Investors are learning to deal with cyber risks

I have written before how cyber risks are becoming more prevalent everywhere. But if cyber risks are increasing, do they create opportunities for investors, or are they simply a risk to avoid somehow?

It seems that institutional investors are learning to deal with cyber risks. A study of institutional holdings of US stocks showed that after a company is affected by a cyber-attack, institutional investors are selling their stocks in that company. On average, they found that between 2007 and 2017 the probability that a company would be the victim of a cyberattack was 0.44%. But the variation around that average is large, roughly 1.6%. What the study showed was that originally, when a company was hit by a successful cyberattack, institutional investors would sell down some of their holdings. But over time two things seemed to happen. First, institutional investors increasingly seemed to be aware of potential vulnerabilities, reacting not just to actual cyber-attacks but to an increased likelihood of a cyberattack. The researchers created a cyber risk index to measure this effect, but they also said that this cyber risk index can be approximated by a simple google trend search for the term ‘data breach’ which approximates the general awareness of investors to cyberattacks. 

What is interesting to see is that a one standard deviation increase in the cyber risk index, which equates roughly to the likelihood of a company being successfully attacked from 0.4% to 2.0%, led to more and more institutional investors selling their holdings in the stock. Between 2007 and 2012, such an increase in cyber risk triggered an average decline in institutional ownership of 1.5% of share capital. Between 2013 and 2017 that had risen to 3.5%.

And with that decline in institutional ownership comes a share price correction and, of course, the possibility of higher returns afterward. In effect, institutional investors, by becoming more attuned to cyber risks create an additional equity risk premium for companies that face elevated cyber risks. By 2017, the researchers estimated that risk premium to be in the order of 3.4% per year when correcting for other factors like valuation, size, etc. So, if you are getting news of a company being the victim of a large cyber-attack, you know what to do. Wait a little until the dust has settled (I’d suggest about one month, but that is just my guess), and then buy into that stock as it recovers.