Extreme Cyberattacks Don't "Blow Over" Quickly: What a 2-Year Market Study Found

Executive Summary: Key Research Findings at a Glance 

Study Scope: 44 extreme cybersecurity incidents affecting publicly traded companies (2000-2021) 

Critical Findings: 

  • 1-Year Impact: –8.9% average market value loss  
  • 2-Year Impact: –14% average market value loss  
  • Market-Adjusted Performance: –18% below comparable market peers by year two 
  • Trend: Market intolerance is increasing, not decreasing—post-2015 incidents show >50% negative differential 

Bottom Line for Boards: The financial damage from extreme cyberattacks extends far beyond immediate response costs and persists for years, making cybersecurity a critical board-level strategic risk requiring quantified governance. 

Introduction 

A recent academic study—The impact of extreme cyberattacks on market valuations: An in-depth economic analysis—examines a question most directors and investors care about but rarely see answered rigorously: how much shareholder value is impaired after a truly severe cyber incident, and for how long? 

The research, conducted by Dr. M. Ryan, G. Withers, and F. den Hartog, and published in the Australian Journal of Management in 2025, provides compelling evidence that challenges the conventional wisdom that markets quickly "price in" and move past cybersecurity breaches. 

Below is an executive walkthrough of the paper's purpose, dataset, key findings, and the practical actions boards and investors can take to both reduce the likelihood of attack and limit the post-incident valuation hit. 

What the Researchers Set Out to Test 

The paper's goal is straightforward and important: estimate the medium- to long-term impact of "extreme" cybersecurity events on publicly traded companies' market valuations, addressing a gap in prior work that tends to focus on short-term market reactions. 

A core theme is that immediate remediation and compensation costs are only the visible portion of the loss. The researchers focus on whether markets price in broader, longer-lived consequences—reputational drag, growth disruption, elevated operating costs, and risk premia. 

Study Methodology and Scope 

Study scope: Extreme cyber events affecting listed firms from 2000 to 2021. 

Observed disclosure years: The disclosed incidents in the published event list run from 2006 through 2020. 

Performance window per incident: The methodology evaluates market performance over approximately one year pre-event and up to two years post-event. 

Who Is in the Sample (and What "Extreme" Means Here) 

The study focuses on "extreme" cybersecurity incidents—events exceeding severity thresholds such as: 

  • >$10M direct loss 
  • >1M records compromised 
  • Material operational disruption 

Events are identified from public reporting and validated by triangulating primary materials (e.g., releases, annual reports, filings). The authors note the sample is predominantly US-based, followed by Europe and Australia. 

Sample size: 44 incident observations involving 42 distinct public companies. 

Sample Breakdown by Geography and Sector 

Headquarters (by country): 

  • United States: 23 | United Kingdom: 3 | Denmark: 3 | Japan: 2 | Spain: 2 | France: 2 | Australia: 2 
  • Ireland, Taiwan, Italy, Norway, Canada, South Korea, Switzerland: 1 each 

Primary Sectors: 

  • Technology & IT: 14 | Industrial & business services: 8 | Consumer & retail: 7 | Defense & aerospace: 4 
  • Healthcare & life sciences: 3 | Financial services: 3 | Telecom/media: 2 | Transport & logistics: 2 | Hospitality: 1 

The Headline Findings: The Market Impact Persists—and Is Material 

The Long Road to Recovery: Timeline of Market Value Erosion 

1) The Value Hit Is Not Just Immediate; It Lingers 

The study reports statistically significant, durable underperformance after extreme cyber events, challenging the "markets digest it quickly" narrative. 

2) The Magnitude Is Large Enough to Matter to Any Board or Long-Only Investor 

Key reported results include: 

  • 1-year CAR (cumulative abnormal return): about –8.9% on average 
  • 2-year CAR: about –14% on average 
  • Market-adjusted underperformance: roughly 18% below comparable market performance by the end of year two 

3) The Market Has Become Less Forgiving Over Time 

The authors report the market response worsened since 2010 and intensified post-2015, rather than fading as cyber incidents became more common. 

