Cyberattacks lead to lower shareholder value: Aon

Airlines, hydro companies, and school boards — those are just a few sectors in Canada that faced high-profile cyberattacks in recent weeks. 

Typically, cybersecurity teams are working hard to resolve the nature, cost, and impact of a breach. But companies are also experiencing reputational damage, which in turn shakes shareholder confidence in the company, a new Aon report finds. 

In fact, cyber events causing reputational damage can lower a company’s share value by an average of 27%, the commercial brokerage’s 2025 Cyber Risk Report finds. 

That decline is three times larger than in 2023, when major cyber incidents led to an average 9% decline in shareholder value over the following year, according to previous Aon data. 

Top attack vectors 

Certain cyberattack techniques are much more likely to become reputational risk events than others, Aon finds. 

Malware and ransomware attacks are most likely to trigger reputational damage. They accounted for 60% of all reputation risk events, despite being a defining factor in only 45% of total cyber incidents, Aon’s report says. 

CAIB New Edition 1.0 – a New Standard for Broker Education Image

Insights Paid Content

CAIB New Edition 1.0 – a New Standard for Broker Education

Preparing brokers to navigate an increasingly complex insurance landscape.

By 

Sponsor Image

“For cyber events, as for other types of events, there is most likely to be large-scale media pickup where there are emotive issues at stake, or issues that could be deemed to be in the public interest,” the Aon report reads. “Malware [and] ransomware attacks fall squarely into these categories,” leading to a higher degree of reputational damage.  

Interestingly, though, ransomware payouts declined globally in 2024, even though cyber claims frequency is growing, according to Aon. 

Other types of cyberattacks can evolve into reputational risk events, including: 

• Unauthorized access and credential attacks 

• Human factor/social engineering attacks 

• System exploits 

• Network and system attacks 

In terms of the biggest impact, however, malware and ransomware pale in comparison to network and system attacks, despite being the most likely reputational risk events. 

Network and system attacks were typically the most damaging, causing a 51% decline in shareholder value. At the lowest end, unauthorized access and credentials attacks showed an average drop in shareholder value of 25%. 

“As these results show, there is a fairly weak correlation between the types of attack that are most likely to evolve into a reputation risk event and the types that, once they become a reputational risk event, are likely to have the most severe impact on shareholder value,” the Aon report reads. 

“This is because it is media attention that determines whether an issue breaks through, while the level of shareholder value destruction will typically depend on the magnitude of the direct impact on the customer,” it adds. “Network and system attacks, for example, can often result in a rupture of service, which can severely inconvenience — or even harm — customers.” 

Recovering reputation 

Aon cites five ways for companies to redeem themselves when facing negative public sentiment: 

• Preparedness: Companies should ensure they have access to the analytical insights required to develop a full understanding of reputation risks and take appropriate steps to help prevent and mitigate potential losses. 

• Leadership: When events do occur, strong and visible leadership is essential. 

• Action: Companies must take rapid, targeted, and credible action in response to any event. 

• Communication: Affected companies need to communicate quickly, openly, and honestly about both what has transpired and their response. 

• Change: Following the event, companies will need to demonstrate true remorse and a commitment to meaningful change. 

Alyssa DiSabatino

Alyssa Di Sabatino has been a reporter for Canadian Underwriter since 2021, covering industry trends, market developments, and emerging risks.