When discussing the consequences of a data breach for organizations, we usually consider three types of damage: financial, legal, and, somewhat more tenuously, reputational. But what about stock prices? One would assume that stock price—an indicator of a business’s overall health and investor confidence—would plummet after a breach, but is this really the case?
Do Stock Prices Fall After Data Breaches?
In short, yes, data breaches do negatively impact stock prices. But this statement oversimplifies the issue. For example, the impact of a data breach on stock price varies depending on the breached organization’s sector, the size of the breach, and the type of stolen data. Research from Comparitech gives us the full picture.
The tech research company’s study of the closing share prices of 118 companies, all of them listed on the New York Stock Exchange, starting the day before the public disclosure of their respective data breaches, found that data breaches do bring stock prices down, but not by much: stock prices of breached companies bottomed out at a mere -1.4% 41 days after a breach.
But that’s not to say there aren’t outliers. In the wake of Equifax’s highly publicized breach in 2017, the company’s stock price fell by 60% at its worst. Even then, however, the credit bureau had almost wholly recovered a year later.
Does Wall Street Understand Data Breaches?
Somewhat unsurprisingly, sectors that handle large amounts of sensitive data suffer more than those that don’t. Healthcare businesses, for example, underperformed the NASDAQ by a massive -10.6% in the six months following a breach. Retail companies, however, managed to outperform the NASDAQ by 7.29% in the same period. Clearly, investors in the retail sector don’t care about data breaches.
Bizarrely, however, breaches involving highly sensitive data like Social Security numbers had less of an impact on share prices than those involving less sensitive data such as email addresses. Companies that reported breaches of highly sensitive information saw share prices outperform the market by +1.0%, compared to -3.8% for medium-sensitivity breaches and -7.93% for low-sensitivity breaches.
This contradiction suggests that Wall Street may not really understand or research data breaches properly. Suppose investors hear a healthcare organization has suffered a breach. In that case, they perhaps assume sensitive healthcare data has been stolen. In contrast, when a retail organization discloses a breach, they may assume it only involved email addresses and don’t delve into the specifics of disclosure statements.
Similarly, the size of breaches has a somewhat inconsistent impact on stock prices. According to Comparitech: “share prices following breaches of more than 100 million records underperformed the NASDAQ by -1.2%. Companies with 10 million to 99 million records breached underperformed by -1.5%. For 1 million to 9.9 million records, prices actually outperformed the market by +3.6%. And for less than 1 million records, share price performance didn’t deviate much from the NASDAQ.” Again, this suggests that investors perhaps aren’t doing their due diligence on data breaches.
How Have the Impacts Changed Over Time?
Comparitech’s research stretches back to 2007 and shows how investor perceptions of data breaches have changed over time. Breaches disclosed prior to 2015 had the least impact on stock prices, with companies suffering breaches in this timeframe falling 13.4% versus the NASDAQ in the six months following disclosure. The impact of data breaches on stock prices in this period is likely so high because such incidents were far less common, and, as a result, investors cared more.
We can use the same reasoning to explain why data breaches disclosed between 2015 and 2019 had little impact on share prices (companies that disclosed a breach during this time outperformed the NASDAQ by +4.92%). By this time, many prominent organizations (including eBay, Target, and JP Morgan Chase) had suffered and ultimately survived massive data breaches, easing investor anxieties.
However, things changed again in 2020. Companies that disclosed breaches in 2020 or later saw prices underperform the market by -6.6%. Comparitech argues that this about-face could result from the rise of ransomware, which involves not just data theft but also disrupting company operations by locking target systems, which can result in significant financial losses. It’s also worth noting that attack rates spiked in 2020 amidst the COVID-19 pandemic, which may have spooked investors.
Conclusion
All in all, it’s clear that data breaches do impact share prices, but not in a predictable or even logical way. Essentially, companies that disclose a breach will likely see a fall in their share price but are likely to recover—provided they can withstand the legal and, ultimately, financial consequences of a breach.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.