Data security breaches are larger and more spectacular than ever before. Just in the last year, companies suffering from major hacks have ranged from retailers and financial firms to entertainment conglomerates. The data stolen ran the gamut from tens of millions of customer accounts — complete with credit card information — to embarrassing remarks about celebrities in what were intended to be private email messages.

However, a company’s stock price rarely shows much impact even from the largest data breach. Stocks sometimes dip briefly on initial news of a hack only to subsequently recover. So does this mean that data breaches are not such a big concern after all?

Why Stock Price May Not Tell the Whole Story

Unfortunately for businesses, stock prices may not reflect the real long-term effects of a data security breach for a variety of reasons.

As Elena Kvochko and Rajiv Pant wrote in Harvard Business Review, many analysts feel that investors have become numb to reports of data breaches. A widely held view is that when it comes to data security, there are only two kinds of firms: those that have been openly hacked and those that don’t yet know that they’ve been hacked. This encourages a sort of fatalism in the market.

Moreover, Kvochko and Pant suggested that data breaches and their implications are complicated. They wrote, “Shareholders have neither enough information about security incidents nor sufficient tools to measure their impact.” A further complication for stockholders and their advisers is that reporting of breaches is often delayed, and existing “SEC regulation leaves leeway for public companies as to when to disclose cyber incidents.”

In short, the dynamics and effects of a security breach are complex — so much so that a company’s stock price is unlikely to register the effects in any measurable way. Public news of a data breach can generate negative publicity, but a company may be able to time the announcement so that it is followed swiftly by corrective action.

Put another way, the damage may well have been done already and the company poised for an upswing by the time news of a breach hits the market. And with so many other signals available for investors to act on, they appear to hold off on reacting to news of a data breach.

The Challenges of Dealing With Complexity

For business leaders, the complexities are just as great, but the stakes are a good deal higher. The costs of a data breach are substantial, whether or not they are reflected in the company’s stock price. Breaches have both direct and indirect costs, including the loss of business and reputational damage.

The most immediate direct cost, beyond what was lost in the breach itself, is the cost of the actions that must be taken to close the breach. Programmers and other security professionals must be put to work around the clock. New security technology may need to be procured. Alleviating the damage (by replacing customers’ credit cards, for example) is another cost likely to result from a breach.

Other downstream costs are more difficult to predict. Consumers, like stockholders, may be numb to data breaches until they are directly affected. And the reputational damage from a breach depends as much on the company’s subsequent response as on the breach itself. A prompt, vigorous response can go far to minimize such damage, while a sluggish, clumsy response might hurt more in the long run than the breach itself.

In short, business leaders who look at the effect on stock price alone to decide that data breaches are no big deal may be whistling past the graveyard. The right time for an organization to minimize the damage from a breach is before it happens, or at least before it is detected. Strong security measures, combined with an effective emergency response plan, will help a firm weather the data breach storm in both the long and short term.
