A study looks
at just how badly the news of a data breach impacts the company’s share price,
revealing some surprising findings
When a data
breach hits, the compromised company will scramble to minimize the after-effects of the incident. This includes overhauling
security systems, notifying customers, and limiting damage not only to its bottom line, but also to some less tangible assets, notably
brand reputation and consumer trust.
In many
cases, the ripple effects of the security calamity may go as far as the
company’s stock value. Indeed, you might be inclined to think that the share
price inevitably takes a hit once the news breaks, but is that really the case?
Apparently, the answer is ‘yes’, although the picture is blurrier than you might
expect.
A recent
study, conducted by technology site Comparitech, offers insight into precisely this – somewhat
less-explored – area of post-breach consequences. The analysis draws on a
sample of 28 big-name enterprises that are listed on the New York Stock
Exchange (NYSE) and between them have suffered a total of 33 breaches since
2007, each of which exposed at least 1 million data records.
One notable
finding is that the companies’ share prices tended to hit a low point around 14
market days, i.e. almost three weeks, after the incident was disclosed. Their
stock value dropped by 7.27% on average, underperforming the overall NASDAQ
market by -4.18%.
Interestingly
enough, the share prices started to bounce back soon – so much so that six
months after the breach the enterprises’ shares actually performed better
(growth of 7.4%) than before the incident (4.1%). In a similar vein, the
analysis found that “the companies underperformed the NASDAQ by -1.65% leading
up to the breach, but managed to outperform it by 0.48% six months after”.
Before long,
however, the stocks began to lose that surprising momentum. At the one-year
mark, they failed to keep up with the overall NASDAQ market, growing ‘only’
8.38% on average and underperforming NASDAQ by -6.49%. Similarly, the stock
continued to rise two and three years after the incident, but not enough to
keep pace with the overall market. On the other hand, the impact of a breach
does appear to dwindle over time.
Obviously not
all breaches are alike in terms of their effect on stock value. The
consequences of incidents that compromise highly sensitive data, notably credit
card and social security numbers, linger longer and inflict greater damage on
share prices. Also, breaches weigh most heavily on finance and payment firms,
whereas healthcare companies are more immune to such ‘side-effects’.
That being
said, Comparitech acknowledges the limitations of its study. They include the
small sample size as well as market forces that, too, may have affected the
stock prices but couldn’t be accounted for, especially further away in time
from the breach.