Search the Site

Data Breaches Have Measurable Impact on Long-Term Stock Prices

Past SEC Comment Letter Interaction Predicted Equifax Data Breach Exactly Half a Decade Ago

When it comes to cybersecurity, there are two types of companies: those that have had a data breach and those that will have a data breach. It’s also been said that there are two types of companies: ones that have had a data breach and ones that don’t yet know they have had a data breach. It appears only one thing we know for certain: there are companies and there are data breaches.

Gartner Research estimates the number of data breaches in 2016 to be somewhere near 600 million with an average cost of $4 million. It was also estimated that information security spending reached $76.4 billion in 2015. Much has been said about the prevention of data breaches and the subsequent clean up and restructuring. Investors can easily tally these upfront and backend costs, but what about the impact on the company’s overall value?

Previously, analysts agreed that even the most egregious of breaches ultimately had little impact on a company’s stock price. A consensus developed: shareholders have simply become numb to the constant news of data breaches – rendering it just another in the long list of things deemed “the cost of doing business.”

However, recent research shows that there is indeed a measurable impact on short- and long-term stock value. A 2017 Ponemon research study of 113 companies found that the stock value those companies declined an average of 5% the day the breach was disclosed and experienced a customer turnover of up to 7%. The study also found that 120 days was the average rebound time to fully recover from the breach.

In another new study, conducted by Comparitech, researchers found that stocks suffer an average decrease of 0.43 percent, which is comparable to average daily volatility. However, a new technique was then used, applying the Nasdaq’s overall performance as a baseline to compare variations.

The real insights came when the new technique was applied to long-term growth. The 24 companies researched – including Adobe, Apple, Countrywide, Home Depot and Target – had experienced a stock growth rate of 45.6 percent in the three years before reporting a data breach. Over the next three years, that growth rate dropped to 14.6 percent. Relative to the Nasdaq, breached companies experienced an average day-of share drop of 2.38 percent. One year after a data breach, the companies underperformed by an average of 7.33 percent; three years out, 41.6 percent.

“While these companies didn’t experience a huge drop directly after a breach, their share prices did suffer in the long term,” the study said.

Although companies must disclose security breaches to those impacted, the full consequences of a cyberattack may not be fully realized until much later – it could be months until the company releases its quarterly shareholder report. Indeed, the aftermath of a data breach can mean declining sales or users or investors diverting funds to data security companies, or worse: other important information related to the breach that could ultimately cause investors to jump ship.

Related Articles

SEC Cracks Down on Corporate Hacking Victims

Need a break from all the Trump-Putin news? Take solace in this relatively simple story about the SEC’s stance on data breaches, including some bigg...

Clayton’s SEC Starts Meeting Trump-Era Expectations

Nearly a thousand publicly registered companies just learned that they’re not as big as they thought they were. The revelation had nothing to do ...

Supreme Court Term Review, Part II

When we posted the first part of our Supreme Court term review--all the way back on June 26--it was a simpler time in the history of our country. It w...