Security Breaches Don't Affect Stock Price, Study Suggests

Computer security professional Bruce Schneier highlights the key findings of a study that suggests security breaches don't affect stock price. The study has been published in the Journal of Information Privacy and Security. From the report: -While the difference in stock price between the sampled breached companies and their peers was negative (1.13%) in the first 3 days following announcement of a breach, by the 14th day the return difference had rebounded to + 0.05%, and on average remained positive through the period assessed.

-For the differences in the breached companies' betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

-For the differences in the breached companies' beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60 day correlation 8 months pre- breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

-In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R2 greater than 16.15% for response variables of 3, 14, 60, and 90 day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.

-Based on returns, the most impacted industries at the 3 day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90 day post-breach date, the three most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.

Why would it?

There's no serious penalties in the US for allowing them, so why would the stock price change?

Re:Why would it?

[Immerman]

Exactly what I came to say. Stock price (should) reflect the value of the company - the only way a breach affects the value is if it
(A) causes the company to incur major financial penalties, or
(B) causes the company to lose a lot of business

At present, neither is the case in the US, though in a better world both would be.

Re:Why would it?

[Lunix+Nutcase]

Also they likely made many times more in profit what the data breach cost so why care?

Re:Why would it?

[omnichad]

And you expect B - it's apparently not happening.

Re:Why would it?

[Immerman]

I see no reason to expect any such thing. What's the alternative? Doing all your business in cash and in person? It's not like there's a whole lot of businesses making a point of seriously protecting (much less not collecting) customer information - and in fact the few niche ones that *do* make those claims seem to as often as not do an especially bad job of delivering.

Re:Why would it?

[omnichad]

What's the alternative? Doing all your business in cash and in person?

The alternative is to buy from a competitor that hasn't had such a major breach in recent history. Sure, their security practices may not actually be that good and it's luck more than anything - but it at least puts incentivizing good practices on the table in the first place.

No Responsibility

[mentil]

That means executives responsible for IT budget aren't financially impacted by their security budgeting decisions. One could make their bonuses affected by security breaches, but then that might just lead to cover-ups of breaches rather than disclosure, particularly if the disclosure laws don't pierce the corporate veil.
I'd like to see how effect on stock price correlates to effect on profitability, particularly years down the road when the associated breach lawsuits play out.

Did PRISM?

[AHuxley]

What did the PRISM (surveillance program) https://en.wikipedia.org/wiki/... result in?
The buddy system to ensure contractors stayed loyal and domestic collect it all kept working?
The brands that failed to understand who was in their own internal networks?
Who else followed the security services into the big brand networks?
Did other random nations, groups get the encryption keys like the gov did? Plain text for everyone.

stupid study

[sxpert]

this study is already obsolete, it doesn't take GDPR into account, which will increase the level of fun and popcorn eating

no big surprise

Should we be surprised since profitability doesn't seem to affect stock prices either. A billion dollar company with almost no resources that doesn't make any money is absurd but people buy.

Of course it doesn't.

[Rick+Schumann]

All the people who control the majority of the wealth have it all safely tucked away in offshore accounts that nobody is going to hack into (if not for reasons of technical insufficiency, then for reasons of knowing damned well they'll be found dead within 24 hours if they even try), and they don't give a damn about all of us peasants, the government, or anything else, so of course why should they care?

Re:Why should it?

[AHuxley]

They pretend to be secure, we pretend to shop with them.

Actually it is because no one knows...

[cjmnews]

There is too much "news" to pay attention to every detail, so people tend to focus on the news that might be of interest to them. So, a technical weakness that was exploited doesn't really make it into the financial news of people that own the stock. Or if it does, the information is so watered down that there is no sense of the impending impact of the breach.

Really, only those of us that pay attention to computer security news are the ones that know about the breaches and the severity of them. How many of us own enough stock that when we move it, the price gets affected? Probably none of us. Try a poll with your neighbors and non-work friends and ask if they have heard of the latest breach. My findings is none of them, not even non-security software engineers have heard of the problem.

If security was valued, which it is obviously is not, then breaches would have an impact on stock price.