Hack it – drop it! How stock prices are related to data breaches
It takes less time to commit a data security breach than it does to make a cup of coffee.
In fact, 93% of successful data breaches happen in less than one minute. Despite this, 80% of businesses take weeks to realize they've been hacked.
Cyber breaches impact a company's bottom line. There are material costs, such as replacing equipment that has been tampered with. There are personnel costs, such as overtime for security personnel working on resolutions.
There are time costs, such as lost productivity and resources deferred until the issue is resolved. Beyond all of these financial liabilities, a cyber breach could have a negative impact on corporate stock prices, affecting not only the company but also the investors who help it survive.
Table of Contents
- Definition and Consequences of the Data Breach
- Do Cyberattacks Affect Stock Prices? An Exploration by a Security Researcher
- Consequences of a Company Hack in Terms of Stock Price
- Facebook's Scandals Caused its Share Price Tanking in 2018
- Findings of Companies that Experienced Data Breaches
- How to Deal with a Hack
A data breach is when confidential, protected, or sensitive information is stolen or accessed by an unauthorized person. Data breaches can involve a wide range of information, including financial information, health records, intellectual property, and personal information.
The data breach on Facebook in 2016 that gave Cambridge Analytica access to private information on 50 million Facebook users is an example of how large data breaches can be.
Because consumers expect their private information to be safely stored and not misused, the variety of information involved in a data breach highlights the reputational loss, reduced market value, lost business, customer turnover, and wide-ranging effects on the targeted firm.
In most cases, data breaches will severely harm a company's reputation, resulting in a significant loss of goodwill from customers and suppliers.
New customers may be hesitant to use the company's services, and existing customers may leave, resulting in an unusually high customer turnover rate.
Alejandro Hernández, a senior security consultant at IOActive, became interested in the correlation while working for another company that discovered a "huge" software vulnerability.
His coworkers began to speculate on how much the stock would fall — some predicted a 10% drop, while others predicted a 20% drop. The company's stock price fell only 3% that day, prompting him to conduct new research.
Hernández started looking into organizations that had vulnerabilities, security incidents, or espionage attacks, or that were criticized for privacy concerns or misinformation.
In many of these cases, the price drop was minor, and the recovery time was less than two weeks. However, some have a greater impact.
For example, the 2017 Equifax breach sparked a price drop of 31% a week after it was revealed. According to Hernández, many people thought the company would never recover, but its stock rose in less than two years.
Another example is the more recent SolarWinds campaign, which Hernández classified as an espionage operation because a nation-state was involved. According to him, these attacks are among the most damaging to corporate stock prices, causing drops of 17% to 20% in some cases.
Issues relating to national security are the most serious of all. The stock price drop that followed the disclosure of the SolarWinds attack, however, was short-lived: four months after the disclosure, the stock was on the rise again.
While it's reasonable to expect stock prices to fall due to these two high-profile breaches, Hernández says that logic can't be applied to all major incidents because some have a greater impact than others.
Incidents have a greater impact than vulnerabilities, with a drop of more than 5%. Recovery time depends on the amount and sensitivity of the data leaked.
He adds that 63% of businesses hit by an attack recover in less than a month, even if sensitive data like credit card numbers or personally identifiable information was compromised.
His research reveals that both victim companies and their parent companies are impacted. Stock prices for parent company Verizon fell because of the Yahoo breach, and stock prices for parent company Facebook fell due to the disclosure of a vulnerability in WhatsApp in 2018. Similarly, when a security issue affects a company's suppliers, the stock price can be affected.
A data breach can have a big impact on a company's stock price, and how quickly it recovers may be determined by how seriously the company takes IT security.
Research commissioned by security firm Centrify measured the stock market performance of 113 companies that had suffered a data breach.
All of them were publicly listed, had lost over 50,000 records, including passwords and payment information, and had notified regulators and victims.
According to the study, the value of the 113 companies fell by an average of 5% immediately after the breach was disclosed, which may help focus the attention of CEOs and boards who are dragging their feet on IT security investment.
Most businesses were able to recoup their losses over time. Those with better security policies, such as having a dedicated chief information security officer, regular audits, and participation in a threat-sharing program, recovered more quickly. According to the study, the stock prices of these companies recovered in just seven days.
Companies with poor security standing, such as those lacking incident response plans or having high IT security staff turnover, took much longer to recover, with an average of 90 days.
