Data breaches bring a slew of bad consequences for the victim, not the least of which are the costs of lost business, remediation, and, possibly, litigation. But for publicly held entities, there’s an additional risk: a lasting hit to the share price.
For 24 companies whose shares are traded on the New York Stock Exchange and which sustained a breach in recent years, the average slump in share price was 4.6% 14 market days after the theft was disclosed, according to a study released Thursday. That’s compared to a NASDAQ composite index used as a proxy for the wider market. Fully three years after the disclosure, the firms’ average share price had risen 28.71% but was still down 15.58% compared to the NASDAQ index.
By this measure, companies related to payments and finance have been hardest hit. Their shares plunged 17% against the index 16 market days after the intrusions were made public and were still down 2% relative to the index six months later, even though their post-breach performance was better than their pre-breach run. The study was prepared by Comparitech, a United Kingdom-based research firm that analyzes technology.
The companies examined in this category are JPMorgan Chase, Heartland Payment Systems, Countrywide, Experian, Global Payments, and Equifax. Among these breach victims, the most severe cases were those of Equifax, at 143 million records, and Heartland, at 130 million. The former case involved a variety of credit bureau data and came to light only a year ago. The latter involved mostly credit card data and was disclosed in 2009, before the company’s 2016 acquisition by Global Payments.
If there’s any good news, it’s that while the risk of a hit to market value remains real over time, it diminishes as memories fade and other news intrudes. For the half dozen payments and finance firms, that 17.42% drop at day 16 represented on average the group’s deepest dive. “[T]he further away in time we get from the breach, the more difficult it is to reasonably attribute changes in share price to said breach. In other words, we assume a data breach will have the greatest effect on share price immediately following the incident, and that effect will diminish over time,” writes report author Paul Bischoff.
Curiously, companies can recover more quickly from bigger breaches than from smaller ones. For those that sustained a loss of 100 million or more records (Yahoo, eBay, LinkedIn, and Under Armour are in this group along with Heartland and Equifax), shares were up on average 13.18% relative to the NASDAQ six months out from disclosure. This was despite the fact that their shares collectively had underperformed the index by 3.03% in the half year before disclosure.
By contrast, shares for the companies that sustained losses of 99 million or fewer records were negative relative to the index six months out. That result surprised even the researchers.
“Our hypothesis was simple: the bigger the breach, the bigger the drop in share price,” notes Bischoff in the study. “But the results actually surprised us. Companies that suffered bigger breaches were able to shake it off and ultimately outperform the market, whereas companies with smaller breaches lagged behind six months on.”