Study Scope: 44 extreme cybersecurity incidents affecting publicly traded companies (2000-2021)
Critical Findings:
Bottom Line for Boards: The financial damage from extreme cyberattacks extends far beyond immediate response costs and persists for years, making cybersecurity a critical board-level strategic risk requiring quantified governance.
A recent academic study—The impact of extreme cyberattacks on market valuations: An in-depth economic analysis—examines a question most directors and investors care about but rarely see answered rigorously: how much shareholder value is impaired after a truly severe cyber incident, and for how long?
The research, conducted by Dr. M. Ryan, G. Withers, and F. den Hartog, and published in the Australian Journal of Management in 2025, provides compelling evidence that challenges the conventional wisdom that markets quickly "price in" and move past cybersecurity breaches.
Below is an executive walkthrough of the paper's purpose, dataset, key findings, and the practical actions boards and investors can take to both reduce the likelihood of attack and limit the post-incident valuation hit.
The paper's goal is straightforward and important: estimate the medium- to long-term impact of "extreme" cybersecurity events on publicly traded companies' market valuations, addressing a gap in prior work that tends to focus on short-term market reactions.
A core theme is that immediate remediation and compensation costs are only the visible portion of the loss. The researchers focus on whether markets price in broader, longer-lived consequences—reputational drag, growth disruption, elevated operating costs, and risk premia.
Study scope: Extreme cyber events affecting listed firms from 2000 to 2021.
Observed disclosure years: The disclosed incidents in the published event list run from 2006 through 2020.
Performance window per incident: The methodology evaluates market performance over approximately one year pre-event and up to two years post-event.
Who Is in the Sample (and What "Extreme" Means Here)
The study focuses on "extreme" cybersecurity incidents—events exceeding severity thresholds such as:
Events are identified from public reporting and validated against primary materials (e.g., releases, annual reports, filings) by triangulating the sources. The authors note the sample is predominantly US-based, followed by Europe and Australia.
Sample size: 44 incident observations involving 42 distinct public companies.
Sample Breakdown by Geography and Sector
Headquarters (by country):
Primary Sectors:
The Headline Findings: The Market Impact Persists—and Is Material
The Long Road to Recovery: Timeline of Market Value Erosion
1) The Value Hit Is Not Just Immediate; It Lingers
The study reports statistically significant, durable underperformance after extreme cyber events, challenging the "markets digest it quickly" narrative.
2) The Magnitude Is Large Enough to Matter to Any Board or Long-Only Investor
Key reported results include:
3) The Market Has Become Less Forgiving Over Time
The authors report that the market response has worsened since 2010 and intensified further after 2015, rather than fading as cyber incidents became more common.
Temporal analysis shows:
4) Not All Cyber Events Are Priced the Same
Attack type matters materially in their results. The paper reports:
What Boards and Investors Should Do Next
1. Make Cyber Risk Governance Explicit at Board Level
Cybersecurity frameworks like NIST Cybersecurity Framework 2.0 elevate governance with a dedicated "Govern" function tied to risk strategy, expectations, and policy monitoring.
This new function, introduced in February 2024, "establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy," according to NIST's official guidance.
Board Action: Schedule quarterly cybersecurity risk reviews that include quantified financial impact scenarios, not just technical status updates.
2. Use a Prioritized Control Baseline and Track Coverage
IEC 62443 is the leading international standard series for Industrial Automation and Control Systems (IACS) cybersecurity, designed to reduce the likelihood that cyber events translate into operational disruption, environmental harm, or safety impacts. It provides a risk-based framework spanning governance, secure architecture, and technical requirements—organized around “zones and conduits,” target security levels, and foundational security requirements—to systematically close common industrial attack paths.
Published as a multi-part series and actively maintained through updates across its component standards, IEC 62443 clarifies roles and accountability across asset owners, system integrators, and product suppliers, enabling measurable assurance from policy through implementation. It also supports alignment with safety and operational risk management by tying cybersecurity controls to consequence-driven risk assessment and segmentation.
Board Action: Request quarterly reporting on IEC 62443 adoption progress, including (1) completion status of zone/conduit modeling and security level targets, (2) maturity of the cybersecurity management system and supplier governance, and (3) implementation and verification of key technical requirements for critical OT environments, prioritizing high-consequence zones such as control centers and safety-related systems.
3. Harden Identity, Endpoints, and Vulnerabilities First
Multi-factor authentication (MFA), privileged access controls, secure configuration, and network segmentation are the "highest-leverage" technical controls in most environments.
These controls align well with both IEC 62443 and NIST CSF control families and directly address the attack vectors responsible for many of the incidents documented in the study.
Board Action: Establish clear metrics for MFA adoption (for example, targets of 100% for privileged accounts and 95%+ for all users) and for mean time to patch critical vulnerabilities.
4. Treat Third-Party and Supply-Chain Exposure as a First-Order Risk
NIST SP 800-161 Rev. 1 provides detailed guidance for integrating cybersecurity supply chain risk management into enterprise risk practices.
Notable case from the study: The SolarWinds supply-chain attack demonstrated how vendor compromises can have devastating downstream effects—SolarWinds remained in the dataset as an instructive example of extended market impacts.
Board Action: Require annual third-party risk assessments for all critical vendors, with contractual security requirements and right-to-audit clauses.
1. Operationalize Incident Response with a Tested Lifecycle
NIST SP 800-61 Rev. 3 emphasizes:
The updated revision aligns with NIST CSF 2.0 functions for a more integrated approach.
Board Action: Conduct annual tabletop exercises simulating extreme scenarios (ransomware, data breach, supply chain compromise) with C-suite and board participation.
2. Engineer Recoverability (Especially for Ransomware)
Given the study's finding that ransomware has 23x the market impact of data breaches, recovery capabilities are critical business resilience investments.
Align backup and recovery strategy to business targets and resilience patterns (e.g., "3-2-1" rule: 3 copies, 2 different media types, 1 offsite), and test restores regularly.
Board Action: Request quarterly reporting on backup success rates, restore test results, and time-to-recovery metrics for critical systems.
3. Be Disclosure-Ready (Public Companies)
The SEC's 2023 cybersecurity disclosure rule added Form 8-K Item 1.05, requiring disclosure of a material cybersecurity incident within four business days after materiality determination.
This rule became effective December 18, 2023, and has already generated significant filings in its first years of operation.
Board Action: Establish a pre-approved materiality assessment framework and disclosure decision tree to enable rapid, compliant reporting without sacrificing accuracy.
4. Pre-Negotiate the "Response Supply Chain"
Maintaining pre-vetted panels for breach counsel, digital forensics, crisis communications, and insurance claims support reduces decision latency during high-pressure incident response—critical when the study shows long-term valuation penalties can be substantial.
Board Action: Review and approve annual retainer agreements with incident response partners, ensuring 24/7 availability and clear escalation paths.
Cyber risk quantification (CRQ) is the bridge between security activity and financial decision-making—transforming technical vulnerabilities into business language that boards and executives can act upon.
The Academic Foundation for CRQ
The study explicitly acknowledges the importance of risk quantification frameworks:
"Notably, the Factor Analysis of Information Risk (FAIR) framework pioneered a model for understanding, analysing, and quantifying both cyber and operational risk in financial terms. Building on FAIR, the Secure Cyber Risk Aggregation and Measurement (SCRAM) methodology extends these concepts, linking problematic cyber risk control areas to those requiring additional investment."
— Dr. M. Ryan et al.
How CRQ Supports Risk Reduction (Section A)
CRQ enables boards to:
How CRQ Minimizes Post-Incident Impact (Section B)
CRQ supports critical decisions on:
These capabilities directly address the study's finding that extreme cybersecurity incidents result in an average 14% market valuation loss over two years—far exceeding immediate remediation costs.
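To make the CRQ idea concrete, the following is an added worked example written for this summary; it is not code from the paper, from FAIR, or from DeNexus. It uses the FAIR taxonomy's two top-level inputs, Loss Event Frequency (events per year) and Loss Magnitude (loss per event), and runs a Monte Carlo simulation to turn them into the figures a board can act on: annualized loss expectancy, the probability that annual loss exceeds a chosen threshold, and tail percentiles. The lognormal fit from a 90% confidence interval, the Poisson frequency model, and all dollar figures and frequencies are assumptions chosen for illustration, not values from the study.

```python
"""FAIR-style cyber risk quantification via Monte Carlo simulation (illustrative)."""
import math
import random
from dataclasses import dataclass

Z90 = 1.6449  # z-score bounding a two-sided 90% confidence interval


@dataclass(frozen=True)
class Scenario:
    """One loss scenario described in FAIR terms (all figures are assumptions)."""
    name: str
    loss_event_frequency: float  # expected loss events per year (LEF)
    magnitude_low: float         # 90% CI lower bound on loss per event
    magnitude_high: float        # 90% CI upper bound on loss per event

    def lognormal_params(self):
        # Fit a lognormal whose central 90% interval is [low, high]:
        # the median is the geometric midpoint, sigma comes from the ratio.
        mu = math.log(math.sqrt(self.magnitude_low * self.magnitude_high))
        sigma = math.log(self.magnitude_high / self.magnitude_low) / (2 * Z90)
        return mu, sigma


def poisson(rng, lam):
    """Sample a Poisson(lam) count (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, trials=20_000, seed=7):
    """Return one simulated total loss per year, across all scenarios."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    params = [(s, *s.lognormal_params()) for s in scenarios]
    annual = []
    for _ in range(trials):
        total = 0.0
        for s, mu, sigma in params:
            # Number of loss events this year, then a magnitude for each.
            for _ in range(poisson(rng, s.loss_event_frequency)):
                total += rng.lognormvariate(mu, sigma)
        annual.append(total)
    return annual


def annualized_loss_expectancy(losses):
    """Mean annual loss: the single number most often quoted to boards."""
    return sum(losses) / len(losses)


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold), i.e. one point on a loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def percentile(losses, q):
    """Empirical q-quantile (0 <= q <= 1) of the simulated annual losses."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


# Constructed scenarios for illustration; frequencies and ranges are assumed,
# not taken from the study.
SCENARIOS = [
    Scenario("ransomware", 0.1, 2_000_000, 40_000_000),
    Scenario("data breach", 0.2, 500_000, 8_000_000),
]


def board_summary(scenarios=SCENARIOS, trials=20_000, seed=7):
    """Condense the simulation into the metrics a risk committee would review."""
    losses = simulate_annual_losses(scenarios, trials, seed)
    return {
        "ale": annualized_loss_expectancy(losses),
        "p_any_loss": exceedance_probability(losses, 0.0),
        "p_loss_over_10m": exceedance_probability(losses, 10_000_000),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
    }


if __name__ == "__main__":
    for key, value in board_summary().items():
        print(f"{key:>16}: {value:,.2f}")
```

The useful output is the whole distribution rather than the mean alone: the annualized loss expectancy supports budget comparisons (a control that costs less than the ALE reduction it buys pays for itself), while the exceedance probabilities and the 95th/99th percentiles are what size an insurance limit or a loss reserve. Replacing the constructed scenarios with calibrated estimates from the organisation's own incident history and control coverage is the step that turns this skeleton into a real CRQ model.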
Practical Implementation: DeNexus DeRISK Platform
Given the study's compelling evidence that cyber risk represents a material, persistent threat to shareholder value, organizations need practical tools to operationalize risk quantification.
For strategic risk oversight and financial planning: Solutions like DeNexus' Cyber Risk Quantification (CRQ) translate cyber threats into financial impact metrics that boards and executives can integrate into enterprise risk management frameworks. This enables data-driven decisions about insurance limits, reserve planning, and strategic risk appetite—directly addressing the long-term valuation impacts documented in the research.
Learn More About Cyber Risk Quantification
Ready to implement the risk quantification strategies recommended by this research?
A: The researchers found that extreme cyberattacks create sustained damage beyond immediate costs:
As Dr. Ryan et al. note: "The impact of such cybersecurity incidents extends beyond immediate fiscal losses, encompassing long-term opportunity costs, reputational damage, elevated operating expenses and the diversion of critical resources."
A: Yes. The study analyzed only 44 extreme incidents over 15+ years across thousands of public companies—demonstrating that while truly extreme breaches are still relatively rare, when they happen, the consequences are severe and long-lasting.
The key finding for unbreached companies: Investment in prevention and recovery capabilities now is vastly cheaper than dealing with a 14% market value loss later.
A: Ransomware combines multiple negative factors:
The market appears to interpret ransomware success as a broader governance failure, not just a security incident.
A: Focus on three business-relevant questions:
Frameworks like FAIR and tools like DeNexus DeRISK translate technical vulnerabilities into these financial metrics, enabling board-appropriate governance conversations.
A: No. Cyber insurance covers direct costs (forensics, notification, legal, regulatory fines), but the study shows that market valuation losses (14% over 2 years) vastly exceed insurable direct costs.
Insurance is one component of a risk transfer strategy, but it cannot protect against:
Board implication: Cyber insurance should be sized based on CRQ modeling, but risk mitigation and recovery capabilities remain the primary defense against valuation erosion.
A: Several factors explain why post-2015 incidents face harsher market penalties:
As the researchers conclude: "The trend indicates an escalating intolerance in the market for such breaches, with the impacts of cyber events markedly intensifying since 2015."
A: Follow this 90-day action plan:
Immediate (30 days):
Near-term (60 days):
Medium-term (90 days):