Temporal analysis shows: 

  • 2010–2014 period: –12% mean differential 
  • 2015–2019 period: –45% mean differential 
  • 2020+ period: >–50% mean differential 

4) Not All Cyber Events Are Priced the Same 

Attack type matters materially in their results. The paper reports: 

  • Ransomware: 23x more severe market impact than data breaches 
  • Malware (without extortion): Estimated 45% reduction in market value (limited sample) 
  • Data breaches: Comparatively modest impact on market valuations 

What Boards and Investors Should Do Next 

A. Reducing the Probability of a Successful Cyberattack

1. Make Cyber Risk Governance Explicit at Board Level 

Cybersecurity frameworks like NIST Cybersecurity Framework 2.0 elevate governance with a dedicated "Govern" function tied to risk strategy, expectations, and policy monitoring. 

This new function, introduced in February 2024, "establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy," according to NIST's official guidance. 

Board Action: Schedule quarterly cybersecurity risk reviews that include quantified financial impact scenarios, not just technical status updates. 

2. Use a Prioritized Control Baseline and Track Coverage 

IEC 62443 is the leading international standard series for Industrial Automation and Control Systems (IACS) cybersecurity, designed to reduce the likelihood that cyber events translate into operational disruption, environmental harm, or safety impacts. It provides a risk-based framework spanning governance, secure architecture, and technical requirements—organized around “zones and conduits,” target security levels, and foundational security requirements—to systematically close common industrial attack paths. 

Published as a multi-part series and actively maintained through updates across its component standards, IEC 62443 clarifies roles and accountability across asset owners, system integrators, and product suppliers, enabling measurable assurance from policy through implementation. It also supports alignment with safety and operational risk management by tying cybersecurity controls to consequence-driven risk assessment and segmentation. 

Board Action: Request quarterly reporting on IEC 62443 adoption progress, including (1) completion status of zone/conduit modeling and security level targets, (2) maturity of the cybersecurity management system and supplier governance, and (3) implementation and verification of key technical requirements for critical OT environments, prioritizing high-consequence zones such as control centers and safety-related systems. 

3. Harden Identity, Endpoints, and Vulnerabilities First 

Multi-factor authentication (MFA), privileged access controls, secure configuration, and network segmentation are the "highest-leverage" technical controls in most environments. 

These controls align well with both IEC 62443 and NIST CSF control families and directly address the attack vectors responsible for many of the incidents documented in the study. 

Board Action: Establish clear metrics for MFA adoption (for example, 100% for privileged accounts and 95%+ for all users) and for mean time to patch critical vulnerabilities. 

4. Treat Third-Party and Supply-Chain Exposure as a First-Order Risk 

NIST SP 800-161 Rev. 1 provides detailed guidance for integrating cybersecurity supply chain risk management into enterprise risk practices. 

Notable case from the study: The SolarWinds supply-chain attack demonstrated how vendor compromises can have devastating downstream effects—SolarWinds remained in the dataset as an instructive example of extended market impacts. 

Board Action: Require annual third-party risk assessments for all critical vendors, with contractual security requirements and right-to-audit clauses. 

B. Minimizing the Post-Incident Financial and Valuation Impact

1. Operationalize Incident Response with a Tested Lifecycle 

NIST SP 800-61 Rev. 3 emphasizes: 

  • Preparation: Plans, playbooks, and team training 
  • Detection & Analysis: Rapid triage and scoping 
  • Containment, Eradication & Recovery: Surgical response 
  • Post-Incident Activity: Lessons learned and continuous improvement 

The updated revision aligns with NIST CSF 2.0 functions for a more integrated approach. 

Board Action: Conduct annual tabletop exercises simulating extreme scenarios (ransomware, data breach, supply chain compromise) with C-suite and board participation. 

