Definition: “Investment Contagion Effect,” the reputation loss an organization could suffer if a similar organization gets hit with a data breach; investors could lose confidence in organization B because organization A got breached. Now, academic researchers have tested the concept on a group of investors and concluded that the contagion effect is real but can be mitigated by disclosing cyber risk before the breach.
It’s validation, from another direction, of the message regulators such as the SEC have been pushing: investors must get full disclosure of cyber risk, stated in financial terms.
Researchers from North Carolina State University and Middle Tennessee State University told 120 non-professional investors to rate as a stock investment a fictitious Company A. Some of the investors were told about Company A’s cybersecurity program, some weren’t.
Then the investors were told that one of Company A’s competitors had been breached, and given post-breach news releases from A – but some releases discussed A’s cybersecurity program, some did not.
The net finding: Investors who received the disclosures before and after the breach rated Company A the highest. “I think the takeaway here is that there are very real advantages to voluntarily disclosing cybersecurity risk management efforts,” said Robin Pennington of North Carolina State. “…This is not a purely theoretical exercise – it can affect your company’s appeal to investors.”
While we haven’t seen Company A’s fictitious disclosure document, if it followed the guidance issued in 2018 by the Securities and Exchange Commission, it would give a detailed account of cybersecurity risk, including:
- Frequency of cyber events, based on past experience
- Probability and magnitude of incidents (costs, in financial terms)
- Adequacy of controls
- Third-party suppliers that might create material risks
- Amount of insurance coverage
- Potential reputational harm
- Relevant laws and regulations
- Potential fines and judgements from cybersecurity incidents
That essentially calls for the kind of thorough, quantified analysis achievable with the RiskLens Platform, based on Factor Analysis of Information Risk (FAIR), the international standard for cyber risk quantification. We’re happy to discuss a FAIR program with Company A any time, if they contact us.
See the abstract of the research paper: