Recent high-profile data breaches like those at Target and Home Depot have exposed the private sensitive information of millions of employees and consumers. While consumers are rightfully worried that their personal information may be compromised, shareholders and companies’ management have a wider set of concerns, including loss of intellectual property, operational disruption, decreased customer trust, tarnished brand, and loss of investor commitment. Companies are spending millions in litigation costs, efforts to restore brand loyalty, and refunds.
However, even the most significant recent breaches had very little impact on the company’s stock price. Industry analysts have inferred that shareholders are numb to news of data breaches. A widely accepted notion goes that there are only two types of companies: those that have been breached and those that don’t know they have. It is true that breaches are expected and have become a regular cost of doing business, but there are deeper reasons for the market’s failure to respond to these incidents.
Today, shareholders have neither enough information about security incidents nor sufficient tools to measure their impact. As every company is becoming a digital company, every leader (who is also becoming a digital leader) is realizing that breaches may negatively affect profitability and the company’s long-term ability to do business. The long- and mid-term effects of lost intellectual property, disclosure of sensitive data, and loss of customer confidence may result in loss of market share, but these effects are difficult to quantify. Therefore, shareholders only react to breach news when it has a direct impact on business operations, such as litigation charges (for example, in the case of Target), or results in immediate changes to a company’s expected profitability.
Delays in disclosing information security incidents often contribute to shareholders’ hesitation and uncertainty with regard to how to factor in the effects of the breaches. For instance, current SEC regulation leaves leeway for public companies as to when to disclose cyber incidents: “To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary”.
Overall, stock prices during and following the high-profile data security breaches in the past several years have decreased slightly or quickly recovered following the breach. Let’s look in some more detail at a few cases.
Home Depot’s hack compromised 65 million customer credit and debit card accounts. Breach-related costs are estimated to be around $62 million. The company’s stock price decreased slightly one week after the announcement. In the third quarter of 2014, Home Depot showed a 21% increase in earnings per share.
During the 2013 holiday season shopping period, Target was the object of what was then the biggest cyber attack on a retailer. Credit and debit card data of 40 million customers and personal information of about 70 million were said to be affected by the breach. The stock experienced a 10% drop in price in the aftermath of the security breach, but by the end of February, Target had experienced the highest percentage stock price regain in five years.
Three years after the 2011 hack that compromised payment data of millions of Sony gaming users, Sony had to deal with a massive data breach targeting its pictures industry. The personal data of producers, actors, and current and former employees dating back to 2000 was compromised.