How much shareholder value drops after a cyber breach

Major cyber incidents disrupt more than a corporation’s operations.

Shareholder value, a key measure of a company’s financial health, was shown to fall an average 9% in the year following an event, a recent Aon report showed.

With that, C-suite clients are waking up the fact that cyber breaches have potential to impact all areas of their businesses even after a breach is resolved, Aon explained in its Cyber Resilience Report.

This is especially crucial for clients in the financial services, healthcare or manufacturing industries, which are most vulnerable to cyber threat actors, according to the survey, which collected results from over 2,000 Aon clients across industries and regions, including Canada.

After about four years of a challenging market, where insurers saw extreme loss ratios and a rise in the size and severity of cyber-attacks, underwriting requirements became more stringent.

As a result, organizations across all industries and revenues improved their cyber maturity from ‘basic’ to ‘managed,’ according to client data.

Mid-market clients reported the most significant improvements in overall cyber maturity.

Incident response planning, data protection, endpoint logging and monitoring, and remote work vulnerability and monitoring drove the major improvements in mid-market security levels.

On the other hand, however, global and enterprise segment organizations reported improvements, but remained at a ‘managed’ level of security.

The insurance industry isn’t in the clear, either. In finance and insurance, ransomware claims increased by 38% from 2022’s fourth quarter to 2023’s first quarter.

Healthcare clients’ overall cyber risk improved from 2.6 to 2.8 (on a scale of 1-to-4). For enterprise and global clients in healthcare, the overall risk profile improved from ‘basic’ to “managed.”

In manufacturing, mid-market clients’ scores improved from 2.2 to 2.5. However, 56% still reported low risk scores. Fortunately, manufacturing clients are taking security seriously, with companies reporting 8.5 percent of their IT budget dedicated to security.

Across all organizations, the average information technology spend for security is 10% — an increase from 2020 to 2022, the report said.

In terms of controls, data security, application security, remote work, access control, and endpoint and systems security showed the most significant risk profile improvements.

But there’s still room to do better.

Third-party risk management, including contract diligence and inventory management, remains flat, and no organization scored a ‘managed’ level of cyber maturity.

“While this result is not surprising, it tends to validate a rising theme within the cyber industry that the risk introduced across a company’s supply chain is complex, and the deepening interconnection across technology stacks exponentially increases third-party risk,” the report read.

Third-party risk management is a focus for the industry itself.

Canada’s financial solvency regulator published its final revised guideline for managing risks associated with third-party contracts and arrangements this spring.

Insurers will be required to manage and understand the risks of their outsourced third-parties, which includes brokers, cloud service providers and technology companies that deliver financial services, to name a few.

Feature image by iStock.com/Feodora Chiosea