Investor data breach 'fatigue' reduces Wall Street punishment for cybersecurity failures

As data breaches are now common, acceptance now lessens the impact on share prices.
Written by Charlie Osborne, Contributing Writer

Wall Street's acceptance of data breaches and investor "fatigue" has numbed the reaction of traders following a cybersecurity incident, new research suggests.

Over the past decade, the rush to harness data to improve business operations, management, and customer relationships did not occur in tandem with improving cybersecurity hygiene in order to protect this data -- and organizations are still courting huge risks to their share prices to this day as a result. 

According to IBM's latest Cost of a Data Breach report, the enterprise sector can expect an average bill of $3.86 million -- but in the case of large security incidents involving consumer records, this may rise to up to $392 million -- to remedy a breach. 

Some companies will hide their head in the sand when told of a data breach, whether caused by open buckets, intrusion, insider operations, or accidental information loss. 

However, for businesses trading on public stock market platforms, failing to recognize a data breach has occurred or trying to hide it can have real, long-term repercussions. 

This week, Comparitech published its annual report on how data breaches can impact share prices which revealed that cybersecurity incidents do not have the same ramifications for the stock market as they did close to a decade ago.

This year's research has tracked 34 companies and 40 publicly disclosed data breaches. The companies were chosen based on data breaches involving at least one million records, subsequent public disclosure, and an active listing on the NYSE. 

There are some limitations of the study, including possible sample sizes based on Comparitech's criteria, as well as the impact of financial reports and the issue of class-action settlements. 

"If a data breach leaks particularly damaging information that ultimately incurs financial damages to a company's customers, and the company was shown not to have adequately protected the information leaked in that breach, then customers often sue [..]," the researchers note. "These usually result in settlements, in which the company forks out millions of dollars to reimburse customers for damages. This does not always happen and the amount paid out varies, so we simply don't have enough data to fit a practical model that shows how these settlements affect stock prices."

However, the study still reveals some interesting trends. The share price of a breached company now falls by an average of 3.5% within 14 days of disclosure and will hit its lowest point after roughly 110 market days. A prior analysis conducted in 2019 suggested that stock prices would drop by an average of 7.27%.

Underperformance on the Nasdaq is within the range of -3.5% on average, and 21 out of 40 breaches caused worse stock performance in the six months following a breach in comparison to six months prior. On average, share prices grew by 2.6% prior to a breach and dropped 3% afterward.

One notable trend is that "older breaches" were once met with a more immediate, negative reaction by Wall Street. Share prices fell more substantially and according to the research, stocks took an average of 109 days to recover when a breach occurred in 2012 and earlier. 

For data breaches occurring between 2013 and 2016, drops in share price were "less severe" than in the earlier category, and there was less than 1% difference in value between the sixth months prior to and after a security incident's disclosure. 

When it comes to breaches reported in 2017 and after, it took roughly 100 days for prices to recover and general performance was only "slightly poorer" in the six months after a breach. 

In today's marketplace, technology and financial services companies suffered the most after a data breach, whereas e-commerce and social media companies are "the least affected," according to Comparitech. 

"Breaches that leak highly sensitive information like credit card and social security numbers see more immediate drops in share price performance on average than companies that leak less sensitive info, but in the long-term, they do not necessarily suffer more," the researchers noted. 

Data breach impacts on company stock prices do, it seems, diminish over time as memory fades and there are many other factors that can also negatively influence an organization's stock price -- such as the disruption caused by COVID-19, unrelated lawsuits, and management changes.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards