What should directors prioritise when deciding how much to invest in cyber?

New research from a trio of Australian universities provides an evidence base that boards have been missing. Ryan et al.'s 2025 study in the Australian Journal of Management analysed 44 extreme cyber incidents over 21 years, and the findings are stark.

Companies that suffered a major cyber incident underperformed their market benchmarks by 7% at one year and 12% at two years. More concerning, the market's punishment is escalating: incidents occurring after 2020 showed average underperformance of 34%.

The iceberg beneath the incident costs

Direct incident costs, typically in the range of $10-20 million, are just the visible portion. For a $5 billion company, the average market capitalisation destruction sits between $350 million and $700 million. This gap between direct costs and total value destruction is where most board-level cyber investment discussions fall short.

Three findings from the research should reshape how directors think about cyber risk:

First, organisational recovery takes 24 months or longer, not the 12-18 months most boards plan for. Incident response plans that assume a return to normal within 18 months are underestimating the sustained drag on performance, reputation and stakeholder confidence.

Second, not all incidents are equal. Ransomware creates 23 times more market damage than data breaches. This distinction matters for risk appetite discussions and for how boards prioritise investment across prevention, detection and response capabilities.

Third, markets are becoming less tolerant, not more. Despite cyber incidents becoming more common, investors are punishing affected companies more severely with each passing year. The normalisation that some boards may have hoped for is not occurring.

The investment calculus needs to change

When a cyber incident can destroy 7-14% of your market value, prevention and response capabilities are not IT expenses. They are shareholder value protection. The February 2026 FIIG Securities penalty, where the Federal Court imposed a $2.5 million fine for cyber security failures under general AFS licensee obligations, reinforces this trajectory. Regulators and markets are aligned: the cost of inadequate cyber governance is rising on every front.

There is some good news

The research identified a small cohort of companies that performed so well in their incident response that they exceeded their previous market expectations in the long term. Effective response management can create competitive advantage. This is a powerful finding for directors: investing in response capability is not just about limiting downside, it is about positioning the organisation to emerge stronger.

Beyond listed companies

While the research focuses on publicly traded corporations, the findings apply directly to unlisted organisations. For SMEs, the 7-14% value destruction translates into enterprise value impacts on credit access, customer retention and sale valuations. A $50 million company faces approximately $6 million in destroyed value, far exceeding the direct costs of the incident itself.

For not-for-profits, the same mechanisms manifest through donor confidence erosion, funding withdrawal and beneficiary trust damage. The study's 24-month recovery timeline is particularly critical for organisations without deep financial reserves. And the finding that stakeholder intolerance is escalating applies equally to customers, donors and regulators regardless of listing status.

This research is a practical tool for CISOs, CEOs and directors seeking to put data-driven rigour behind cyber investment decisions.

The full study, "The impact of extreme cyberattacks on market valuations: An in-depth economic analysis" by Ryan, Withers and den Hartog, is published in the Australian Journal of Management (2025).