FTSE 100 companies that suffer serious cyber attacks risk taking a £120m hit to their market value, according to the first study to establish a link between hacks and falling share prices.
Oxford Economics, which studied 65 severe breaches at listed companies, found that they tend to lead to share prices falling by an average of 1.8pc.
The report, commissioned by the IT giant CGI, also found that investors had started punishing companies more harshly for cyber attacks in recent years. While disclosing a hack in 2013 would have led to a 0.2pc share price fall, by last year this had risen to 2.7pc.
The research follows a string of high-profile attacks on companies including TalkTalk, Yahoo and Tesco Bank. Yahoo, which revealed last year that more than 1bn accounts had been compromised, was forced to cut the price of its $4.8bn (£3.9bn) sale to Verizon by $350m earlier this year.
Oxford Economics examined the long-term effect on companies hit by a “severe” or “catastrophic” data breach, as defined by Gemalto, a company that tracks cyber attacks. It found that over a week, a hacked company’s share price would fall by an average of 1.8pc compared to its peers – roughly £120m for a FTSE 100 group – although in some cases shares fell by as much as 15pc.
“The markets are now starting to become aware that a cyber attack destroys value in the company,” said Andrew Rogoyski, head of cyber security at CGI. “We are beginning to see City analysts, venture capital firms and credit ratings agencies factor cyber security readiness into the way they assess firms.”
A new European data protection regime is due to come into force in May of next year that will force companies to disclose more cyber attacks and give regulators the power to enforce much higher fines than the current £500,000.
The General Data Protection Regulation, which is being adopted in the UK despite plans to leave the EU, will mean companies facing a fine of up to €20m (£17m) or 4pc of turnover, whichever is larger.