Slashdot Mirror


Security Breaches Don't Affect Stock Price, Study Suggests (schneier.com)

Computer security professional Bruce Schneier highlights the key findings of a study that suggests security breaches don't affect stock price. The study has been published in the Journal of Information Privacy and Security. From the report:

-While the difference in stock price between the sampled breached companies and their peers was negative (1.13%) in the first 3 days following announcement of a breach, by the 14th day the return difference had rebounded to +0.05%, and on average remained positive through the period assessed.

-For the differences in the breached companies' betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

-For the differences in the breached companies' beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60 day correlation 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

-In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R² greater than 16.15% for response variables of 3, 14, 60, and 90 day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.

-Based on returns, the most impacted industries at the 3 day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90 day post-breach date, the three most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.

28 comments

  1. BREACH! by Anonymous Coward · · Score: 0

    Imprecise name is why. It's a fucking looting.

    1. Re:BREACH! by Anonymous Coward · · Score: 0

      Nothing of value is lost. Looting it ain't. Copying, maybe, but simple electrons. No law against copying electrons, not even in USA. Yet.

    2. Re:BREACH! by Anonymous Coward · · Score: 0

      Actually there are laws against breaking into computer systems and “copying the electrons.” Or have you not heard about the CFAA which has been used repeatedly to prosecute people “copying electrons.” Lay off the bong, brah.

  2. Why would it? by Anonymous Coward · · Score: 1

    There's no serious penalties in the US for allowing them, so why would the stock price change?

    1. Re:Why would it? by Immerman · · Score: 3, Interesting

      Exactly what I came to say. Stock price (should) reflect the value of the company - the only way a breach affects the value is if it
      (A) causes the company to incur major financial penalties, or
      (B) causes the company to lose a lot of business

      At present, neither is the case in the US, though in a better world both would be.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    2. Re:Why would it? by Lunix+Nutcase · · Score: 1

      Also they likely made many times more in profit than what the data breach cost so why care?

    3. Re:Why would it? by Anonymous Coward · · Score: 0

      This is not even (should), it is not. From a (should) you cannot conclude anything. And from a not even a (should) do not even try.

      > Stock price (should) reflect the value of the company

    4. Re:Why would it? by Anonymous Coward · · Score: 0

      > Also they likely made many times more in profit than what the data breach cost so why care?

      You're of course correct. We get the government/corporation/schools/etc we deserve.

      1. Run better people for office, and insist on better laws, such as requiring transparency first of all for every edit to every law via distributed source control with the lawmaker responsible for particular edit linked to the edit. Link that against a database of significant contributions.

      2. Don't buy from super mega corporations. This costs money and is easier said than done. Perhaps don't buy from the worst one? (Which is that these days?)

      3. Teach your kids yourself, including critical thinking skills. Do it early before it is too late. Teach them to value things like privacy. Don't put so much crap on facebook and such.

    5. Re:Why would it? by omnichad · · Score: 1

      And you expect B - it's apparently not happening.

    6. Re:Why would it? by Immerman · · Score: 1

      I see no reason to expect any such thing. What's the alternative? Doing all your business in cash and in person? It's not like there's a whole lot of businesses making a point of seriously protecting (much less not collecting) customer information - and in fact the few niche ones that *do* make those claims seem to as often as not do an especially bad job of delivering.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    7. Re:Why would it? by omnichad · · Score: 1

      > What's the alternative? Doing all your business in cash and in person?

      The alternative is to buy from a competitor that hasn't had such a major breach in recent history. Sure, their security practices may not actually be that good and it's luck more than anything - but it at least puts incentivizing good practices on the table in the first place.

  3. Nobody cares about breaches by Anonymous Coward · · Score: 0

    People are used to getting bent over and buttfucked by private businesses and public offices alike. It's hard to get worked up about somebody not being careful with your data and being the victim of a criminal stealing it. We're used to going to the DMV for chrissakes. Companies that get breached are way better.

  4. No Responsibility by mentil · · Score: 4, Interesting

    That means executives responsible for IT budget aren't financially impacted by their security budgeting decisions. One could make their bonuses affected by security breaches, but then that might just lead to cover-ups of breaches rather than disclosure, particularly if the disclosure laws don't pierce the corporate veil.
    I'd like to see how effect on stock price correlates to effect on profitability, particularly years down the road when the associated breach lawsuits play out.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:No Responsibility by Anonymous Coward · · Score: 0

      Realistically, what can a company do? The hackers will get in anyway, be it an AD brute force, or through some 0 day. It isn't the fault that OS makers and software makers make such shitty products that there is nothing that can be done. Companies are doing their best, but when you have a Roman shield while your enemies have handheld GAU-8s, there isn't much you can do, regardless of funding.

