Most companies underinvest in cybersecurity
If you look out for it, you can read a news story about some kind of major security breach at a company every couple of months. Most of the time, the story doesn’t make it onto the front pages, but some, like the recent data breach at EasyJet, do.
For investors, it is really tricky to assess the impact of data breaches on the share price, because it essentially depends on how big the data breach is and how much attention the public pays to it. At least when it comes to public interest in the topic, there is a clear trend towards taking cyber risks seriously. Google Trends shows that in 2020, global searches for cyber risks are now on par with searches for operational risks. As a result, we should expect data breaches to have a greater and greater impact on the share price over time. This interactive collection of data breaches and their impact on share prices shows that, in the past, only the most severe data breaches led to significant share price underperformance. In the future, the threshold of what counts as a severe data breach may well decline.
[Figure: Google searches for operational and cyber risks. Source: Google Trends.]
Two things, though, are clear.
First, cyber-attacks and data breaches aren’t rare. A recent study by the Bank for International Settlements examined 115,000 data breaches between 2002 and 2018. The industry that was attacked most was financial services, with roughly a quarter of all cyber-attacks targeted at banks, insurance companies, and other financial services firms. That’s not too surprising, since banks get robbed because – well – that’s where the money is. On the other hand, transportation companies like EasyJet get attacked relatively rarely, with only 1% of all attacks targeted at this industry. Yet the losses to a company depend not only on the frequency and sophistication of the attacks but also on the sophistication of the company’s IT security. And this is where banks and other financial services providers excel. They know they are a prime target, and thus they invest heavily in IT security. Transport companies, on the other hand, seem to save on their IT security spending. As a result, cyber-attacks on transportation companies tend to cause the biggest average damage. No wonder EasyJet is now the target of a class-action lawsuit for neglecting its IT security.
[Figure: Average damage to a company from cyber-attacks, by industry. Source: Aldasoro et al. (2020).]
Second, based on the frequency of attacks and the average damage caused by successful ones, it is possible to calculate the optimal spending on IT security as a share of revenues. On average, companies spend c. 3% of revenues on IT (not just IT security, but all of it). Financial services companies spend the most, with 6% of revenues, while construction, mining, and utilities spend the least, with 2% of revenues on average. However, to minimise cyber risks, companies should spend c. 7% of revenues on IT. If we compare the actual level of IT spending with the optimal level from a security perspective, financial services come out on top. Other industries that tend to spend enough on IT are the IT sector itself, but also mining and utilities. And then there are the sectors that are woefully underinvesting. The arts and recreation sector should spend seven times as much on IT as it currently does, and professional and scientific services companies should spend roughly eight times as much on IT as they currently do. Note that these companies typically have access to sensitive personal data like credit card and bank account details, just like companies in other sectors. And while every company is different, it seems clear from this data that hardly any company in these two sectors is likely to have sufficient IT security in place.
[Figure: Actual vs. optimal IT spending as a share of revenues, by industry. Source: Aldasoro et al. (2020).]