In 2014, hackers breached the cybersecurity defences of JPMorgan Chase & Co. and stole data related to 76 million households and 7 million small businesses. At the time, the attack was the largest ever on a U.S. bank. Yet despite the scope of the breach, the bank's stock price barely budged.
To date, cybersecurity breaches have had relatively little impact on large companies' share value. This, however, is likely to change, according to Ian de Verteuil, equity strategist at CIBC World Markets Inc.
In a report published on Sunday, titled "The Known Unknown," Mr. de Verteuil suggests that, "it is likely we will have a major cyber-crime issue at one or more large public Canadian companies over the next year or two." The impact on those companies' stock prices will likely be more significant than in the past, he argues.
Mr. de Verteuil looked at five major cyberattacks on large companies over the past several years and found that stock prices dropped an average of only 2.4 per cent following a significant breach. In some of the cases there were extenuating circumstances. With JPMorgan, for example, the company made it clear the stolen information did not contain confidential data, such as passwords or account numbers.
In other cases, the attacks were significantly more costly to shareholders than the 2.4-per-cent average price decline. In the month following the 2015 cyberattack on Target Corp., the company's share price slid, underperforming the market by 400 basis points. When the 2013 and 2014 breaches at Yahoo Inc. were made public in 2016, the company was in acquisition talks with Verizon Communications Inc. "The acquisition price was adjusted lower by $350-million (U.S.) – representing a 7 per cent drop in value," Mr. de Verteuil noted.
Still, the 2.4-per-cent average decline is significantly less than what Mr. de Verteuil said he would have otherwise expected. That doesn't mean that investors should be lulled into a false sense of security. According to a 2017 survey by IBM Security and the Ponemon Institute, over the past four years, cybersecurity breaches cost Canadian companies an average of $4.56-million per breach.
"The impact is a long-term brand issue more than a short-term expense issue," Mr. de Verteuil said in an interview. "That's tougher for the market to evaluate." He added that it's hard to measure the impact of cyberattacks on share price because companies are measured relative to their sector, and a cyberattack on one company can hurt investor confidence in others like it.
"Whatever the evidence to date, we believe that the frequency and severity of cyber-attacks will increase over time," Mr. de Verteuil wrote in the report. "Shrewd investors will need a series of questions that provide insight into how seriously the c-suite of a company takes cyber-risk."
In all, Mr. de Verteuil lists 19 questions portfolio managers and investors need to start thinking about, including: How many cyberattacks did the company see in the last quarter? Has the company done any independent cybersecurity tests? What's the annual cybersecurity budget? How much would it cost the company if it lost all its IT systems for a day?
"We understand that investment professionals (like us) also struggle to truly comprehend the full extent and implications of a cyber-breach. However, we believe asking a handful of these questions would provide investors insight as to how seriously this risk is taken at certain companies," he wrote.
While the vast majority of cyberattacks have been on U.S. companies, Canadian companies may be particularly exposed because of their close corporate ties with American companies. As a percentage of total attacks, "Canada ranks quite high, i.e. poorly, materially higher than its share of global GDP," Mr. de Verteuil wrote.
Some industries are more susceptible than others. In 2016, 44.2 per cent of cyberattacks targeted the service sector, with business services and health care hit most frequently, according to data from software company Symantec Corp. cited by Canadian Imperial Bank of Commerce.
Financial services, listed as a separate category, made up a further 22.1 per cent of attacks. Manufacturing and retail companies, by contrast, made up up 11.4 and 8.2 per cent of targets, respectively.