Why we impair for cyber risk

April 30, 2025

Have you watched what has happened to the M&S share price?

As Spain and Portugal reboot their power grids (does anyone know the full reason why there was such a dramatic outage?), here at Athla we are now working out how to address that type of issue in our adjustments to valuations (greater impairment of course for an internet-dependent company, but surely also airports, transport, etc.!).

However what is more interesting is the evidence that has emerged about how a cyber-attack can damage the value of a business.

Since the announcement on 22 April that M&S had suffered a cyber-attack bringing down its online sales capability and now with empty shelves in some stores, the share price is down 6.14%, following a recovery from a low of -9.6% on 28 April. Surely we can now use this as a precedent for the amount by which we can impair a private company for cyber risk if it does not have the systems in place to mitigate an attack quickly.

But is this right? I am not so sure. M&S is a £7.9bn company; it can throw money and resources at solving a problem like this and if it cannot solve the problem quickly, what hope is there for a small private retailer or indeed any other small company? Pre Covid-19 I remember attending a dinner (who was hosting or even speaking I remember not) but I do remember hearing a cyber expert speak on the subject of what the cost of a cyber attack could be.

I recollect that he said that suffering a cyber attack may well be indicative of generally very weak management controls. Swathes of businesses not actually brought down by an attack do not fail immediately, but there is a very high correlation with failure within a year or so of it taking place.

I need the team to dig around the research banks to find more evidence to prove these anecdotal comments, but for the purpose of this email, I hope you will understand what I am getting at.

For the sake of cyber insurance (did you know that if a company has Cyber Essentials, cyber insurance comes for free?) you can somewhat mitigate the costs of an actual attack, but it will not help mitigate a company that at its core is poorly controlled/governed. At least it is something.

It surprises me how many companies are not really on top of this issue.  Typically, where the company is operating in a low-risk environment from the perspective of cyber attackers, we may impair for the cost of a couple of years of cyber insurance.  Where the risks are higher we take it much more seriously.

This is an apposite example of why you cannot perform a valuation of a company or a share class or even a share using just the P&L, balance sheet or even the cash flows.  Where does the quantum of cyber risk sit in any of those statements?

When I look at the M&S share price over 20 years, the hit to the share price from the cyber attack appears to be a mere blip.  But it still knocked £700m off the company’s market cap.

As you know context is everything.  You need to look at value today in relation to the past as well as the future. Significant events which impacted on or even set a price need to be drawn out and discussed. They are either relevant to today’s valuation or they are not and each case will be unique.

We keep a book of information on key pieces of data, case law and more so each of our analysts can work to the same levels of quality and apply a consistent approach. This is essential to underpin a valuation report. It does not distract from the critical layer which is treating each case as unique and applying the right analysis to the facts each time. As you can guess we are busy updating our evidence on cyber risk!

Whether your client is small or large, operating mainly in the real world only or is doing something on the information superhighway, we will treat a valuation with exactly the same levels of attention and respect. Being highly responsive matters, but so does speed. That is why we keep our book up to date!

By the way, we have also been doing some useful analysis of quotes for work versus the real cost.  Interestingly, the vast majority of final invoices we raise come in at or below our quotes.  It’s always pleasing to make a client happy by sending an invoice for 10-20% less than they had budgeted for!
