Study finds evidence of ‘breach fatigue’ as more recent data breaches have less of an impact on stock performance
A data breach can have immediate and long-term implications for a company in terms of consumer trust and regulatory repercussions, but what does it mean for the company’s stock? An analysis by Comparitech.com found that cyber incidents have a relatively subdued impact on publicly traded companies’ stock.
Immediately following a data breach, stocks fell by an average 0.43%, about equal to their average daily volatility, the report found. Stocks continued to rise after disclosure of a breach, but at a much slower pace, according to the report.
In the three years prior to being hacked, share prices increased by an average 45.6%, the report found, but after an attack, average growth slowed to less than 15% in the following three years.
A comparison to the Nasdaq shows that breached companies tend to underperform the index by more than 40% after three years, despite initially recovering to the index level an average 38 days after the breach is disclosed.
The report examined stock performance of 24 companies hit by a data breach that resulted in at least 1 million customer records being lost or exposed. All the companies in the report were publicly listed on the New York, London or Hong Kong stock exchanges at the time they were hit. The resulting list includes companies from multiple sectors: Apple, Adobe, Anthem, BetFair, Countrywide, Community Health Systems, Dun & Bradstreet, Ebay, Experian, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JPMorgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Vodafone, VTech and Yahoo.
Not surprisingly, the more time that passes after a data breach, the less of an impact it appears to have on a stock’s performance, the report found. What is interesting, though, is that more recent hacks were not as much of a drag on companies than those that happened prior to 2011.
“Prior to 2010, a data breach was a relatively new concept and it scared people; the idea that company had your information stored somewhere and a hacker could access it,” Paul Bischoff, researcher and privacy advocate for Comparitech.com, and author of the report, told ThinkAdvisor. “It seems like pretty simple stuff now … , but back then it was still something that could scare investors off as well as scare customers off.”
He called public data breaches a “bed of nails effect, where one breach among many doesn’t have as much of an impact.”
While the study did measure some difference in data sensitivity, where breaches that affected credit card or Social Security number resulted in a deeper initial drop, even those companies recovered by an average 23 days later, with no significant impact on long-term growth. Companies that had less sensitive information compromised, such as passwords or email addresses and phone numbers, recorded no initial drop.
“There was no clear trend in the long term about whether data sensitivity has a greater or lesser impact” on those companies’ stock performance, Bischoff said.
What does this mean for clients the next time one of the companies they invest in announces a data breach?
“There’s no reason to panic,” Bischoff said. “You don’t need to dump your stocks the next day. It’s just going to mean that the stock is going to rise at a slower pace.”
However, he also pointed out that the dips in company stocks following a breach aren’t sufficient for opportunistic investors trying to get in at a low point.
“It only goes down on average about half a percent for these big companies,” he said. “They do recover about 38 days later, but because they don’t go down that much, the recovery isn’t really an opportunity to buy a stock shortly after [a company] is breached.”