When news of a data breach breaks at a major organization, the aftermath can be chaotic.
Executives will offer their apologies and the promise of free credit monitoring to those impacted; staff may be issued their marching orders; cybersecurity teams need to be pulled in and systems repaired, law enforcement must be notified, and questions posed potentially by both regulators and consumers must be answered.
It is often the case that lawsuits will also be filed. These may come from regulators such as the US Federal Trade Commission (FTC) or they may be class-action complaints brought forward on behalf of impacted consumers.
Marriot was sued hours after disclosing a data breach in a class-action lawsuit seeking $12.5 billion. A seven-year class-action complaint was recently settled concerning Zappos, in which lawyers claimed $1.6 million — and impacted customers were promised 10 percent discounts.
IBM research suggests that the average cost of a data breach to the enterprise is up to $3.29 million, which has risen by 12 percent over the past five years.
Penalties, compensation claims, the cost of cyberforensics and system overhauls all contribute. However, businesses can also experience a swift and brutal shock caused by the impact of a data breach on their share price.
A drop in stock value can indicate broken investor trust and be caused by cybersecurity incidents, especially when they reveal a lack of adequate care or security practices.
On Wednesday, Comparitech published the results of an updated study into how Wall Street can react to an enterprise company that suffers a data breach.
The organization compared the closing prices of 28 companies listed on the New York Stock Exchange (NYSE) starting the day prior to disclosing a data breach, and what happened afterward.
Many of the enterprise players included in the study involved breaches of at least one million records, and some were breached more than once. In total, 33 separate security incidents were analyzed.
According to the team, the average share price of a company disclosing a data breach falls by 7.27 percent, but the full impact may not be felt until 14 market days or more have passed. The NASDAQ underperforms by roughly -4.18 percent.
Breached companies continue to underperform 12 months after disclosure. While share prices grew by 8.38 percent on average, they would underperform on the NASDAQ by -6.49 percent. Two years later, the stock price rises by approximately 12.78 percent, but underperforming continues by -13.27 percent.
After three years, share prices are up by 32.53 percent, but organizations underperform on the NASDAQ by -13.27 percent.
Share prices, therefore, may rebound in the short-term, but the financial health of an organization still suffers.
Comparitech notes that the sample size may bias the results, as there are not many enterprise companies that fit the criteria which have been breached at the right time to provide three years’ worth of data.
In addition, the firm has raised the point of “breach fatigue.” The market seemed to react more negatively to older data breaches, and this may be as time goes on, we now have unfortunately become accustomed to their frequency enough that investors do not react so strongly against them.
Either way, the value of an enterprise organization is no longer purely based on its size, investments, portfolio, or services. Cybersecurity postures, too, have become an important factor when it comes to the financial health — both present and future — of modern-day businesses.