Recent high-profile data breaches like those at Target and Home Depot have exposed the private sensitive information of millions of employees and consumers. While consumers are rightfully worried that their personal information may be compromised, shareholders and companies’ management have a wider set of concerns, including loss of intellectual property, operational disruption, decreased customer trust, tarnished brand, and loss of investor commitment. Companies are spending millions in litigation costs, efforts to restore brand loyalty, and refunds.
However, even the most significant recent breaches had very little impact on the company’s stock price. Industry analysts have inferred that shareholders are numb to news of data breaches. A widely accepted notion goes that there are only two types of companies: those that have been breached and those that don’t know they have. It is true that breaches are expected and have become a regular cost of doing business, but there are deeper reasons for the market’s failure to respond to these incidents.
Today, shareholders have neither enough information about security incidents nor sufficient tools to measure their impact. As every company is becoming a digital company, every leader (who is also becoming a digital leader) is realizing that breaches may negatively affect profitability and the company’s long-term ability to do business. The long and mid-term effects of lost intellectual property, disclosure of sensitive data, and loss of customer confidence may result in loss of market share, but these effects are difficult to quantify. Therefore, shareholders only react to breach news when it has a direct impact on business operations, such as litigation charges (for example, in the case of Target), or results in immediate changes to a company’s expected profitability.
Delays in disclosing information security incidents often contribute to shareholders’ hesitation and uncertainty with regard to how to factor in the effects of the breaches. For instance, current SEC regulation leaves leeway for public companies as to when to disclose cyber incidents: “To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary”.
Overall, stock prices during and after the high-profile data breaches of the past several years have either decreased slightly or quickly recovered following the breach. Let’s look in some more detail at a few cases.
Home Depot’s hack compromised 65 million customer credit and debit card accounts. Breach-related costs are estimated to be around $62 million. The company’s stock price decreased slightly one week after the announcement. In the third quarter of 2014, Home Depot showed a 21% increase in earnings per share.
During the 2013 holiday shopping season, Target was the target of what was then the biggest cyber attack on a retailer. Credit and debit card data of 40 million customers and personal information of about 70 million were said to be affected by the breach. The stock experienced a 10% drop in price in the aftermath of the security breach, but by the end of February, Target had experienced the highest percentage stock price regain in five years.
Three years after the 2011 hack that compromised payment data of millions of Sony gaming users, Sony had to deal with a massive data breach targeting its pictures business. The personal data of producers, actors, and current and former employees dating back to 2000 was compromised. Attackers collected over a terabyte of data and the records of 47,000 employees. The stock price kept growing following the announcement and decreased slightly three weeks after the breach. By now, it has long surpassed its one-year maximum.
Sears announced in October 2014 that one of its companies, Kmart, was the target of a data security breach and that credit/debit cards and personal information were compromised by hackers. The company did not reveal how many cards were affected. In the midst of the announcement, stock prices increased. The Sears stock price steadily rose during the month after the announcement. The company later announced a loss in sales, but this has been tied more to a pattern of low profits in the last few years since the company’s merger with Kmart than to the October data breach.
At the beginning of October 2014, the largest U.S. bank in assets, JP Morgan Chase, announced that in August, hackers had accessed its security system and that approximately seven million small businesses and 76 million households had been affected by a data breach. The company disclosed that the compromised data included contact information such as names, addresses, telephone numbers, and email addresses, but account numbers, passwords, dates of birth, and social security numbers were protected. While no unlawful transactions were made in the aftermath of the data breach, JP Morgan Chase warned its customers of potential phishing attacks. Stock prices for JP Morgan Chase were stable following the announcement and then rose by the beginning of November.
While companies’ stock prices were largely not affected, security breaches had other consequences. Target, for example, pledged to spend $100 million upgrading its security. The company lost a total of about $236 million in breach-related costs, $90 million of which were offset by insurance. A judge recently ruled that Target will have to defend itself against accusations of negligence by banks, credit unions and consumers when it came to preventing the 2013 security breach. The stock price declined 0.3% after the judge stated Target would have to face civil suits. Several banks are suing the company claiming that its negligence cost them tens of millions. At Sony the aftermath of the revelation of sensitive employee information included a management shake-up and box office losses. And while customers and shareholders might forgive the first wave of data breaches and might be too apathetic to change brands or loyalty to their stores, they might be less tolerant of future attacks.
This mismatch between the stock price and the medium and long-term impact on companies’ profitability should be addressed through better data. Shareholders still don’t have good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value. In most cases, at the time a security breach is disclosed, it is almost impossible for shareholders to assess its full implications. Shareholders should look beyond short-term effects and examine the impact on other factors, such as overall security plans, profitability, cash flow, cost of capital, legal fees associated with the breach, and potential changes in management.
Now that major security breaches have become an inevitability in doing business, companies should put strong data security systems in place, just as they protect against other types of business and operational risks. However, companies whose assets are primarily non-digital have less incentive to invest in prevention if they know their stock price will survive — and that takes a toll on the overall economy and consumer privacy.