Bullish on Breaches
Posted April 14, 2015
Why Don’t Data Breaches Drive Down Stock Prices?
Maybe we should begin with a disclaimer. Okay, if you didn’t already know it (and chances are you did), the stock market is about as logical as a game of Russian roulette with an automatic pistol. (Too violent?) How about a game of badminton with a bowling ball? The point is, while the market makes some people dollars, it doesn’t always make a whole lot of sense. A recent example is the sharp drop in the price of a barrel of oil. Stock market analysts said it would be good for the economy because what people were saving on energy would be spent on goods and services, causing a sharp upturn. Market analysts said it would be bad for the economy because oil from shale would be priced out of the market and jobs lost in the energy sector would send the economy into a downturn.
Writing on hbr.org, Elena Kvochko and Rajiv Pant attempt to bring logic to bear as to why data breaches — even major ones that have cost organizations big bucks and cost senior executives (including at least one CEO) their jobs — seem to have no effect on how the stock market values the organization.
The following has been excerpted from Kvochko and Pant’s piece and edited to fit our format. You may find the full article by clicking on this link. After the Kvochko and Pant article, Alisdair Faulkner, chief products officer at ThreatMetrix®, explains why the stock market may not give breached organizations a free pass in the future.
[Even] the most significant recent breaches had very little impact on [a] company’s stock price. Industry analysts have inferred that shareholders are numb to news of data breaches.
It may not be today or tomorrow, but someday…
A widely accepted notion goes that there are only two types of companies: those that have been breached and those that don’t know they have. It is true that breaches are expected and have become a regular cost of doing business, but there are deeper reasons for the market’s failure to respond to these incidents.
Not enough info for an informed decision
Today, shareholders have neither enough information about security incidents nor sufficient tools to measure their impact… The long and mid-term effects of lost intellectual property, disclosure of sensitive data, and loss of customer confidence may result in loss of market share, but these effects are difficult to quantify. Therefore, shareholders only react to breach news when it has direct impact on business operations, such as litigation charges (for example, in the case of Target) or results in immediate changes to a company’s expected profitability.
Delays in disclosing information security incidents often contribute to shareholders’ hesitation and uncertainty with regard to how to factor in the effects of the breaches.
Taking stock of stock prices
Overall, stock prices during and following the high profile security data breaches in the past several years have decreased slightly or quickly recovered following the breach.
Some famous breaches and their effect on stock prices
Home Depot’s hack compromised 65 million customer credit and debit card accounts. Breach-related costs are estimated to be around $62 million. The company’s stock price decreased slightly one week after the announcement. In the third quarter of 2014, Home Depot showed a 21% increase in earnings per share.
Target was the object of the then biggest cyber attack on a retailer. Credit and debit card data of 40 million customers and personal information of about 70 million were said to be affected by the breach. The stock experienced a 10% drop in price in the aftermath of the security breach, but by the end of February, Target had experienced the highest percentage stock price regain in five years.
Three years after the 2011 hack that compromised payment data of millions of Sony gaming users, Sony had to deal with a massive data breach targeting its pictures industry. The personal data of producers, actors, and current and former employees dating back to 2000 was compromised. Attackers have collected over a Terabyte of data and records of 47,000 employees. The stock price kept growing following the announcement, [then] decreased slightly three weeks after the breach. By now, it has long surpassed its one-year maximum.
In the beginning of October 2014, the largest U.S. bank in assets, JP Morgan Chase, announced that in August, hackers had accessed its security system and that approximately seven million small businesses and 76 million households had been affected by a data breach. The company unveiled that data that was compromised included contact information such as names, addresses, telephone numbers, and email addresses, but account numbers, passwords, dates of birth, and social security numbers were protected…. Stock prices for JP Morgan Chase were stable following the announcement and then rose by the beginning of November.
Almost impossible for shareholders to assess the impact of breaches
This mismatch between the stock price and the medium and long-term impact on companies’ profitability should be addressed through better data. Shareholders still don’t have good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value. In most cases, at the time a security breach is disclosed, it is almost impossible for shareholders to assess its full implications. Shareholders should look beyond short-term effects and examine the impact on other factors, such as overall security plans, profitability, cash flow, cost of capital, legal fees associated with the breach, and potential changes in management.
Companies should improve protection
Now that major security breaches have become an inevitability in doing business, companies should put strong data security systems in place, just as they protect against other types of business and operational risks.
Alisdair Faulkner on changes in accountability and notifications that have kept stockholders “in the dark” about the effects of breaches
In a news release titled ThreatMetrix Shares Strategies for Businesses to Protect Privacy, Safeguard Data and Build Trust on the Internet in Alignment with Data Privacy Day, Faulkner notes, “Any company that uses some form of online user authentication is now going to be held accountable for at least a minimal level of protecting customer privacy. The proposed Privacy Bill of Rights requires customers be notified by businesses about a data breach within 30 days, but cybercriminals can take data in the blink of an eye. Thirty days gives cybercriminals an eternity to monetize that information. Ideally, businesses need to be able to measure unauthorized access in real time, address the problem and notify customers immediately.”