A study looks at just how badly the news of a data breach impacts the company’s share price, revealing some surprising findings
When a data breach hits, the compromised company will scramble to minimize the after-effects of the incident. This includes overhauling security systems, notifying customers, and limiting damage not only to its bottom line, but also to some less tangible assets, notably brand reputation and consumer trust.
In many cases, the ripple effects of the security calamity may go as far as the company’s stock value. Indeed, you might be inclined to think that the share price inevitably takes a hit once the news breaks, but is that really the case? Apparently, the answer is ‘yes’, although the picture is blurrier than you might expect.
A recent study, conducted by technology site Comparitech, offers insight into precisely this – somewhat lesser-explored – area of post-breach consequences. The analysis draws on a sample of 28 big-name enterprises that are listed on the New York Stock Exchange (NYSE) and between them have suffered a total of 33 breaches since 2007, each of which exposed at least 1 million data records.
One notable finding is that the companies’ share prices tended to hit a low point around 14 market days, i.e. almost three weeks, after the incident was disclosed. Their stock value dropped by 7.27% on average, underperforming the overall NASDAQ market by -4.18%.
Interestingly enough, the share prices started to bounce back soon – so much so that six months after the breach the enterprises’ shares actually performed better (growth of 7.4%) than before the incident (4.1%). In a similar vein, the analysis found that “the companies underperformed the NASDAQ by -1.65% leading up to the breach, but managed to outperform it by 0.48% six months after”.
Before long, however, the stocks began to lose that surprising momentum. At the one-year mark, they failed to keep up with the overall NASDAQ market, growing ‘only’ 8.38% on average and underperforming NASDAQ by -6.49%. Similarly, the stock continued to rise two and three years after the incident, but not enough to keep pace with the overall market. On the other hand, the impact of a breach does appear to dwindle over time.
Obviously not all breaches are alike in terms of their effect on stock value. The consequences of incidents that compromise highly sensitive data, notably credit card and social security numbers, linger longer and inflict greater damage on share prices. Also, breaches weigh most heavily on finance and payment firms, whereas healthcare companies are more immune to such ‘side-effects’.
That being said, Comparitech acknowledges the limitations of its study. They include the small sample size as well as market forces that, too, may have affected the stock prices but couldn’t be accounted for, especially further away in time from the breach.