The security industry likes to tout the horrible fates that befall companies under cyberattack. We pepper our marketing with flair like cybercriminals in ominous hoodies and “it’s not if, it’s when.” It seems like every single breach and malware discovery is worse than the one before it, so every day we fight the cybercriminals is the worst day ever. To paraphrase the movie “Office Space,” the industry has a case of the Mondays when it comes to cybersecurity.

When we have studies that show the actual cost of a data breach is in the millions of dollars for companies, is the myth of the stock-busting breach true? What is the impact on top-line growth and stock performance? As you may have surmised from the title, major breaches don’t always mean major loss in market cap.

Potential Rounding Error

Let’s look at four breach examples from the last few years:

  • Company A: A clothing retailer, one of the original big breaches;
  • Company B: A homewares retailer;
  • Company C: A home improvement retailer;
  • Company D: A media and entertainment company.

Let’s set the day before their public disclosure of the breach as day zero. Each of these companies disclosed publicly on different days, and they all had different starting stock prices. To show them on a consistent timeline with relative measures, I’ve set their day zero stock price as their base and looked at fluctuations as a percent change to that price.

Since Company A’s breach occurred when multimillion-record leaks weren’t quite so common, we would expect to see a big dip in their stock performance after the announcement. Based on Figure 1 below, we see the company’s stock price dipped almost 12 percent about seven weeks after the breach was made public. In this particular instance, that coincided with an SEC filing that disclosed additional details about the incident, but the stock had been on the decline even before that formal disclosure.

Figure 1: The relative change in stock price for Company A, the large clothing retailer.

Although the stock appears to rebound about six months after the disclosure, to get all our paperwork and TPS cover sheets in order, we’ll compare it to one of the major stock indices, the Dow Jones Industrial (DJI). I use the DJI because this example is a U.S.-based retailer that trades primarily in the U.S. stock exchange, and we know that general market performance can particularly impact the performance of consumer-based industries like retail.

Using the same timeline and relative stock performance from day zero for the DJI, we can see that the market managed to grow over that six-month period following the disclosure, when the clothing retailer’s stock did not. We can’t entirely blame the stock performance on the breach disclosure, but we’ll keep this example in mind as we move on to more recent incidents.

Figure 2: The relative change in stock price for Company A, the large clothing retailer, as compared to the relative change in performance of the DJI.
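As an added illustration, not part of the original post, the following Python reproduces the day-zero-relative measure described above (each close expressed as a percent change from the close on the day before disclosure) and the company-versus-index comparison behind Figure 2. The weekly prices and the index values are constructed sample data, not the real figures for Company A or the DJI.

```python
"""Day-zero-relative stock comparison, as described in the post.

All prices below are CONSTRUCTED sample data, not real market data.
Index 0 of each list is "day zero": the close on the trading day
before the breach was publicly disclosed; each later entry is one week on.
"""
from typing import Dict, List, Tuple

# Constructed weekly closes for the breached company (hypothetical "Company A").
COMPANY_A = [62.0, 60.5, 59.0, 58.1, 57.4, 56.8, 55.9, 54.6,
             56.0, 58.3, 60.1, 61.2, 62.5]
# Constructed weekly closes for the market index over the same weeks.
DJI = [16400.0, 16450.0, 16520.0, 16480.0, 16600.0, 16700.0, 16750.0, 16820.0,
       16900.0, 16980.0, 17050.0, 17100.0, 17200.0]


def relative_change(prices: List[float]) -> List[float]:
    """Percent change of every close versus the day-zero close (index 0)."""
    if not prices or prices[0] <= 0:
        raise ValueError("need a positive day-zero price")
    base = prices[0]
    return [(p - base) / base * 100.0 for p in prices]


def worst_dip(prices: List[float]) -> Tuple[int, float]:
    """Week index and percent change of the lowest close after day zero."""
    rel = relative_change(prices)
    week = min(range(1, len(rel)), key=lambda i: rel[i])
    return week, rel[week]


def excess_vs_index(company: List[float], index: List[float]) -> List[float]:
    """Company relative change minus index relative change, week by week.

    Positive values mean the company outpaced the market since day zero;
    negative values mean it lagged. This is the comparison Figure 2 draws,
    and it separates a breach-related slide from a general market move.
    """
    if len(company) != len(index):
        raise ValueError("series must cover the same weeks")
    return [c - m for c, m in zip(relative_change(company), relative_change(index))]


def summarize(company: List[float], index: List[float]) -> Dict[str, float]:
    """Headline numbers an analyst would read off the chart."""
    week, dip = worst_dip(company)
    excess = excess_vs_index(company, index)
    return {
        "worst_week": week,
        "worst_dip_pct": round(dip, 2),
        "end_rel_pct": round(relative_change(company)[-1], 2),
        "end_excess_pct": round(excess[-1], 2),
    }


if __name__ == "__main__":
    for key, value in summarize(COMPANY_A, DJI).items():
        print(f"{key}: {value}")
```

On the constructed series the company's close is back near its day-zero level by the final week, yet the index-relative figure is still negative because the market rose over the same period, which is exactly the distinction the DJI overlay makes.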

Don’t Jump to Conclusions

Adding the three more recent breach victims to the relative stock price chart, we see mixed results. In some cases, like the entertainment company and the home improvement retailer, the stock price rebounded and climbed more than 20 percent above its pre-disclosure level within the six months following disclosure. In others, like the homewares retailer, prices remained slightly down. Myth: not confirmed.

Figure 3: The relative change in stock price for Companies A, B, C and D compared.

So many factors can affect stock price, but let’s focus on a more personal level. For the executives in charge at the time of the incident, the chaos of disclosure and remediation is the top priority, and the dust appears to settle around three to five months after disclosure. Adding in changes to the executive staff — mostly in the CIO or CISO role — to the stock performance graph above draws out a couple things of note.

Figure 4: The relative change in stock price for Companies A, B, C and D compared, displaying notable changes in executive staffing.

In three of the four companies, executive changes followed the disclosure, compared with only half of the companies seeing their stock price suffer. Granted, it’s a small sample size, but three-quarters is still statistically significant for the executive affected.

The second thing to note is that the announcement of the staffing changes didn’t affect the stock price significantly. Market confidence, as reflected in stock price, was not impacted by the public scapegoating of a particular executive. The stock price for the entertainment company and the homewares retailer did not change drastically in the four weeks between the resignation announcement and the new hire announcement of the CIO role.

As Perplexing as ‘PC Load Letter’

The stock data busts the myth that a major breach means a major loss of market capitalization or top-line growth. Despite potential lawsuits from affected customers, investigation and cleanup costs and brand repercussions (particularly if the affected company touts secrecy as a core tenet, as in one recent breach), companies are still rolling the dice on their security posture, since many of the long-term repercussions of a breach are relatively nebulous. Looking at the SEC filings of the companies I’ve cited as examples, we can certainly quantify some of the hard-dollar costs reported as pretax gross expenses.

Figure 5: Estimated hard costs for each breached organization. Note: Entertainment company is not a U.S.-owned entity. Estimate based on a news story.

In addition to hard costs, a U.S. appellate court reaffirmed that the U.S. Federal Trade Commission (FTC) has the authority to sue breached companies if it deems those companies engaged in unfair or deceptive practices that led to the breach. The outcome doesn’t necessarily mean more fines, but rather long-term oversight from the FTC into the privacy practices of the affected company — a sort of privacy probation with potential for future fines if certain conditions aren’t met.

The threat of a layer of oversight similar to “The Bobs” efficiency consultants in “Office Space,” combined with the hard-dollar cost to pay for lawsuits, new security products and credit monitoring for affected customers, may be the incentive needed for companies to bolster their security posture.

So, yeah, if they could go ahead and get on that… That’d be great.
