An economics professor researching the stock price impact of cyber incidents has made a startling discovery: only a minority of listed Australian companies suffering breaches between 2011 and 2021 were disclosed to the Australian Securities Exchange (ASX).
Professor Alex Frino of the University of Wollongong compiled a database of cyber security incidents from three sources: ASX announcements by companies affected by a breach, the Dow Jones Factiva news database, and the Webber Insurance Database (covering the period 2018 to 2021).
That provided Professor Frino with 36 cyber attacks covering 27 companies, with the communication services, IT, consumer, and financial services experiencing 80 percent of the attacks.
In a copy of the research paper seen by iTnews, Professor Frino wrote that “25 of the cyber attacks were only reported in the press, while only 11 were made public via ASX announcements.”
Professor Frino noted that while the ASX’s continuous disclosure rules require announcement of any price-sensitive information, “there is currently no specific rule for a company to report cyber attacks to the market either in Australia or the USA”.
In researching stock price movements associated with a breach, Frino also discovered evidence that some companies delay making breaches public.
The paper stated that “there is substantial evidence of leakage of the information in the announcement for up to 30 days before it is formally announced by the ASX or media.”
“This is not surprising, as cyber breaches can occur months before a company finds out, and companies may race to engage customers to rectify the impact of breaches before any announcement – hence there is significant opportunity for information leakage to occur.”
He also found that the mean average market value loss for companies announcing cyber attacks is six percent, which he said provided a guide to how much the market expects a breach to cost the victim company.
The unpublished paper is awaiting peer review.