      Plus, let's be real here: Security has no ROI. It is far easier to toss people a year's sub to LifeLock than it is to waste money on precautions which never can work anyway.

  5. Did PRISM? by AHuxley · · Score: 1

    What did the PRISM (surveillance program) https://en.wikipedia.org/wiki/... result in?
    The buddy system to ensure contractors stayed loyal and domestic collect it all kept working?
    The brands that failed to understand who was in their own internal networks?
    Who else followed the security services into the big brand networks?
    Did other random nations, groups get the encryption keys like the gov did? Plain text for everyone.

    --
    Domestic spying is now "Benign Information Gathering"
  6. stupid study by sxpert · · Score: 1

    this study is already obsolete, it doesn't take GDPR into account, which will increase the level of fun and popcorn eating

    1. Re:stupid study by Anonymous Coward · · Score: 0

      The only thing the GDPR will be used for is to rake non-European over the coals with jingoistic, protectionistic trade practices, while European companies get free rein to do whatever they please. Just like in years past, where Google and Microsoft were dragged for kangaroo court action, while nothing is done to clean their own house.

  7. no big surprise by Anonymous Coward · · Score: 1

    Should we be surprised since profitability doesn't seem to affect stock prices either? A billion dollar company with almost no resources that doesn't make any money is absurd but people buy.

  8. Of course it doesn't. by Rick+Schumann · · Score: 2

    All the people who control the majority of the wealth have it all safely tucked away in offshore accounts that nobody is going to hack into (if not for reasons of technical insufficiency, then for reasons of knowing damned well they'll be found dead within 24 hours if they even try), and they don't give a damn about all of us peasants, the government, or anything else, so of course why should they care?

  9. Why should it? by Anonymous Coward · · Score: 0

    Please explain why it should?

    There's zero consequences for these corporations and they operate as business as usual even after the most egregious data breaches. What's more, users don't seem to care one bit, in the slightest.

    To me, that would not seem to be something that affects a stock price, but what do I know?

    1. Re:Why should it? by AHuxley · · Score: 1

      They pretend to be secure, we pretend to shop with them.

      --
      Domestic spying is now "Benign Information Gathering"
  10. Class Action Lawsuits do! by Anonymous Coward · · Score: 0

    "We do find that, overall, all securities class action filings have a negative impact at the filing date, and there is a statistically significant decline in value before filing occurs." https://digitalcommons.law.msu.edu/cgi/viewcontent.cgi?article=1002&context=jbsl

  11. Markets are efficient. by Anonymous Coward · · Score: 0

    Since markets are efficient, companies should stop worrying and forget about keeping secrets. Post everyone's information. The stock market mandates it!

  12. stupid by Anonymous Coward · · Score: 0

    - the timeframe studied is too short, there is not enough data available to draw his conclusions

    - the study is done during the biggest bull market ever

    - I wouldn't trust a computer security researcher with my money

  13. Disagree by BabyAndTheButterfly · · Score: 0

    I think they do influence the price but only make the price higher (look at the initial reaction on AMD stock) in this ridiculous melt-up we are witnessing #BTFD

  14. It isn't a conspiracy by Anonymous Coward · · Score: 0

    It is because institutional investors don't trade frequently and they don't trade on news.

    Retail investors holding loose stocks trade on news but they don't represent a large portion of shareholders of large cap stocks.

  15. Actually it is because no one knows... by cjmnews · · Score: 1

    There is too much "news" to pay attention to every detail, so people tend to focus on the news that might be of interest to them. So, a technical weakness that was exploited doesn't really make it into the financial news of people that own the stock. Or if it does, the information is so watered down that there is no sense of the impending impact of the breach.

    Really, only those of us that pay attention to computer security news are the ones that know about the breaches and the severity of them. How many of us own enough stock that when we move it, the price gets affected? Probably none of us. Try a poll with your neighbors and non-work friends and ask if they have heard of the latest breach. My finding is none of them, not even non-security software engineers have heard of the problem.

    If security was valued, which it obviously is not, then breaches would have an impact on stock price.

    --
    You can lose something that is loose, so tighten the loose item so you don't lose it.