Breaches Affect Short-Term Share Prices; Long Term, Not So Much
Despite data breaches, brands tend to do just fine in the long run.
Breaches are not only bad for publicity; they are also detrimental to a company’s value, at least for a relatively short time. A study by UK-based Comparitech.com revealed that the share prices of 24 compromised companies underperformed.
Just 14 market days after a disclosed data breach, on average, the affected companies’ share prices underperformed the NASDAQ by 4.6%. Share prices of breached companies hit a low point approximately 14 market days following a breach. Share prices fall 2.89% on average, and underperform the NASDAQ by -4.6%. Over a longer period, breached companies were shown to be down against the NASDAQ by -15.58% three years following a data breach.
“Stock prices suffer following a breach, but perhaps not as much as one might assume,” Comparitech said. After the first month, share prices recover, and the companies examined performed better in the six months following a breach (+7.02%) than in the six months prior (+3.64%).
In addition, other findings concluded:
- Finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected.
- Companies whose breaches leaked highly sensitive information, like credit card and Social Security numbers, saw larger drops in share price performance on average than companies that leaked less sensitive information.
“A data breach incurs serious consequences no matter whether a company is big or small. Staff get fired, executives issue apologies, and entire systems are overhauled to ensure that it doesn’t happen again. They instill doubt in consumers, damage the company’s reputation, and the impact can last for years. A data breach can harm both public sentiment and a company’s competitive edge in the market,” Paul Bischoff, author of the report, “Analysis: How Data Breaches Affect Stock Market Share Prices,” and privacy advocate for Comparitech.com, said.
Included in the study are many of the largest data breaches in history; all of them resulted in at least 1 million records leaked, and some surpassed 100 million. Some companies were breached more than once, for a total of 28 breaches analyzed.
The companies included: Apple, Adobe, Anthem, Community Health Systems, Dun & Bradstreet, eBay, Equifax, Experian, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone, and Yahoo.
In the long term, breached companies underperformed the market. After 1 year, share price grew 8.53% on average, but underperformed the NASDAQ by -3.7%. After 2 years, average share price rose 17.78%, but underperformed the NASDAQ by -11.35%. And after three years, average share price is up by 28.71% but down against the NASDAQ by -15.58%. “It’s important to note the impact of data breaches likely diminishes over time,” Bischoff noted.
Two noteworthy factors that Comparitech did not cover in this analysis stood out most, the company said. The first is payouts. If a data breach leaks particularly damaging information that ultimately causes financial damage to a company’s customers, and the company is shown not to have adequately protected the information leaked in that breach, then customers often sue in class-action lawsuits. “We simply don’t have enough data to fit a practical model that shows how these settlements affect stock prices.”
The second is financial reports. “While a company might divulge what information was leaked and how many records were affected in that initial disclosure, other consequences might not be revealed until the company releases its requisite quarterly shareholder report. This could include loss of sales or users, diverting funds to invest in data security, or other important information related to the breach that could cause investors to jump ship.”
“These findings seem to indicate that breaches have an overall negative effect on share price in the long term,” Bischoff explained. However, two other important factors could influence the results. First, the companies analyzed were breached relatively recently, so a full three years’ worth of post-breach data is not available for every company. Second, the further away in time we get from the breach, the more difficult it is to reasonably attribute changes in share price to a breach. “We assume a data breach will have the greatest effect on share price immediately following the incident, and that effect will diminish over time.”