When it comes to cybersecurity, there are two types of companies: those that have had a data breach and those that will have a data breach. It’s also been said that there are two types of companies: ones that have had a data breach and ones that don’t yet know they have had a data breach. It appears there is only one thing we know for certain: there are companies and there are data breaches.
Gartner Research estimates the number of data breaches in 2016 to be somewhere near 600 million with an average cost of $4 million. It was also estimated that information security spending reached $76.4 billion in 2015. Much has been said about the prevention of data breaches and the subsequent cleanup and restructuring. Investors can easily tally these upfront and backend costs, but what about the impact on the company’s overall value?
Previously, analysts agreed that even the most egregious of breaches ultimately had little impact on a company’s stock price. A consensus developed: shareholders have simply become numb to the constant news of data breaches – rendering it just another in the long list of things deemed “the cost of doing business.”
However, recent research shows that there is indeed a measurable impact on short- and long-term stock value. A 2017 Ponemon research study of 113 companies found that the stock value of those companies declined an average of 5% the day the breach was disclosed and that the companies experienced a customer turnover of up to 7%. The study also found that 120 days was the average rebound time to fully recover from the breach.
In another new study, conducted by Comparitech, researchers found that stocks suffer an average decrease of 0.43 percent, which is comparable to average daily volatility. However, a new technique was then used, applying the Nasdaq’s overall performance as a baseline to compare variations.
The real insights came when the new technique was applied to long-term growth. The 24 companies researched – including Adobe, Apple, Countrywide, Home Depot and Target – had experienced a stock growth rate of 45.6 percent in the three years before reporting a data breach. Over the next three years, that growth rate dropped to 14.6 percent. Relative to the Nasdaq, breached companies experienced an average day-of share drop of 2.38 percent. One year after a data breach, the companies underperformed by an average of 7.33 percent; three years out, 41.6 percent.
“While these companies didn’t experience a huge drop directly after a breach, their share prices did suffer in the long term,” the study said.
Although companies must disclose security breaches to those impacted, the full consequences of a cyberattack may not be realized until much later – it could be months until the company releases its quarterly shareholder report. Indeed, the aftermath of a data breach can mean declining sales or users, investors diverting funds to data security companies, or worse: other important information related to the breach coming to light that could ultimately cause investors to jump ship.