SOCRadar® Cyber Intelligence Inc. | The Impact of Cyber Attacks on the Stock Markets
May 03, 2024

The Impact of Cyber Attacks on the Stock Markets

Today, many companies offer their shares to the public, allowing them to be traded on the stock exchange. This provides several advantages for companies, such as meeting their financing needs, increasing their growth potential, enhancing their corporate visibility, and reaching a broad investor base. An IPO is also an important step for a company to diversify its ownership structure and increase its liquidity.

Financial exchanges are undergoing a major transformation in terms of integrating with technology. This transformation includes the shift from traditional physical trading halls to digital platforms. Digitalization has enabled faster access to a wider range of investors while increasing transaction speed. However, this digitalization also brings cybersecurity requirements.

With the advantages of digitalization, transactions are faster, costs are reduced and investors can easily invest in more financial instruments. However, this new digital ecosystem is becoming vulnerable to cyber-attacks. Exchanges must meet some basic cybersecurity requirements to successfully navigate this digitalization process and provide a trusted environment.

In a report published in 2022 by Sustainalytics, a company that rates the sustainability of publicly traded companies, a time series analysis examined the impact of news of 69 high-risk cyber attacks on stock prices. The report explains that stocks fell 2.3% within four days after the attacks, and that this decline reached 4.6% at the end of 60 days. At the end of the post-attack year, the return of the cyber-attacked stocks group was -0.65%, a significant decline from the average return of 8.47% before the event.

The company conducted an analysis focusing on the stock market’s response to major cybersecurity incidents. It collected 69 incidents with a criticality score of 5 out of 10 or higher, placed them at t=0, and traded them at t=-20, that is, 20 days before the event became public. The drop in the first 4 days was -2.3%.

Output of the research on the impact of cyber-attacks on the stock market movement of organizations


The effects of cyber-attacks on markets also vary across countries and markets. In the 2019 “Cogent Economics & Finance” article, cyber-attacks’ impact on the stock market is analyzed for different markets, and some statistical results are obtained.

For British companies, cyber-attacks generally had a negative impact of 0.77% on stock prices immediately after the incident.

For French companies, cyber-attacks caused a decline in stock prices, and average total returns went to a negative value immediately after the incident.

For German companies, the cyber-attacks caused a decline in stock prices, and average total returns went negative immediately after the incident.

The British, French, and German financial markets reacted differently to the news of the cyber-attacks, and these reactions varied depending on the event’s date and the announcements’ content.

Published in 2020 by New York University, “The Impact of Data Breaches on Stock Performance” states that, according to methods used to predict stock prices and stock returns, data breach announcements often have little or no impact on stock prices. However, this is not the case for companies that have suffered major data breaches, such as Equifax and ADP, which are more likely to see negative stock price impacts. These effects are due to a variety of factors, ranging from customer losses to regulatory sanctions.

As mentioned above, not every company that suffers a data breach sees the same impact on its stock market activity. The impact depends on factors such as customer losses, and the sector in which the company operates can also make a big difference. In an article, Comparitech stated that companies suffered high losses in a short period of time after a ransomware attack, but then recovered. However, the situation is different for technology companies, which suffered a larger decline in value than other companies and needed a longer time to recover than other sectors.

Market Capitalization of IT Companies after Ransomware Breach Announcement


Following the announcement of the ransomware breach, market capitalization fluctuated dramatically. The drop in market capitalization and subsequent recovery statistics also vary depending on the impact of the cyber-attack and the cybersecurity measures taken by the company.

Attacks on stock exchanges have the power to affect the economy of a country while also having an impact on individual companies. In February 2023, a ransomware attack, said to use the LockBit methodology and potentially carried out by the LockBit group itself, targeted software vendor ION and threw the UK stock market into turbulent chaos. The ransomware attack targeting ION Trading UK took days to fix and many brokers were unable to execute trades.

Firms’ stocks can be affected by cyber-attacks not only against the firms themselves but also against the exchanges on which they are traded. These attacks are aimed at disrupting the functioning of exchange platforms and manipulating trading systems. In such a situation, chaos and uncertainty in the stock market undermine investor confidence, which in turn leads to declines in stock prices.

In August 2020, a DDoS attack targeted the NZX exchange in New Zealand. As a result of this attack, NZX took its services offline for three days on the exchange, where every second counts. This damaged the company’s reputation and brought other technology-related problems, including trading volume issues and the inability to cover debt securities trades in August. NZX was also subjected to various negative comments, including a report by the FMA, which said it lacked sufficient technology resources and had inadequate IT security, including poor network design and unprotected infrastructure.

Not Just Data Breaches

In addition to data breaches, companies’ share values are also affected by some manipulative strategies. Manipulative trading strategies are methods used by individuals or organizations to influence or control prices in financial markets in misleading ways. Such strategies often seek to profit by providing misleading information to investors or by influencing the market with deceptive trades.

Pump and Dump: This strategy is usually used for stocks with low liquidity or low market capitalization. Fraudsters buy stocks at a cheap price and then start spreading misleading information to the public that these stocks promise a large potential gain. They encourage the public to buy these stocks, which inflates the price of the stocks. Then, the fraudsters make a profit by selling the stocks at a high price and the value of the stocks falls.

