Predicting cybersecurity nightmares

Posted on: 10 October 2023 in Research

Professor Chris Florackis’ research presents a new firm-level measure of cybersecurity risk for US publicly listed enterprises, and examines whether investors expect greater returns from firms that are more exposed to cyberthreats.

Developed alongside colleagues at the University of Hong Kong, Cyprus University of Technology and University of Chicago, the cybersecurity risk score compares language used in risk disclosures of firms that have been hacked, with those which have not.

According to the study's findings, companies that use similar language to that of corporate victims of "major" hacking attacks are more exposed to cybersecurity risk, and thus more likely to be targeted by cybercriminals.

The research also finds that portfolios of firms with high exposure to cybercrime outperform those with lower cybersecurity risk scores, although they perform poorly in periods of heightened concern over cybersecurity risk.

The financial and reputational cost of cybercrime

Widespread cybercrime and cyber insecurity are viewed as the most important technological short- and long-term global risks, which is not surprising, given the rapid increase in major cyberattacks in recent years.

Between 2022 and 2023, UK firms experienced 70,000 non-phishing cybercrimes, at an average cost of approximately £15,300 per victim. Despite substantial investment in security systems, most firms remain highly exposed to cybersecurity risk.

For businesses, a heightened cybersecurity risk means increased exposure to financial loss, disruption and reputational damage, due to a failure in their information technology (IT) systems caused by external attacks.

Cybercrime involving hacking, malware or Distributed Denial-of-Service (DDoS) attacks can go unnoticed for months, as was the case with SolarWinds Orion, software used by over 30,000 public and private organisations to monitor and manage their IT resources.

In one of the most sophisticated cyberattacks in history, Nobelium hackers (the most likely attackers, according to Microsoft) carried out a supply chain attack to gain illegal access to thousands of organisations’ IT systems via the third-party software.

Rather than targeting companies and government agencies directly, all the hackers had to do was insert Trojan horse malware into a software update distributed by SolarWinds.

What is a Trojan horse virus?

A Trojan Horse is a type of malware which can disguise itself as a harmless file, but contains malicious code, aimed at disrupting, damaging or gaining unauthorised access to IT systems.

Once the Trojan has entered an organisation’s network, it lets hackers carry out actions that legitimate users could perform.

This includes exporting and deleting files, modifying data, altering the contents of devices, or extorting users into paying a ransom to restore infected devices and their contents.

From March 2020 the malware took control of computers and, in some cases, stole highly important and sensitive files from top-level organisations including the European Parliament, UK Home Office, US Treasury Department, Boeing and AstraZeneca.

Until the attack was discovered in December 2020, hackers enjoyed nine months of unfettered access to over 100 organisations’ IT systems, while transfers were disguised as ordinary network traffic.

In addition to the reputational damage to SolarWinds, the attack cost affected companies 11% of their annual revenue, which translated into over $12 million (£10 million) per company, with the only fix often being to rebuild entire IT systems.

A novel firm-level measure of cybersecurity risk

As well as hitting the headlines and sending IT departments across the world rushing to improve their defences, the SolarWinds attack also caught the attention of Chris and professors Roni Michaely (HKU), Christodoulos Louca (CUT) and Michael Weber (UC).

With the help of a web-crawling algorithm, they undertook a textual analysis and a comparison of cybersecurity risk disclosures found in 10-K forms completed between 2007 and 2018.

Form 10-K is a comprehensive report on a company's financial performance (similar to an annual report, but often more detailed) that the US Securities and Exchange Commission requires all publicly traded companies to file every year.

As well as presenting an overall picture of a firm’s financial health, Item 1A – “Risk Factors” of the Form 10-K outlines the most significant present and future risks faced by the company.

This includes references to cybersecurity risks such as: severity and frequency of prior incidents, probability and potential impact of future occurrences, operational risks, preventative actions, legal compliance, litigation and insurance costs and potential reputational harm.

After identifying a training sample of corporate victims of “major” cyberattacks, they estimated the similarity between the language used by these firms and that used by others which had not been victims of an attack.

They discovered that the higher the similarity score between a firm’s risk disclosure and those of companies in the training sample, the greater its general exposure to cybersecurity risk.

This means that firms which later become cyber victims are already more vulnerable before the attack happens, and describe their concerns over cyberthreats and how they manage them in similar terms prior to the event. In their disclosures, this materialises as:

  • Higher emphasis on cybersecurity than firms with low scores
  • Separate sections devoted to cybersecurity risk
  • More comprehensive and precise cybersecurity risk disclosures, including discussions on legal consequences and preventive measures.
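To make the similarity idea concrete, here is an added, self-contained example (not code from the paper or from the University of Liverpool, whose exact text-similarity method is not described on this page). It assumes a simple TF-IDF weighting with cosine similarity, scoring each firm by its mean similarity to a constructed "training sample" of Item 1A excerpts in the style of firms that were later attacked. The firm names and disclosure texts are invented for illustration and are not quotes from any real filing.

```python
"""
Toy reconstruction of a text-similarity cybersecurity risk score.

Assumption for illustration: TF-IDF term weights plus cosine similarity,
scored as the mean similarity to the training sample. This is NOT the
measure from Florackis et al.; it only demonstrates the general approach
of comparing a firm's risk disclosure with those of earlier attack victims.
"""
import math
import re
from collections import Counter

# Constructed training sample: disclosures in the style of firms later hit
# by major attacks (invented text, not real filings).
TRAINING_SAMPLE = [
    "Cybersecurity incidents, including unauthorised access to our information "
    "technology systems and data breaches, could disrupt operations, expose us to "
    "litigation and regulatory action, and harm our reputation. We maintain cyber "
    "insurance and have adopted preventive security measures.",
    "We rely on information technology systems and third-party software. A breach "
    "of our network by malware or hacking could result in loss of confidential data, "
    "legal liability, remediation costs and reputational damage.",
]

# Constructed candidate disclosures for hypothetical firms (invented text).
CANDIDATES = {
    "TelcoCo": "Our network and information technology systems are exposed to "
               "cybersecurity risk. Unauthorised access, malware or a data breach "
               "could cause litigation, regulatory penalties and reputational harm, "
               "and our cyber insurance may not cover all losses.",
    "RetailCo": "Our results depend on consumer spending, seasonal demand and the "
                "cost of raw materials. Competition in retail is intense and we may "
                "be unable to open new stores on favourable terms.",
    "MiningCo": "Commodity prices are volatile. Our mines are subject to geological "
                "risk, weather events and changes in environmental regulation.",
}

TOKEN_RE = re.compile(r"[a-z]+")


def tokenize(text):
    """Lower-case the text and split it into alphabetic tokens."""
    return TOKEN_RE.findall(text.lower())


def build_idf(documents):
    """Smoothed inverse document frequency over a list of token lists."""
    n = len(documents)
    df = Counter()
    for doc in documents:
        df.update(set(doc))
    return {t: math.log((1 + n) / (1 + d)) + 1.0 for t, d in df.items()}


def tfidf_vector(tokens, idf):
    """Sparse TF-IDF vector: term -> count * idf."""
    return {t: c * idf.get(t, 1.0) for t, c in Counter(tokens).items()}


def cosine(a, b):
    """Cosine similarity of two sparse vectors; 0.0 if either is empty."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return dot / (na * nb)


def cyber_risk_scores(candidates, training_sample):
    """Score each candidate as its mean cosine similarity to the training sample."""
    train_tokens = [tokenize(t) for t in training_sample]
    cand_tokens = {name: tokenize(t) for name, t in candidates.items()}
    # IDF is fitted over the whole corpus so common words (our, and, the) weigh little.
    idf = build_idf(train_tokens + list(cand_tokens.values()))
    train_vecs = [tfidf_vector(t, idf) for t in train_tokens]
    scores = {}
    for name, toks in cand_tokens.items():
        vec = tfidf_vector(toks, idf)
        scores[name] = sum(cosine(vec, tv) for tv in train_vecs) / len(train_vecs)
    return scores


def rank_by_exposure(scores):
    """Firm names ordered from highest to lowest cybersecurity risk score."""
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    scores = cyber_risk_scores(CANDIDATES, TRAINING_SAMPLE)
    for name in rank_by_exposure(scores):
        print(f"{name:10s} {scores[name]:.3f}")
```

Running the script ranks the hypothetical telecoms firm, whose disclosure discusses breaches, litigation and cyber insurance in the same terms as the training sample, above the retail and mining firms whose risk factors barely mention IT. The IDF step matters: without it, shared function words such as "our" and "and" would inflate every score and blur the ranking.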

Amongst the sample, scores were higher in industries heavily reliant on IT systems to perform their operations (e.g. telecommunications, broadcasting, finance, etc.), which in practice exhibit a higher cyberattack incident rate.

The study demonstrated that the new measure reliably captures exposure to cybersecurity risk and can predict upcoming attacks: a one-standard-deviation increase in the cybersecurity risk score increased the probability of a future cyberattack by 92.70%.

Higher cybersecurity risk means higher expected returns

Under the premise that investors may require higher expected returns from firms with high exposure to cybersecurity risk, the second part of the study examined whether cybersecurity is priced into stock returns.

After sorting stocks into portfolios based on cybersecurity risk scores, the team tracked returns over time and found that portfolios of firms with high exposure to cybersecurity risk outperform other firms, on average, by up to 8.3% per year.

However, the study also showed that high cybersecurity risk stocks perform significantly worse than low cybersecurity risk stocks in times of heightened cybersecurity risk and investor concern about data breaches.

The results are evidence of cybersecurity risk being priced into stock returns, meaning the premium high cybersecurity risk stocks earn does compensate investors, despite poor performance in periods of high cybersecurity risk.

Better assessment and management of cybersecurity risks

The study findings, summarised in the paper ‘Cybersecurity Risk’, provide further insight into individual firms’ exposure to cybersecurity risk, its quantification, and effect on asset prices.

Chris’ cybersecurity risk measure and its underlying methodology enable a systematic analysis of cybersecurity risk and its implications for firm value, corporate policies and operations.

Professor Chris Florackis

Professor of Finance and Head of the Accounting and Finance Subject Group

You can read Chris' paper here:

Florackis, C., Louca, C., Michaely, R. and Weber, M. (2023). ‘Cybersecurity Risk’, The Review of Financial Studies, 36(1): 351-407.