Security Breaches Don't Affect Stock Price, Study Suggests

Computer security professional Bruce Schneier highlights the key findings of a study that suggests security breaches don't affect stock price. The study has been published in the Journal of Information Privacy and Security. From the report: -While the difference in stock price between the sampled breached companies and their peers was negative (1.13%) in the first 3 days following announcement of a breach, by the 14th day the return difference had rebounded to + 0.05%, and on average remained positive through the period assessed.

-For the differences in the breached companies' betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

-For the differences in the breached companies' beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60 day correlation 8 months pre- breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

-In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R2 greater than 16.15% for response variables of 3, 14, 60, and 90 day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.

-Based on returns, the most impacted industries at the 3 day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90 day post-breach date, the three most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.

No Responsibility

[mentil]

That means executives responsible for IT budget aren't financially impacted by their security budgeting decisions. One could make their bonuses affected by security breaches, but then that might just lead to cover-ups of breaches rather than disclosure, particularly if the disclosure laws don't pierce the corporate veil.
I'd like to see how effect on stock price correlates to effect on profitability, particularly years down the road when the associated breach lawsuits play out.

Of course it doesn't.

[Rick+Schumann]

All the people who control the majority of the wealth have it all safely tucked away in offshore accounts that nobody is going to hack into (if not for reasons of technical insufficiency, then for reasons of knowing damned well they'll be found dead within 24 hours if they even try), and they don't give a damn about all of us peasants, the government, or anything else, so of course why should they care?

Re:Why would it?

[Immerman]

Exactly what I came to say. Stock price (should) reflect the value of the company - the only way a breach affects the value is if it
(A) causes the company to incur major financial penalties, or
(B) causes the company to lose a lot of business

At present, neither is the case in the US, though in a better world both would be.