Breached Companies Underperform In the Stock Market
Evidence gathered by a 2018 study conducted by Comparitech suggests that companies that suffer data breaches are likely to underperform on the stock market. Comparitech yielded its conclusions by conducting a multi-year analysis of the stock price developments of 24 companies listed on the New York Stock Exchange (NYSE) that experienced breaches. Each of the companies -- which included Apple (AAPL), Sony (SNE), JP Morgan Chase (JPM), and Yahoo (VZA) -- had their respective share prices analyzed over a six month period following the public disclosure of the breaches. Key findings of the study concluded:
- In the longer term (noted in the study as 6 months to 3 years), breached companies underperformed in the market.
- It’s important to note the impact of data breaches likely diminishes over time
- Share prices of breached companies hit a low point roughly 14 market days following a breach with share prices falling -2.89% on average, and underperform the NASDAQ by -4.6%.
- After about a month, share prices rebound and catch up to NASDAQ performance on average.
- Breaches that result in highly sensitive information like credit card and social security numbers see larger drops in share price performance on average than companies that leak less sensitive information.
While the study indicates that share prices, at least to some degree, eventually rebound in the post-breach phase, in the longer term, the growth in share prices doesn’t keep up with the NASDAQ. In short, findings indicate that breaches have an overall negative effect on the share price in the long-term.
Recent studies from ComputerWeekly.com, Bank Info Security, and Ponemon Institute, albeit with a degree of variation, are in agreement that cyber breaches can have a negative impact on stock value in the long-term. However, where these respective studies are most aligned in their conclusions is in the consensus of the rapid short-term decline in stock value following a breach. Take, for example, the Ponemon study, which sampled the largest sample size of breached companies (113, to be exact). The study concluded that companies experienced an average stock price decline of 5% immediately following the disclosure of their breach, a figure comparable to the other studies.
Explaining the short-term decline is simple enough. Organizations that discover a breach have to comply with breach notification laws and notify the businesses of many stakeholders. In the disclosure process the company’s reputation is tarnished, staff gets fired, and there is an often a post-breach shake-up of the corporate and security governance structures that guided the now breached system. Consumers, stakeholders, and the public lose confidence in the company and the accountability of the incident falls on, you guessed it, the board and c-suite of the organization. Once the breach occurs, it can be a stressful time to return to operational continuity. As put by Amy Pascal, Sony Pictures Entertainment’s pre-breach CEO, “there was this horrible moment where I realized there was absolutely nothing at all that I could do.”
A Divergence in Statistics, and Opinion
Where we see far less continuity and clarity in these studies, however, is how they derive their conclusions regarding the long-term share price and stock performance of organizations that experience a breach. Of the four, Comparitech’s study is the only one that, arguably, plausibly explains how companies that suffer a data breaches are likely to underperform on the stock market by way of comparing their long-term share price to underperformance in NASDAQ, which, readers can draw their own conclusions their own conclusions on as an adequate metric.
All of the studies, however, are both clear and correct to point out that the long-term implications of a breach are contingent on a variety of complex variables to include the organization’s security posture, response efforts, resources allocated to information security, the level of sensitivity of the data breached, and quantity of documents exposed. How these variables factor into analyses conducted by these studies matters. A Harvard Business Review study provides countervailing evidence and suggests “...even the most significant recent breaches had very little impact on the company’s stock price. Industry analysts have inferred that shareholders are numb to news of data breaches. A widely-accepted notion goes that there are only two types of companies: those that have been breached and those that don’t know they have.”
How CyberVista Can Help
The takeaway here is that the jury is split on any definitive long-term impacts of a cyber breach on long-term stock performance. But what isn’t up for debate are the immediate organizational, financial, and public relations nightmares that ensue after a breach. At the end of the day, accountability rests with the board of directors and c-suites of an organization, and while stock values might rebound, individual reputations and the resumes of those accountable during a catastrophic data breach, may not.
One of our main themes at CyberVista is that the tone for taking cybersecurity seriously starts at the top. Our suite of executive-level classes are here to help you do just that. CyberVista’s in-person or digital board and executive cybersecurity training will help take your understanding of cyber risk to the next level. By increasing your cyber literacy, this program will help contextualize and give actionable advice to addressing your organization’s cyber risk. We also offer awareness training for executives to enable senior leaders to understand how and why they are prime targets for cyber threat actors and provide numerous best practices executives can use to keep their data and access to company data safe. Give us a call and learn how you can be proactive about ensuring that your board and executives are prepared to address the cyber risk on the enterprise level.