August 13, 2015 By Rick M Robinson

Data security breaches are larger and more spectacular than ever before. Just in the last year, companies suffering from major hacks have ranged from retailers and financial firms to entertainment conglomerates. The data stolen ran the gamut from tens of millions of customer accounts — complete with credit card information — to embarrassing remarks about celebrities in what were intended to be private email messages.

However, a company’s stock price rarely shows much impact even from the largest data breach. Stocks sometimes dip briefly on initial news of a hack only to subsequently recover. So does this mean that data breaches are not such a big concern after all?

Why Stock Price May Not Tell the Whole Story

Unfortunately for businesses, stock prices may not reflect the real long-term effects of a data security breach for a variety of reasons.

As Elena Kvochko and Rajiv Pant wrote in Harvard Business Review, many analysts feel that investors have become numb to reports of data breaches. A widely held view is that when it comes to data security, there are only two kinds of firms: those that have been openly hacked and those that don’t yet know that they’ve been hacked. This encourages a sort of fatalism in the market.

Moreover, Kvochko and Pant suggested that data breaches and their implications are complicated. They wrote, “Shareholders have neither enough information about security incidents nor sufficient tools to measure their impact.” A further complication for stockholders and their advisers is that reporting of breaches is often delayed, and existing “SEC regulation leaves leeway for public companies as to when to disclose cyber incidents.”

In short, the dynamics and effects of a security breach are complex — so much so that a company’s stock price is unlikely to register the effects in any measurable way. Public news of a data breach can generate negative publicity, but a company may be able to time the announcement so that it is followed swiftly by corrective action.

Put another way, the damage may well have been done already and the company poised for an upswing by the time news of a breach hits the market. And with so many other signals available for investors to act on, they appear to hold off on reacting to news of a data breach.

The Challenges of Dealing With Complexity

For business leaders, the complexities are just as great, but the stakes are a good deal higher. The costs of a data breach are substantial, whether or not they are reflected in the company’s stock price. Breaches have both direct and indirect costs, including the loss of business and reputational damage.

The most immediate direct cost, beyond what was lost in the breach itself, is the work that must be done to close the breach. Programmers and other security professionals must be put to work around the clock. New security technology may need to be procured. Alleviating the damage — by replacing customers’ credit cards, for example — is another cost likely to result from a breach.

Other downstream costs are more difficult to predict. Consumers, like stockholders, may be numb to data breaches until they are directly affected. And the reputational damage from a breach depends as much on the company’s subsequent response as on the breach itself. A prompt, vigorous response can go far to minimize such damage, while a sluggish, clumsy response might hurt more in the long run than the breach itself.

In short, business leaders who look at the effect on stock price alone to decide that data breaches are no big deal may be whistling past the graveyard. The right time for an organization to minimize the damage from a breach is before it happens, or at least before it is detected. Strong security measures, combined with an effective emergency response plan, will help a firm weather the data breach storm in both the long and short term.
