybersecurity strategy goes beyond operational effectiveness and fortifying infrastructure. It needs to be an underlying foundation of the organization. The more tightly cybersecurity is interwoven with the organization’s functioning, the healthier and more sustainable its business.
Sources:
National Bureau of Economic Research