2. Engineer Recoverability (Especially for Ransomware) 

Given the study's finding that ransomware has 23x the market impact of data breaches, recovery capabilities are critical business resilience investments. 

Align backup and recovery strategy to business targets and resilience patterns (e.g., "3-2-1" rule: 3 copies, 2 different media types, 1 offsite), and test restores regularly. 

Board Action: Request quarterly reporting on backup success rates, restore test results, and time-to-recovery metrics for critical systems. 

3. Be Disclosure-Ready (Public Companies) 

The SEC's 2023 cybersecurity disclosure rule added Form 8-K Item 1.05, requiring disclosure of a material cybersecurity incident within four business days after materiality determination. 

This rule became effective December 18, 2023, and has already generated significant filings in its first years of operation. 

Board Action: Establish a pre-approved materiality assessment framework and disclosure decision tree to enable rapid, compliant reporting without sacrificing accuracy. 

4. Pre-Negotiate the "Response Supply Chain" 

Maintaining pre-vetted panels for breach counsel, digital forensics, crisis communications, and insurance claims support reduces decision latency during high-pressure incident response—critical when the study shows long-term valuation penalties can be substantial. 

Board Action: Review and approve annual retainer agreements with incident response partners, ensuring 24/7 availability and clear escalation paths. 

Where Cyber Risk Quantification Fits and Why It Helps with Both (A) Reducing the Probability of a Successful Cyberattack and (B) Minimizing the Post-Incident Financial and Valuation Impact 

Cyber risk quantification (CRQ) is the bridge between security activity and financial decision-making—transforming technical vulnerabilities into business language that boards and executives can act upon. 

The Academic Foundation for CRQ 

The study explicitly acknowledges the importance of risk quantification frameworks: 

"Notably, the Factor Analysis of Information Risk (FAIR) framework pioneered a model for understanding, analysing, and quantifying both cyber and operational risk in financial terms. Building on FAIR, the Secure Cyber Risk Aggregation and Measurement (SCRAM) methodology extends these concepts, linking problematic cyber risk control areas to those requiring additional investment." 
— Dr. M. Ryan et al. 

How CRQ Supports Risk Reduction (Section A) 

CRQ enables boards to: 

  • Compare investments by expected loss reduction (not just control maturity scores) 
  • Set risk appetite in business terms (e.g., "accept no more than $50M annual aggregate loss exposure") 
  • Prioritize mitigations that demonstrably reduce probable loss exposure—consistent with NIST's emphasis on integrating cyber risk into enterprise risk management (ERM) and governance 

How CRQ Minimizes Post-Incident Impact (Section B) 

CRQ supports critical decisions on: 

  • Insurance limits and retentions sized to modeled loss distributions 
  • Liquidity planning for business interruption scenarios 
  • Readiness investments (incident response capability, backup architecture, response vendor retainers) proportionate to quantified risk 

These capabilities directly address the study's finding that extreme cybersecurity incidents result in an average 14% market valuation loss over two years—far exceeding immediate remediation costs. 

Practical Implementation: DeNexus DeRISK Platform 

Given the study's compelling evidence that cyber risk represents a material, persistent threat to shareholder value, organizations need practical tools to operationalize risk quantification. 

For strategic risk oversight and financial planning: Solutions like DeNexus' Cyber Risk Quantification (CRQ) translate cyber threats into financial impact metrics that boards and executives can integrate into enterprise risk management frameworks. This enables data-driven decisions about insurance limits, reserve planning, and strategic risk appetite—directly addressing the long-term valuation impacts documented in the research. 

Learn More About Cyber Risk Quantification 

Ready to implement the risk quantification strategies recommended by this research? 

DeRISK CRQ | 15-min Demo

DeRISK QVM | 15-min Demo


FAQ: Common Board Questions About Cyber Risk and Market Valuation

Q1: Why does the market impact persist for 2+ years instead of recovering quickly?

