One of the biggest questions in cybersecurity now has an answer… and the implications are significant for investors, policymakers, corporate executives, and cybersecurity professionals alike.
In recent years, various researchers have demonstrated that significant cybersecurity breaches cause material, short term declines in stock price and market share. These analyses are based on reviewing publicly disclosed breaches and tracking stock price post-breach. But while these “event-driven” studies uncovered a critical link between data breach and stock price, a different question remained unanswered: is there a relationship between “ongoing” cybersecurity performance and financial performance? In other words -- would investing in companies with strong cybersecurity produce greater investment returns?
We now know that the answer to this question is a definitive “yes.”
BitSight and Solactive, a German index engineering firm, released new research demonstrating that a company’s ongoing, strong cybersecurity performance is an indicator of business performance. Analysis shows well-performing BitSight rated companies actually outperform the benchmark index by approximately 1% to 2% with lower volatility. For certain sectors, such as U.S. Technology, well-rated companies outperform the benchmark by 7%. The findings are an endorsement for the introduction of the Solactive BitSight Cyber Risk Index, a financial index that will enable investors to invest in companies who are top cybersecurity performers as measured by BitSight.
The findings from this research will have significant implications for the global marketplace of investors, policymakers, and companies themselves:
- For investors, knowing that cybersecurity presents not only a risk but a potential opportunity to achieve greater financial returns will likely result in greater attention to cybersecurity performance by the investor community and the widespread incorporation of security performance information into the investment decision-making process. These findings may also differentiate cybersecurity from other non-financial information in that cybersecurity performance is actually critical, material information to be used during the investment process. The Solactive BitSight Cyber Risk Index can be used as direct underlying or benchmarks of financial products such as ETFs or structured products across the following five index universe compilations: U.S. Market, European Market, Developed Markets, Asia-Pacific Market and U.S. Technology Market.
- For policymakers, understanding that there is clear, measurable market value in ongoing, strong cybersecurity performance should help validate “market-based” policy approaches to cybersecurity. There has long been a global debate about whether “the market” could help address cybersecurity challenges, or if new regulatory requirements were necessary to address market failures. Knowing that investors may achieve greater returns on their investments by investing in strong cybersecurity performers should encourage policymakers to focus more on market-based solutions to global cybersecurity issues, including encouraging greater disclosure and transparency to the investor community.
- For companies, knowing that cybersecurity is not only a risk but potentially a way of attracting investment will almost certainly result in significant changes in the way that senior executives, board members, and security professionals alike manage and measure cybersecurity performance inside of their organizations and communicate these initiatives to external stakeholders like investors. For example, security professionals should consider leveraging this research to justify security budgets and efforts to quantifiably, measurably improve security performance to the board and C-suite. With greater scrutiny of ongoing cybersecurity performance by investors, security professionals now have a chance to firmly establish their seat in the boardroom, making the business a more attractive investment opportunity by demonstrating the value of strong cybersecurity.
We believe that these findings are not only market-shaping… they firmly establish the value of BitSight’s measurements and analytics to the global marketplace. This is yet another independent, statistical validation of BitSight’s market-leading Security Ratings, further cementing the reason why the global marketplace -- investors, insurers, governments, and businesses -- trusts and uses the BitSight platform.