A data breach can have a significant affect on a company's share price: how quickly it bounces back may depend on how seriously the organisation takes IT security.
Research commissioned by security company Centrify measured the stock market performance of 113 companies that had suffered a data breach. All lost more than 50,000 records, including passwords and payment details, had notified regulators and victims, and were publicly listed.
The bad news: the study found that the value of the 113 companies declined an average of five percent immediately following the disclosure of the breach -- a data point that may help to focus the attention of CEOs and boards that are dragging their heels on IT security investment.
The good news: most companies recovered the loss over time. Those deemed to have better security policies in place bounced back quicker -- that might include having a dedicated chief information security officer, regular audits, and participation in a threat-sharing programme. These companies' stock price recovered in just seven days, according to the research.
Companies with poor security standing -- lacking incident response plans or experiencing high IT security staff turnover, for example -- tended to take much longer to recover, the average being 90 days.
Overall, it took an average of 45 days for share price to return to normal after a breach, the research said. However, one unnamed UK retailer took 116 days for its share price to return to normal, while a UK bank took 85 days, according to the research.
Lose data, lose customers
Centrify's study also suggested a less visible impact of a data breach: 27 percent of consumers who had been victims said they had ended their relationship with the organization concerned. Companies deemed to have a better security posture were less likely to lose customers.
These findings are in line with another research from security company RSA into consumer attitudes to data breaches.
A quarter of those surveyed by RSA said they have become numb/immune to headlines around data breaches and nearly one in ten said that they don't care about data loss. Another third said they had lost trust in companies' ability to look after their data, but continue to use them anyway. Over half said they had no idea how many times companies have lost their data. However, one in four did say they would boycott companies that mishandle data, using more secure alternatives instead.
Data breaches aren't bad news for every company's share price: following the WannaCry ransomware chaos earlier this month the shares of tech security companies jumped up on the expectation that panic buying of security software would boost their profits.