A: The researchers found that extreme cyberattacks create sustained damage beyond immediate costs:

  • Reputational damage affects customer acquisition and retention
  • Opportunity costs as management focuses on incident response instead of growth initiatives
  • Elevated operating costs for enhanced security and compliance
  • Risk premia as investors demand higher returns due to demonstrated governance failures

As Dr. Ryan et al. note: "The impact of such cybersecurity incidents extends beyond immediate fiscal losses, encompassing long-term opportunity costs, reputational damage, elevated operating expenses and the diversion of critical resources."

Q2: Our company hasn't been breached. Should we still worry about this research?

A: Yes. The study analyzed only 44 extreme incidents over 15+ years across thousands of public companies—demonstrating that while truly extreme breaches are still relatively rare, when they happen, the consequences are severe and long-lasting.

The key finding for unbreached companies: Investment in prevention and recovery capabilities now is vastly cheaper than dealing with a 14% market value loss later.

Q3: Why is ransomware 23x worse than data breaches from a market perspective?

A: Ransomware combines multiple negative factors:

  • Operational disruption: Complete business stoppage vs. potential data exposure
  • Extortion and public pressure: High-profile ransom negotiations
  • Data theft + encryption: Modern ransomware often includes data exfiltration (double extortion)
  • Governance signal: Demonstrates failure to implement basic security hygiene (backups, patching)

The market appears to interpret ransomware success as a broader governance failure, not just a security incident.

Q4: How should boards discuss cyber risk quantification without getting too technical?

A: Focus on three business-relevant questions:

  1. What is our current expected annual loss from cyber risk? (in dollars, not "high/medium/low")
  2. How does that compare to our risk appetite? (board-approved threshold)
  3. Which investments most cost-effectively reduce that exposure? (ROI in risk reduction)

Frameworks like FAIR and tools like DeNexus DeRISK translate technical vulnerabilities into these financial metrics, enabling board-appropriate governance conversations.

Q5: Is cyber insurance sufficient to protect against the valuation impacts shown in this study?

A: No. Cyber insurance covers direct costs (forensics, notification, legal, regulatory fines), but the study shows that market valuation losses (14% over 2 years) vastly exceed insurable direct costs.

Insurance is one component of a risk transfer strategy, but it cannot protect against:

  • Reputational damage and customer churn
  • Opportunity costs and strategic delays
  • Market risk premium increases
  • Long-term competitive disadvantage

Board implication: Cyber insurance should be sized based on CRQ modeling, but risk mitigation and recovery capabilities remain the primary defense against valuation erosion.

Q6: The study shows market intolerance is increasing. What's driving this trend?

A: Several factors explain why post-2015 incidents face harsher market penalties:

  • Regulatory maturity: SEC disclosure rules, GDPR, and other frameworks increase transparency
  • Attribution clarity: Better threat intelligence makes it easier to assess governance failures
  • Known playbooks: Best practices (MFA, patching, backups) are well-documented; failures signal negligence
  • Systemic risk awareness: Boards and investors increasingly view cyber risk as existential, not just operational

As the researchers conclude: "The trend indicates an escalating intolerance in the market for such breaches, with the impacts of cyber events markedly intensifying since 2015."

Q7: What should our board do first after reading this research?

A: Follow this 90-day action plan:

Immediate (30 days):

  • Schedule a board-level cyber risk briefing focused on financial impact, not technical details
  • Request a quantified cyber risk assessment (expected annual loss in dollars)
  • Review current insurance limits against modeled loss scenarios

Near-term (60 days):

  • Conduct a tabletop exercise simulating an extreme incident
  • Assess backup/recovery capabilities against ransomware scenarios
  • Establish quarterly cyber risk reporting requirements

Medium-term (90 days):

  • Implement risk-based vulnerability prioritization
  • Align cyber budget to quantified risk reduction ROI
  • Establish board-level KPIs for cyber resilience (not just compliance)