The security industry likes to tout the horrible fates that befall companies under cyberattack. We pepper our marketing with flair like cybercriminals in ominous hoodies and “it’s not if, it’s when.” It seems like every single breach and malware discovery is worse than the one before it, so every day we fight the cybercriminals is the worst day ever. To paraphrase the movie “Office Space,” the industry has a case of the Mondays when it comes to cybersecurity.

When we have studies that show the actual cost of a data breach is in the millions of dollars for companies, is the myth of the stock-busting breach true? What is the impact on top-line growth and stock performance? As you may have surmised from the title, major breaches don’t always mean major loss in market cap.

Potential Rounding Error

Let’s look at four breach examples from the last few years:

  • Company A: A clothing retailer, one of the original big breaches;
  • Company B: A homewares retailer;
  • Company C: A home improvement retailer;
  • Company D: A media and entertainment company.

Let’s set the day before their public disclosure of the breach as day zero. Each of these companies disclosed publicly on different days, and they all had different starting stock prices. To show them on a consistent timeline with relative measures, I’ve set their day zero stock price as their base and looked at fluctuations as a percent change to that price.

Since Company A’s breach occurred when multimillion-record leaks weren’t quite so common, we would expect to see a big dip in their stock performance after the announcement. Based on Figure 1 below, we see the company’s stock price dipped almost 12 percent about seven weeks after the breach was made public. In this particular instance, that coincided with an SEC filing that disclosed additional details about the incident, but the stock had been on the decline even before that formal disclosure.

Figure 1: The relative change in stock price for Company A, the large clothing retailer.

Although the stock appears to rebound about six months after the disclosure, to get all our paperwork and TPS cover sheets in order, we’ll compare it to one of the major stock indices, the Dow Jones Industrial (DJI). I use the DJI because this example is a U.S.-based retailer that trades primarily in the U.S. stock exchange, and we know that general market performance can particularly impact the performance of consumer-based industries like retail.

Using the same timeline and relative stock performance from day zero for the DJI, we can see that the market managed to grow over that six-month period following the disclosure, when the clothing retailer’s stock did not. We can’t entirely blame the stock performance on the breach disclosure, but we’ll keep this example in mind as we move on to more recent incidents.

Figure 2: The relative change in stock price for Company A, the large clothing retailer, as compared to the relative change in performance of the DJI.

Don’t Jump to Conclusions

Adding in the three more recent breach victims to the relative stock price chart, we see mixed results. In some cases, like the entertainment company and the home improvement retailer, the stock prices rebounded and grew over 20 percent from before their disclosure in the six months following. In others, like the homewares retailer, prices remained slightly down. Myth: not confirmed.

Figure 3: The relative change in stock price for Companies A, B, C and D compared.

So many factors can affect stock price, but let’s focus on a more personal level. For the executives in charge at the time of the incident, the chaos of disclosure and remediation is the top priority, and the dust appears to settle around three to five months after disclosure. Adding in changes to the executive staff — mostly in the CIO or CISO role — to the stock performance graph above draws out a couple things of note.

Figure 4: The relative change in stock price for Companies A, B, C and D compared, displaying notable changes in executive staffing.

In three of the companies, executive changes followed the disclosure, compared to half of the companies suffering in stock price. Granted, it’s a small sample size, but three-quarters is still statistically significant for the executive affected.

The second thing to note is that the announcement of the staffing changes didn’t affect the stock price significantly. Market confidence, as reflected in stock price, was not impacted by the public scapegoating of a particular executive. The stock price for the entertainment company and the homewares retailer did not change drastically in the four weeks between the resignation announcement and the new hire announcement of the CIO role.

As Perplexing as ‘PC Load Letter’

The stock data busts the myth that a major breach means major loss of market capital or top-line growth. Despite potential lawsuits from affected customers, investigation and cleanup costs and brand repercussions (particularly if the affected company touts secrecy as a core tenant, as in one recent breach), companies are still rolling the dice on their security posture since a lot of the long-term repercussions for a breach are relatively nebulous. In looking at the SEC filings of the various companies I’ve cited as examples, we can certainly quantify some of the hard dollar costs reported as pretax gross expenses.

Figure 5: Estimated hard costs for each breached organization. Note: Entertainment company is not a U.S.-owned entity. Estimate based on a news story.

In addition to hard costs, a U.S. appellate court reaffirmed that the U.S. Federal Trade Commission (FTC) has the authority to sue breached companies if it deems those companies engaged in unfair or deceptive practices that led to the breach. The outcome doesn’t necessarily mean more fines, but rather long-term oversight from the FTC into the privacy practices of the affected company — a sort of privacy probation with potential for future fines if certain conditions aren’t met.

The threat of a layer of oversight similar to “The Bobs” efficiency consultants in “Office Space,” combined with the hard-dollar cost to pay for lawsuits, new security products and credit monitoring for affected customers, may be the incentive needed for companies to bolster their security posture.

So, yeah, if they could go ahead and get on that… That’d be great.

More from Threat Research

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strikes operational usage in the past, we on the IBM X-Force…