The expenses that Sharbit will have to bear as a result of the cyber assault on it are impossible to quantify, but research investigating what happened to the businesses that were hacked show a startling fact – consumers do not leave en masse, and the company’s value is barely affected.
A wide universe of interesting scholarly studies often hides behind the great economic news, of which much of the population is ignorant. Today, we are happy to introduce a special column here that will connect current affairs with academic science. We would aim to make the related analysis knowledge available to managers, regulators and others involved in management, the financial market and the economy through the column, which will be published once every two weeks, all in plain and succinct language.
Via the guide attached to this column, anybody who wants to extend the canvas and delve into the studies themselves will be able to do so. Prof. Dan Amiram, CPA, Deputy Dean of Tel Aviv University’s Koller Faculty of Management, and Dr. Ari Ahiez, of the same faculty, are specialists in financial markets, economics and creativity, and may, from time to time, lead the column with researchers from other fields, if needed.
The cyber attack on the insurance firm Shirbit earlier this month exposed details about the company’s clients, and it was possible to assume that the company was in a deep crisis, due to the public and media noise produced around the incident.
Although the business is not public, it is very difficult to quantify the real costs of the attack – costs that include the immediate expense of coping with the crisis (defense consultants, logistics, etc as well as long-term costs, including improved data security, civil litigation, future penalties, and the largest of all costs, and the possible harm to credibility and customer departure
Answer to customers: Do not hurry to quit
There were some anonymous interviews with the company’s clients after the event in Shirbit. According to them, they will not continue to collaborate for the company in the future because details about them has been released. Except with businesses that have been cyber-attacked, are clients still fleeing en masse? A research conducted in the US and published by the Rand Corporation (Avalon & Co., 2016) conducted a survey to investigate precisely this topic.
The poll conducted by about 2,000 men and women in the U.S., showed that at some point in their lives, about 44 percent of respondents were notified of the possibility for personal data to leak about them.
In another study (Agrwal & Co., 2020), after around three separate cyber assaults between food and finance firms, researchers were able to collect information on real consumer behavior. The findings reveal that no impact of the cyber attack on consumers leaving or joining new customers was detected, and the drop in consumer behaviors (in one of the events) was only momentary and vanished after a couple of months.
Researchers investigated a cyber-attack event at a large fashion retail chain in another report (Janakirman & Co., 2018), in which only information about the credit card data of physical store consumers was disclosed. The analysis indicates that while there was a sharp drop in sales in the shops of the impacted consumers, those customers still raised their purchases on the web platform, and the amount of their purchases did not change at all for customers about whom information was not revealed.
Stock reaction: A fleeting, slight blast
Shirbit is an enterprise that is not listed on the stock exchange and as a result of the attack, it is not possible to predict the shifts in valuation. However through public companies that have reported similar attacks in the past, the costs of devastating cyber attacks can be learned more widely and representatively.
One of the underlying principles of stock market analysis is that the price of a public share in modern capital markets represents, on average, all the latest knowledge and predictions about the business. Therefore, when a company declares a cyber attack, following the release of the report, the stock price should quickly embody the bulk of the costs of the attack within it and constitute the best measure of the effect of the attack on the company’s valuation.
During the years , a new report (Richardson & Co., 2019) investigated 827 cyber accidents in the US. The report showed that banks and financial agencies, and department outlets, were the worst hit businesses. Loss of financial records such as account numbers and credit cards (53 percent of the sample) or personal consumer details are the most prevalent vulnerabilities (34 percent of the sample).
An analysis of the impact of the announcement on the value of the company reveals that there is a statistically significant drop in the share price of businesses impacted by the cyber attack in the amount of days after the release of the announcements surrounding the cyber attack, from the day before the announcement to three days after the announcement. This decline, though, is expressed by all accounts in a very slight negative shortfall return – just about 0.3 percent .
Furthermore, as the scope of the incident was increased to one month, three months or half a year after the release of the cyber-attack announcement, it was observed that there was no continuous drop in the rates of the companies affected, and that the companies affected were no longer substantially different from those of the uninjured companies. And if a slight negative momentary effect on yields has arisen, this effect passes over in a short time.
The impact of cyber-attacks on the potential financial performance of the targeted firms were also analyzed in this analysis relative to comparable companies which were not targeted. Here too, it seems that the firms that were targeted have not improved dramatically in terms of sales volume, growth rates and return on investment relative to comparable companies (ROA).
These findings, which confirm similar results obtained in other articles investigating the effect of cyber attacks on the value of businesses, are consistent with the relative indifference found as mentioned earlier in the consumer behaviour of businesses impacted by cyber attacks.
Of course, just what Shirbit’s clients will do or how the value of the business will be impacted can not be decided. But it can be learned from the studies presented above that the effect is very minimal on average, i.e. marginal withdrawal of consumers and negligible damage to the company’s valuation and its performance.