The precise cost of the ransomware attack on the fitness company Garmin earlier this year is hard to determine, but reasonable guesstimates have put the ransom fee alone in the region of $10 million. The reputational damage over and above that is likely to have been considerable.
Research from the Cyentia Institute [pdf] suggests that roughly 60% of the Fortune 1000 had suffered at least one public breach in the last decade, with estimates that 24% of these firms will suffer some form of cyber loss event per year.
To put it another way, this represents an attack every 39 seconds, which underlines the prevailing sentiment in the cybersecurity profession that it’s less a case of if you’ll be attacked as it is when you’ll be attacked.
These attacks can have a devastating impact on the victim’s share price.
For instance, in 2019 when finance company Capital One was attacked, their share price slumped by around 6% in immediate trading, with a total loss over two weeks of nearly 14%. Similar events unfolded at Equifax after they were attacked in 2017, with their share price plunging by around $50 in a week in a fall the company has never really recovered from.
Such financial disasters are by no means certain, however, as JP Morgan Chase ably demonstrated in 2014, after a data breach coincided with their stock actually going up. It underlines both the complexity of market reaction to any cybersecurity incident and the various strategies companies can deploy to help mitigate the risk.
Research from MIT highlights some of these strategies after a review of a dozen or so different studies that collectively explored some of the consequences of data breaches for companies from numerous industries, firm sizes, attack types, and ultimately the response taken by the firm.
Firstly, the research highlights what companies should not do. By far the worst approach is to pretend the attack didn’t happen.
Attempts to hide any attacks or breaches, or even to pass the blame onto others, tends to result in negative consequences.
For instance, a prime example of this is when Uber notoriously paid hackers to try and cover up a data breach in 2016. Suffice to say, when the cover-up was made public the following year, not only did it result in considerable reputational damage for the firm, but also a $148 million fine from the Federal Trade Commission.
Start from where you are
In terms of effective responses, the start point is always the cybersecurity strategies and practices you already have in place. The best results (in stock market terms at least), appear to arrive when the CEO is able to effectively communicate the cybersecurity processes the company already has in place. This helps to show the market that the company takes cybersecurity, and subsequently the data and privacy of customers, seriously. This strategy is effective even if it’s clear that those measures weren’t ultimately successful in thwarting the attackers.
The next step is to then explain how you will build on what is already in place to ensure that the attack you’ve just suffered won’t happen again. This should be clearly communicated immediately after the breach, with your strategy publicized widely. For instance, you might announce an improvement in your cybersecurity budget or an expansion of your team. This was the strategy taken by JP Morgan Chase, who announced a doubling of their security budget in the immediate wake of their breach.
Another effective strategy was aimed at reassuring customers that their data is safe.
For instance, numerous companies offered customers a form of monitoring service to help them identify any potential theft and reassure them that their data isn’t going to be abused. What’s more, when such measures are well advertised, it highlights the strong data stewardship offered by your company.
Prepare for the attack now
So often in business continuity, companies fail to react until it's too late. With data from Atlas VPN showing that cyberattacks on companies in North America are up 93% this year, you should assume that your company will be among them, if they are not already, so now is the time to start preparing.
For instance, you might consider doing cybersecurity ‘fire drills’ that involve senior managers in a simulated cyberattack.
This will help finely tune and hone responses, both from a technical and also communications perspective. It’s a form of deliberate practice that ensures that senior leaders are not only aware of the potential issues they may face, but also on the best forms of response when those issues emerge.
This results in potential blindspots being thrust into the open, and crisis averted before they ever get a chance to become reality. Wargaming is an increasingly popular option in the cybersecurity community and can involve not only internal stakeholders but those in the wider supply chain too. This ensures that all involved are up to speed with the potential issues at stake, and what responses are needed to both mitigate the risk, and respond to any events that emerge.
It’s by no means guaranteed that cyberattacks must result in stock prices being affected, but to avoid this outcome, it’s important that companies do all they can to retain the confidence of customers, investors, and other stakeholders by being as prepared as possible for the attacks that will inevitably come.