A Targeted Pump and Dump Scam in Telegram Group


Spoofing and Layering: Spoofing involves misleading market participants by placing and withdrawing fake orders. Layering, on the other hand, involves overlaying fake orders with real orders to create market depth or mislead investors. Such manipulative strategies are mostly practiced through public Telegram, Twitter, and Instagram accounts. This is considered illegal by financial regulators and should be strictly regulated.

SOCRadar monitors your company’s keywords on surface platforms such as Twitter, where such commercial manipulations can be shared, and on platforms such as Telegram and ICQ, where threat actors talk and plan among themselves. These can be your brand name, slogan, or a specific nickname for your brand name.

Sources monitored in SOCRadar Digital Risk Protection Module


In the event that any incident that may pose a threat to your company is mentioned (attack plans, data breaches, security vulnerabilities detected, etc.), SOCRadar detects these posts and ensures that you are notified.

An example of social media findings sent to a company by SOCRadar


To be aware of situations related to your company circulating on social media platforms: Brand Protection

Goals and Motivations

Financial gain is one of the main motivations behind many cyberattacks. Attackers aim to profit by manipulating the prices of stocks or other assets through stock market attacks. Small firms that are likely to underinvest in data security are more likely to be targeted by hackers and fraudulent behavior.

Attacks on stock markets can also be linked to political objectives. Attackers may carry out attacks to create economic instability or weaken a particular government.

Revenge can be a personal motivation. Attackers may attack stock exchanges to recoup previous financial losses or to harm competitors.

Attackers may organize stock market attacks to threaten or blackmail financial institutions or investors. This can often involve demanding a ransom.

Examples from Around the World

SolarWinds Shares Down 23% After Cyber Attack


A technology company called SolarWinds has suffered a major cyber attack against its customers serving the US government. Attackers used SolarWinds’ update software to infiltrate the email systems of the US Commerce and Treasury departments, and then infected key federal agencies. This incident damaged SolarWinds’ reputation and caused a huge drop in its shares. According to statistics, the company’s shares fell by 23%.

Share activity of SolarWinds shares after the hacking incident in December 2020


Dun & Bradstreet Shares Down 15.17% After Data Auction

In 2017, a 52 GB database of Dun & Bradstreet containing detailed information on 33.6 million people was leaked. After this data breach, the company lost 15.27% of its value.

Comparison of the predicted flow of Dun & Bradstreet's shares and the actual flow after the data breach


How Can SOCRadar Help You?

Credentials & Data Leak Detection

Considering the potential attacks on companies in the stock exchange industry, access to sensitive employee data is very attractive to attackers. Attackers use attacks such as identity theft, financial fraud and CEO fraud to obtain this information. Cybercriminals can obtain employees’ personal information or credentials and use it for financial fraud or identity theft. They can also increase their level of access by infecting the organization’s network with malware once they gain access to sensitive data, and if left unaddressed, the attacker can gain full authority in the company.

Leaked employee data detected by SOCRadar’s Fraud Protection module


This module protects organizations against data leaks by detecting threats of sensitive data being leaked early. SOCRadar monitors threats such as leaking or selling employee credentials and notifies the organization of these threats. This enables the organization to intervene early and helps it take preventive measures such as awareness training.

Dark & Deep Web Monitoring

SOCRadar’s Dark & Deep Web Monitoring module offers organizations the ability to proactively monitor malicious activity on the surface, deep and dark web. This module enhances threat hunting capabilities, helping to more effectively detect threats originating from hidden platforms. It also monitors different categories of malicious activity, which protects against threats ranging from botnets to malware and data leaks. The module offers a rapid response when threats are detected, so organizations can be ready for potential attacks.

SOCRadar detects stealer logs put up for sale on the black market


SOCRadar’s Dark & Deep Web Monitoring module enables exchange companies to monitor malicious activity taking place on hidden platforms such as the dark web. For example, it tracks malicious activities such as the sale of botnets or the sharing of sensitive information. The module provides cyber threat intelligence and warns organizations early against potential dangers. Thanks to this module, exchange companies can recognize threats at the initial stage of cyberattacks and respond quickly.

When an attack plan is detected on the dark web, a rapid information transfer is provided to the target organizations.

Notifying the company of a planned DDoS attack in one of the telegram groups monitored by SOCRadar


Phishing Domain Detection

SOCRadar’s Phishing Domain Detection feature provides companies with effective protection against phishing attacks. This module detects fake and similar-looking domains by analyzing domain names registered worldwide. The module also protects the security of customers and the brand, detects potential fraud attempts and provides rapid response. SOCRadar’s Phishing Domain Detection feature helps companies protect their digital assets and customer security while providing a better pre-defense against phishing attacks.

The module is effective in the early detection of fake domains and phishing websites. When a phishing campaign targeting sensitive information belonging to a company’s employees and customers begins, this module quickly detects the threat. This allows the company to respond quickly to the attack.

SOCRadar Brand Protection’s Phishing Radar feature allows us to see the phishing attacks detected all over the world by country by year

SOCRadar Brand Protection’s Domain Protection feature allows us to see the phishing attacks detected all over the world by country by year