2023 Cyber Resilience Report
This is article 2 of 18 in this Report.
August 01, 2023 / 5 min Read
Build a Plan to Address the Perils of Reputational Risk
Aon's reputation research demonstrates that a major attack can have a long-term impact on a company's share price – negative or positive.
Key Takeaways
- On average, a major cyber incident resulted in a 9 percent decrease in shareholder value* in the year following the event.
- Companies that fared worse realized an average value impact of -21 percent*.
- 17 companies successfully navigated a cyber attack, realizing an average increase in value of 18 percent over and above the market.
*Over and above the market.
The intangible nature of reputational risk means that it is one of the most challenging risks to assess and quantify. According to Aon’s bi-annual Global Risk Management Survey, reputation has consistently ranked as a top-five concern for over ten years.1
Organizations can approach reputational risk in two ways: they can proactively manage it or they can react to a reputational event when it occurs. Reactive management potentially leads to the loss of control over the event’s narrative, exposing an organization — and its valuation — to global opinions via media channels.
Reputational crises often trigger financial markets to reassess their projections of future cash flows, leading to an adjustment in a company’s valuation. The market receives new information about the company and its management at times of crisis and typically forms a consensus on whether the impact on long-term future cash flows will be positive or negative. Central to this valuation is the reputational premium, which is the surplus of market capitalization over the company’s book and brand values. It reflects the company’s earning power that is valued by investors but not captured in either the brand or net assets.2
Once shareholder value is affected, scrutiny intensifies and regulatory and personal liability risks to directors and officers can arise. The former chief information security officer (CISO) of a well-known transportation mobility company was convicted of federal charges for covering up payments related to a 2016 data breach in which the personal information of 57 million users were stolen3, and more recently the UK Prudential Regulatory Authority fined a former FinTech chief information officer (CIO) for breaching senior manager conduct rules.4
As this spiral of impact from a mishandled breach deepens, trust in a company can and will diminish. Trust, or the emotional brain state that an organization is dependable and delivers a feeling of confidence and security, is central to reputation premium. A significant cyber attack, if successful, can swiftly erode trust, negatively impact customer sentiment, depreciate brand value, and affect a company’s reputational premium. While the event itself might be limited in time, the longtail effects can impact a company for far longer. Organizations must manage a company’s reputation like any other core asset. Proactive businesses that plan for adverse events and communicate in a genuine manner may find that the market not only can forgive but may also reward those who embrace and respond effectively.
Aon Findings: Reputational Risk
Aon’s reputation research2 highlights the increasing severity of today’s cyber attacks. Significantly, a major cyber attack can have a long-term impact on a company’s share price. An analysis of 47 prominent cyber events reveals that, on average, these incidents resulted in a 9 percent decrease in shareholder value over and above market effects in the year following the event. This translates to an overall negative value impact of $225 billion. Companies that fared worse (30) realized an average value impact of -21 percent, over and above the market, or a total value loss of $670 billion.
However, not all companies lost value in the wake of an attack. Some saw reputation capital increase over the course of the event. Our research identified 17 companies that successfully navigated these challenges, realizing an average increase in value of 18 percent above market trends, resulting in a combined value gain of $445 billion. These winners responded swiftly and effectively to minimize damage from the event and seized the opportunity that existed to control the Reputational narrative and minimize damage to their overall brand.
Cyber Events
| Cyber | Quantity | Terminal Value Impact ($) | Terminal Value (%) |
|---|---|---|---|
| Aggregate | 47 | -228B | -6 |
| Winners | 17 | 437B | 19 |
| Losers | 30 | -666B | -20 |
Ransomware, typically discussed as an operational threat, can also greatly damage reputational capital and impact shareholder value. When we compare the impact of data breaches to ransomware attacks, our long-term study of 12 significant ransomware events shows that, on average, ransomware attacks had a 12 percent lower impact than data breaches.
Cyber Years
| Data Breach | Quantity | Terminal Value ($) | Terminal Value (%) |
|---|---|---|---|
| 2010-2015 | 16 | -147B | -0.74 |
| 2016-2021 | 31 | -81B | -8.54 |
Overall, cyber attacks are more damaging today and our research shows a discernible increase on value impact. The average value impact from 31 cyber attacks between 2016-2021 was 8 percent down on the average impact of 16 cyber attacks that occurred between 2010-2015.
Cyber Events Types
| Data Breach | Quantity | Terminal Value ($) | Terminal Value (%) |
|---|---|---|---|
| Data Breach | 31 | -356B | -5.73 |
| Ransomware | 12 | -93B | -12.32 |
The management of cyber risk and procurement of cyber insurance is generally viewed favorably by stakeholders. It can deliver protection against financial volatility and erosion of shareholder value (EPS), and it can help protect employees, customers, and partners. Five hallmarks of reputational value recovery can help companies mitigate risk of reputational fallout post breach: preparedness, leadership, communication, action, and change. Companies must be deeply committed to cyber loss prevention and mitigation, enabled by a strong recovery or incident response plan. Strong and visible CEO leadership and accurate and well-coordinated disclosures are part of the critical response plan. Action should be instant and global. And above all, genuine remorse and an honest commitment to meaningful change are required.
References
Research note: Impact percent and $ figures are modelled figures that have removed market-wide movements.
1 “2021 Global Risk Management Report.” Aon. Report. 2021.
3 “Former Chief Security Officer of Uber Convicted of Federal Charges for Covering Up Data Breach Involving Millions of Uber User Records.” United States Attorney’s Office. Press Release. October 5, 2022.
4 “Former CIO of TSB Bank Fined £81k by PRA over 2018 IT disruption.” FinTech Futures. Article. April 18, 2023.
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
Managing cyber across six featured risk themes.
This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic.
