The Myth of Stock-Busting Breaches

The security industry likes to tout the horrible fates that befall companies under cyberattack. We pepper our marketing with flair like cybercriminals in ominous hoodies and “it’s not if, it’s when.” It seems like every single breach and malware discovery is worse than the one before it, so every day we fight the cybercriminals is the worst day ever. To paraphrase the movie “Office Space,” the industry has a case of the Mondays when it comes to cybersecurity.

When we have studies that show the actual cost of a data breach is in the millions of dollars for companies, is the myth of the stock-busting breach true? What is the impact on top-line growth and stock performance? As you may have surmised from the title, major breaches don’t always mean major loss in market cap.

Potential Rounding Error

Let’s look at four breach examples from the last few years:

  • Company A: A clothing retailer, one of the original big breaches;
  • Company B: A homewares retailer;
  • Company C: A home improvement retailer;
  • Company D: A media and entertainment company.

Let’s set the day before their public disclosure of the breach as day zero. Each of these companies disclosed publicly on different days, and they all had different starting stock prices. To show them on a consistent timeline with relative measures, I’ve set their day zero stock price as their base and looked at fluctuations as a percent change to that price.

Since Company A’s breach occurred when multimillion-record leaks weren’t quite so common, we would expect to see a big dip in their stock performance after the announcement. Based on Figure 1 below, we see the company’s stock price dipped almost 12 percent about seven weeks after the breach was made public. In this particular instance, that coincided with an SEC filing that disclosed additional details about the incident, but the stock had been on the decline even before that formal disclosure.

Stock performance for a large clothing retailer after a large breach disclosure

Figure 1: The relative change in stock price for Company A, the large clothing retailer.

Although the stock appears to rebound about six months after the disclosure, to get all our paperwork and TPS cover sheets in order, we’ll compare it to one of the major stock indices, the Dow Jones Industrial (DJI). I use the DJI because this example is a U.S.-based retailer that trades primarily in the U.S. stock exchange, and we know that general market performance can particularly impact the performance of consumer-based industries like retail.

Using the same timeline and relative stock performance from day zero for the DJI, we can see that the market managed to grow over that six-month period following the disclosure, when the clothing retailer’s stock did not. We can’t entirely blame the stock performance on the breach disclosure, but we’ll keep this example in mind as we move on to more recent incidents.

Normalized stock price against major industrial average

Figure 2: The relative change in stock price for Company A, the large clothing retailer, as compared to the relative change in performance of the DJI.

Don’t Jump to Conclusions

Adding in the three more recent breach victims to the relative stock price chart, we see mixed results. In some cases, like the entertainment company and the home improvement retailer, the stock prices rebounded and grew over 20 percent from before their disclosure in the six months following. In others, like the homewares retailer, prices remained slightly down. Myth: not confirmed.

Stock performance for a subset of four large companies suffering from security breaches

Figure 3: The relative change in stock price for Companies A, B, C and D compared.

So many factors can affect stock price, but let’s focus on a more personal level. For the executives in charge at the time of the incident, the chaos of disclosure and remediation is the top priority, and the dust appears to settle around three to five months after disclosure. Adding in changes to the executive staff — mostly in the CIO or CISO role — to the stock performance graph above draws out a couple things of note.

A comparison of stock performance and the timing of executive staffing changes after a major breach disclosure

Figure 4: The relative change in stock price for Companies A, B, C and D compared, displaying notable changes in executive staffing.

In three of the companies, executive changes followed the disclosure, compared to half of the companies suffering in stock price. Granted, it’s a small sample size, but three-quarters is still statistically significant for the executive affected.

The second thing to note is that the announcement of the staffing changes didn’t affect the stock price significantly. Market confidence, as reflected in stock price, was not impacted by the public scapegoating of a particular executive. The stock price for the entertainment company and the homewares retailer did not change drastically in the four weeks between the resignation announcement and the new hire announcement of the CIO role.

As Perplexing as ‘PC Load Letter’

The stock data busts the myth that a major breach means major loss of market capital or top-line growth. Despite potential lawsuits from affected customers, investigation and cleanup costs and brand repercussions (particularly if the affected company touts secrecy as a core tenant, as in one recent breach), companies are still rolling the dice on their security posture since a lot of the long-term repercussions for a breach are relatively nebulous. In looking at the SEC filings of the various companies I’ve cited as examples, we can certainly quantify some of the hard dollar costs reported as pretax gross expenses.

Sample set of stock performance and gross expense associated with a major breach

Figure 5: Estimated hard costs for each breached organization. Note: Entertainment company is not a U.S.-owned entity. Estimate based on a news story.

In addition to hard costs, a U.S. appellate court reaffirmed that the U.S. Federal Trade Commission (FTC) has the authority to sue breached companies if it deems those companies engaged in unfair or deceptive practices that led to the breach. The outcome doesn’t necessarily mean more fines, but rather long-term oversight from the FTC into the privacy practices of the affected company — a sort of privacy probation with potential for future fines if certain conditions aren’t met.

The threat of a layer of oversight similar to “The Bobs” efficiency consultants in “Office Space,” combined with the hard-dollar cost to pay for lawsuits, new security products and credit monitoring for affected customers, may be the incentive needed for companies to bolster their security posture.

So, yeah, if they could go ahead and get on that… That’d be great.

Contributor'photo

Pamela Cobb

Market Segment Manager, IBM X-Force and Security Intelligence

Pamela Cobb directs product marketing activities for the IBM X-Force and Threat Protection offerings developing...