According to the study, it took an average of 45 days for share prices to return to normal after a breach. According to the research, it took 116 days for an unnamed UK retailer's share price to return to normal, while it took 85 days for a UK bank.
Centrify's research also revealed a less visible impact of a data breach: 27% of consumers who had been victims said they had ended their relationship with the company in question. Customers were less likely to leave companies with a better security posture.
These findings are consistent with another study conducted by security firm RSA on consumer attitudes toward data breaches.
A quarter of those polled by RSA said they have become desensitized to data breach headlines, and nearly one in ten said they are unconcerned about data loss.
Another third said they had lost faith in businesses' ability to protect their personal information but continued to use them anyway. Over half of respondents said they had no idea how many times businesses had lost data.
However, one out of every four people said they would boycott companies that mishandled data in favor of more secure alternatives.
- Newsfeed changes
- Zuckerberg accepted Washington's invitation
- Cambridge Analytica
- Facebook reveals its community standards
- Sheryl Sandberg's Senate hearing
- Instagram loses its founders
- The Security Breach
In the third week of November 2018, Facebook's stock closed at $132.43 on Tuesday, up slightly from $131.55 on Monday, which was the company's lowest closing share price in nearly 22 months.
In what has been a tumultuous year for Facebook, the decline came after yet another major scandal. The tech company's stock had dropped nearly 40% since its peak in July.
Here's a rundown of the numerous blunders, scandals, and other events that have dragged down Facebook's stock price in 2018.
The first significant drop in Facebook's stock price occurred in January when it announced major changes to one of its most popular products, the news feed. Content from users' friends and family was given precedence over content from brands they followed.
As a result, CEO Mark Zuckerberg predicted that users' time spent on Facebook and their engagement with the service would decrease.
The company's stock price dropped more than 4% on January 12 due to those warnings, sending Wall Street into a panic. The drop reduced Facebook's market value by $24.5 billion, more than Twitter's total value.
When news broke on March 27 that Zuckerberg had decided to testify before Congress, Facebook's stock dropped nearly 5%.
Following the Cambridge Analytica scandal, Facebook was under increasing pressure to decide. Just the day before, the Federal Trade Commission had announced that it would investigate Facebook's data practices.
When the New York Times and The Guardian reported in March that Cambridge Analytica, a British political consulting firm, had exploited Facebook to collect the data of more than 50 million users without their permission, Facebook shares plummeted. In 2016, the Trump campaign used Cambridge Analytica to target voters.
Facebook attempted to preempt the reports by suspending the consulting firm on March 16, but the reports still had an impact.
The next day of trading, March 19, the company's stock price fell nearly 7%, and Facebook's market value dropped by more than $36 billion.
On April 24, Facebook's stock dropped nearly 4% after publishing its rules outlining what content is and is not permitted on its social network.
The Community Standards were released as Facebook removed harmful content from its services, such as misinformation, hate speech, and spam. The document was made public one day before Facebook's first earnings report since the Cambridge Analytica scandal.
That day, Facebook's market value plummeted by nearly $18 billion, a little more than Dish Network's total value at the time.
The week after Facebook COO Sheryl Sandberg testified before the Senate Intelligence Committee, the stock dropped again. Sandberg was in attendance to discuss Facebook's response to Russian meddling and what the company is doing to prevent future abuse of its services.
Sandberg's testimony did not impress Wall Street because she frequently promised to follow up on senators' questions. Sandberg's exchange with Sen. Kamala Harris stood out as the senator pressed Sandberg on how Facebook might have profited financially from Russian trolls using the platform.
From the close on August 31, the trading day before Sandberg's opening statements, to the close on September 6, the day after the hearing, Facebook's stock dropped nearly 8%. The company's market value plummeted by $38 billion.
Kevin Systrom and Mike Krieger, co-founders of Instagram, abruptly resigned from Facebook on September 24. The two had remained at the company since Facebook bought Instagram, now the most popular social network among teenagers, in 2012.
The company's stock dropped by 0.3 percent the next day.
On September 28, Facebook announced that it had experienced a security breach that could have affected up to 50 million users. That day, the company's stock dropped nearly 3%.
Only 30 million users were affected, but 14 million had their names, contact information, gender, relationship status, and other sensitive information exposed, the company clarified a few weeks later.
That day, Facebook's value plummeted by nearly $16 billion.
Comparitech looked at 28 companies that had experienced data breaches to see how stock prices were affected. The following are some of their key findings:
- Approximately 14 market days after a breach, the share prices of breached companies hit a low point. On average, stock prices fall 7.27%, underperforming the NASDAQ by -4.18%.
