Stock Price May Not Tell the Whole Story About Security Breaches

Data security breaches are larger and more spectacular than ever before. Just in the last year, companies suffering from major hacks have ranged from retailers and financial firms to entertainment conglomerates. The data stolen ran the gamut from tens of millions of customer accounts — complete with credit card information — to embarrassing remarks about celebrities in what were intended to be private email messages.

However, a company’s stock price rarely shows much impact even from the largest data breach. Stocks sometimes dip briefly on initial news of a hack only to subsequently recover. So does this mean that data breaches are not such a big concern after all?

Why Stock Price May Not Tell the Whole Story

Unfortunately for businesses, stock prices may not reflect the real long-term effects of a data security breach for a variety of reasons.

As Elena Kvochko and Rajiv Pant wrote in Harvard Business Review, many analysts feel that investors have become numb to reports of data breaches. A widely held view is that when it comes to data security, there are only two kinds of firms: those that have been openly hacked and those that don’t yet know that they’ve been hacked. This encourages a sort of fatalism in the market.

Moreover, Kvochko and Pant suggested data breaches and their implications are complicated. They write, “Shareholders have neither enough information about security incidents nor sufficient tools to measure their impact.” A further complication for stockholders and their advisers is that reporting of breaches is often delayed, and existing “SEC regulation leaves leeway for public companies as to when to disclose cyber incidents.”

In short, the dynamics and effects of a security breach are complex — so much so that a company’s stock price is unlikely to register the effects in any measurable way. Public news of a data breach can generate negative publicity, but a company may be able to time the announcement so that it is followed swiftly by corrective action.

Put another way, the damage may well have been done already and the company poised for an upswing by the time news of a breach hits the market. And with so many other signals available for investors to act on, they appear to hold off on reacting to news of a data breach.

The Challenges of Dealing With Complexity

For business leaders, the complexities are just as great, but the stakes are a good deal higher. The costs of a data breach are substantial, whether or not they are reflected in the company’s stock price. Breaches have both direct and indirect costs, including the loss of business and reputational damage.

The most immediate direct cost, beyond what was lost in the breach itself, is the actions that must be taken to close the breach. Programmers and other security professionals must be put to work around the clock. New security technology may need to be procured. Alleviating the damage — by replacing customers’ credit cards, for example — is another cost likely to result from a breach.

Other downstream costs are more difficult to predict. Consumers, like stockholders, may be numb to data breaches until they are directly affected. And the reputational damage from a breach depends as much on the company’s subsequent response as on the breach itself. A prompt, vigorous response can go far to minimize such damage, while a sluggish, clumsy response might hurt more in the long run than the breach itself.

In short, business leaders who look at the effect on stock price alone to decide that data breaches are no big deal may be whistling past the graveyard. The right time for an organization to minimize the damage from a breach is before it happens, or at least before it is detected. Strong security measures, combined with an effective emergency response plan, will help a firm weather the data breach storm in both the long and short term.

Rick Robinson is a writer and blogger, with a current 'day job' focus on the tech industry and a particular interest in...