Cybersecurity Risks in Valuation

A very valuable academic contribution to a question many executives and boards are currently facing: The impact of extreme cyberattacks on market valuations. Ryan et al. 2025 analyse the impact of extreme cyberattacks on the market valuation of publicly listed companies. The study covers severe cyber incidents disclosed since 2000 and examines their medium and long term effects on firm value. What the study looks at: Worldwide extreme cyberattacks and how capital markets react to them over time. What counts as an extreme cyberattack: Cyber events exceeding defined severity thresholds, such as losses above USD 10m, large scale operational disruption, ransomware, malware, major data breaches, DDoS or cyber espionage. Core results: After 1 year, affected companies underperform expected market valuations by around 9%. After 2 years, the cumulative underperformance deepens to around 14%. Key implication for companies: The financial impact of extreme cyber events is structural rather than temporary. Market value erosion continues long after systems are restored.   Further (important!) observations from the study · Market losses are often substantially higher than direct recovery and remediation costs. · Market intolerance towards cyber failures has increased over time · Ransomware and malware events show a materially stronger valuation impact than data breaches. · Companies suffering severe cyber incidents often become more vulnerable to acquisitions at depressed valuations. From a cyber insurance perspective, this is where the discussion becomes strategic. Cyber insurance is clearly designed to enable risk transfer. However, a major part of its value also lies in the 24/7 access to specialised resources across technical, legal, forensic and communication disciplines. Acting correctly and coherently during a cyber crisis, operationally and communicatively, can materially influence the financial outcome. This is why cyber insurance should not be viewed purely as a financial instrument, but as a strategic decision that deserves a place in the broader risk and resilience discussion at management level.

We are often asked about the impact of a cyber-attack on an organisation and tend to focus on operational disruption, brand and reputation, and harm to individuals. Yet, understanding the financial impact is much harder to determine, given the large number of factors that come into play. A new Australian study (The impact of extreme cyberattacks on market valuations: An in-depth economic analysis) by Ryan et al. (2025) reveals that extreme cyberattacks, those causing direct losses over $10 million or major operational disruption, have a profound and lasting impact on the market valuation of publicly traded companies. Analysing incidents from 2000–2021, the research found: - Market Value Declines: On average, affected companies underperformed by nearly 9% in the year following a major cyber event, and by 14% over two years. Recovery is slow, with many firms still lagging market benchmarks two years post-incident. - Severity Is Increasing: Since 2015, the market’s intolerance for cybersecurity failures has intensified, with more severe and persistent financial repercussions. - Attack Type Matters: Ransomware and malware attacks have a much greater negative impact on market value than data breaches, highlighting the need for tailored risk management. - Beyond Immediate Costs: The true financial impact extends far beyond remediation and compensation, opportunity costs, reputational damage, and increased operating expenses are significant. What does this mean for business and incident response? Boards and executive teams must treat cyber risk as a strategic priority. Effective incident response isn’t just about technical recovery, it’s about protecting long-term value, reputation, and stakeholder trust. Investing in robust prevention, rapid response, and transparent communication is essential to mitigate both immediate and downstream impacts. Reference: Ryan, M., Withers, G., & den Hartog, F. (2025). "The impact of extreme cyberattacks on market valuations: An in-depth economic analysis." Australian Journal of Management. https://lnkd.in/gjm2pF2f #CyberSecurity #IncidentResponse #RiskManagement #MarketValue #McGrathNicol

Recently, an executive at a publicly traded company asked me a simple but important question: “Is there a straightforward way to estimate how much a cyberattack could affect a company’s stock price?” At first, I shared what we already know: Target (2013): −10% Equifax (2017): −35% MGM Resorts (2023): −18% CrowdStrike (2024): −11.1% in a single day But the more I thought about it, the more I realized there isn’t a simple formula. So I did a bit of research. 📊 In the few pages I’m sharing below, you’ll find: ✅ Average stock price drop from four major studies: 7.27% from Comparitech 4.7% from Morningstar Sustainalytics 2.7% from MIT Sloan School of Management 1.12% from an NBER working paper ✅ A visual framework to assess the impact of a breach across key factors: Industry Data sensitivity Company size and visibility Response quality Pre-breach posture ✅ A quick overview of the Top 10 cyber incidents ranked by stock price drop ✅ A timeline-based case study on Equifax and how it lost over a third of its market value in just days One thing is clear: 💥 cyber risk = valuation risk A cyberattack is not just a cybersecurity problem. It is a financial problem. A trust problem. A boardroom problem. Richard Stiennon, Herbert Roitblat, Phil Venables what do you think? Everyone, help me out. - How should companies account for cyber risk when evaluating their market value or investment potential? - What would you expect to see as part of that calculation? #Hackonomics #Cybersecurity #StockMarket #RiskManagement #CISO #IncidentResponse #CyberEconomy #Finance #InformationSecurity