- Finance and payment companies saw the biggest drop in share price performance following a data breach, while healthcare companies were the least affected.
- On average, companies that leak highly sensitive information such as credit card and social security numbers see their stock prices drop more than companies that leak less sensitive information.
All of the companies studied had breaches involving a million or more records, were publicly traded on the NYSE at the time of the breach, and the breach's details were made public.
While the affected companies' stock prices were rebounding six months after the breach, the initial impact of a data breach resulted in underperformance on the NASDAQ.
According to the report, while stock prices may recover, a company's long-term financial solvency may be severely harmed.
One of the primary determining factors for stock-health post-breach is the breached industry, with finance companies topping the list of those hardest hit.
"Although the stocks performed better against the market post-breach than pre-breach, they still underperformed on the NASDAQ by a difference of 2% after six months. They suffered the largest initial downturn following breaches on average, sinking over 17 percent against the NASDAQ after 16 market days," said one analyst.
On its site, Comparitech provides a detailed breakdown, in graph form, of share prices before and after a breach and of how they compare to the NASDAQ.
Technology companies, such as Sony, Apple, and T-Mobile, experienced a slower decline in stock prices. However, despite outperforming the NASDAQ before the breach, they were still underperforming six months later.
Companies in the e-commerce and social media sectors, such as Yahoo, LinkedIn, and Facebook, experienced a sharp drop in stock prices immediately after a breach but showed a higher likelihood of outperforming the NASDAQ six months later.
- Start with the security measures that are already in place
- Shift your focus to planned improvements
- Prepare now
Let's start with the things you shouldn't do. First and foremost, don't try to hide the fact that it happened. Hiding the incident's existence or finding excuses to minimize the organization's responsibility can have even more serious consequences.
For instance, in 2016, Uber paid hackers through its bug bounty program to cover up a data breach. When the incident was made public in 2017, it damaged Uber's reputation and resulted in a $148 million fine from the Federal Trade Commission in 2018.
So, what are your options? There are two important pieces of advice to keep in mind:
- Begin by describing what you did well to prepare for this eventuality.
- Then move on to how you'll improve even more.
According to research, customers and the stock market are reassured by a CEO who communicates about the company's existing cybersecurity mechanisms quickly and effectively. The fact that a significant investment was made before a hack demonstrates that the company was concerned about security, particularly the privacy of its customers.
Even if these precautions didn't stop the attack, talking about them can help mitigate some damage: data encryption can ensure confidentiality, a backup system can help speed up recovery, and network segmentation can isolate the incident to reduce the impact.
If you're reading this and haven't already been hacked, now's a good time to double-check security measures like these.
Remedial actions should be taken and publicized as soon as possible after the breach, such as announcing a significant increase in budget to improve the company's cybersecurity capability.
Increasing the number of cybersecurity professionals on staff to improve internal cybersecurity capabilities can also help keep customers' trust. For example, after the JP Morgan Chase breach, the company released extensive information about the attack and doubled its security spending.
Aside from internal improvements, it's a good idea to publicly offer all customers a monitoring service, such as LifeLock, to help prevent data abuse, such as identity theft.
Doing so — and announcing that you're doing so — sends a strong message to customers that they're in good hands and will be well taken care of.
According to the analysis, these post-breach recovery strategies helped organizations reduce or eliminate short-term negative stock price drops.
These quick and well-thought-out responses are critical to regaining trust. Even if you can't always prevent a cyberattack, you can always prepare for one.
Importantly, a cyberattack is both a threat and an opportunity. Leaders should remember Winston Churchill's advice: "Never waste a good crisis."
While a cyberattack draws attention to the targeted company, it also provides free publicity to demonstrate its responsibility and efforts to protect stakeholders, customers, suppliers, and the community. That's why having a well-practiced action plan and communication strategy is crucial.
Rather than blaming the cybersecurity team or gullible employees, businesses should use these incidents to improve and optimize their operations by increasing transparency, improving cybersecurity maturity, and improving their competitive position.
With a systematic response strategy and a proactive attitude toward customers, the best-case scenario is to reduce, if not eliminate, the cyber incident's short-term negative impact (such as on stock price).
Then, to create a positive long-term impact and digital innovation, turn the experience into a trigger for expanded organizational learning. This should be every organization's mission statement. If all of these things are done correctly, the company will be better, stronger, and smarter.