
Data Breaches Have Long-Term Impact on Stock Price

Stock prices typically drop after a breach is disclosed, but they tend to bounce back within a few weeks, suggesting that investors don’t punish companies for security mistakes. Analysis by UK-based Comparitech found that breaches can impact the company's stock performance, but the effect is muted.

Even though the stock price went back up after the initial breach disclosure, the prices weren’t as high as they would have been if the breach hadn’t happened. Three years after the data breach was disclosed, the stock price for the companies on average had risen 28.71 percent, but was down 15.58 percent compared to the NASDAQ index, which Comparitech used as a proxy for the wider market.

“In the longer term, share prices continue to grow, but not fast enough to keep up with the NASDAQ,” said Comparitech analyst Paul Bischoff.

The analysis focused on the closing share prices on the New York Stock Exchange for 24 companies that reported a data breach with at least a million records lost: Apple, Adobe, Anthem, Community Health Systems, Dun & Bradstreet, eBay, Equifax, Experian, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JPMorgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone, and Yahoo. NASDAQ was the performance benchmark to balance out normal market activity. If the company’s stock fell 1 percent and NASDAQ rose 2 percent over that period, then the company was down 3 percent compared to NASDAQ in this analysis.


Stock prices fluctuate in the weeks and months after news of the data breach becomes public, but the sharpest drop on average was 14 market days after disclosure. The actual stock price goes back up, by 8.53 percent on average a year after disclosure, but these stocks were down 3.7 percent on average compared to the NASDAQ. At the two-year mark, stock performance was down 11.35 percent compared to NASDAQ despite the fact that the stock price was up 17.78 percent on average.

It's as if investors were a little spooked by the breach and still hadn't recovered all the way.

Comparitech noted that there wasn't enough data to develop a model on how companies settling class-action lawsuits impacted stock price. Companies can also take months to reveal details about the breach, including specifics on what information was exposed, how many victims were affected, the cost of remediation, and sales losses. The delay in releasing information means the impact on the stock price gets spread out, making it difficult to determine whether these later announcements affect stock performance. The impact of data breaches also diminishes over time, so investors won't be thinking as much about the breach four or five years after the fact.

“[W]e assume a data breach will have the greatest effect on share price immediately following the incident, and that effect will diminish over time,” said Bischoff.


Comparitech analysis found that stock prices for financial services companies (top) and technology companies (bottom) underperformed against the NASDAQ after high-profile data breaches. (Source: Comparitech; https://www.comparitech.com/blog/information-security/data-breach-share-price-2018/)

Unexpectedly, stocks performed well in the short term. While stocks were down by 4.6 percent on average compared to NASDAQ 14 days after the breach announcement, that drop was already smaller by the one-month mark, just 1.76 percent lower than NASDAQ. The differences are gone by the sixth month, as the stock performed 0.09 percent better than NASDAQ. The analyzed companies on average had better performance in the six-month period after the breach, up 7.02 percent compared to the NASDAQ index, than in the six months prior to the announcement, at 3.64 percent. This was the case for companies affected in 2011 or earlier, such as TJ Maxx and Countrywide, as well as for companies breached since 2015, such as Anthem, Experian, Equifax, Under Armour, and Yahoo.

Investors appear to be regaining confidence sooner, as well. Companies that were affected in 2011 or earlier saw their sharpest drop on the 14th day, down 11.91 percent compared to NASDAQ, but those that suffered breaches after 2015 hit the bottom on the ninth market day. In contrast, companies affected between 2012 and 2014, such as Target, Home Depot, Adobe, and Community Health Systems, never experienced a sharp price drop even though they experienced high-profile data breaches.


The fact that older breaches, especially those before 2012, had a stronger initial reaction on the company stock price than newer breaches may have something to do with breach fatigue. It appears investors no longer get as nervous after a breach because the frequency of breaches has created the impression that everything is just business as usual.

It would be a mistake to downplay the impact of a data breach because the stock price doesn't seem to be affected in the short term. There are costs associated with investigation, remediation, regulatory fines, and breach notification, as well as disruptions to the day-to-day operations. The fact that stocks are underperforming even two and three years after the breach reinforces the message that companies can't get complacent.

Also unexpectedly, bigger breaches don’t mean bigger drops in share price or worse financial performance. Companies with breaches where 100 million or more records were lost (eBay, Equifax, Heartland, LinkedIn, Under Armour, and Yahoo) had stock prices up 13.18 percent on average compared to NASDAQ six months after disclosure. In contrast, companies with breaches of 99 million or fewer records were still underperforming against NASDAQ six months later. The biggest impact was felt by companies that lost between one and ten million records, Comparitech found.

“Companies that suffered bigger breaches were able to shake it off and ultimately outperform the market, whereas companies with smaller breaches lagged behind six months on,” Bischoff said.

Industry also affected stock performance post-breach. Payment companies and financial services companies in the analysis had the sharpest drops, with a 17.42 percent drop on the 16th market day compared to retailers and healthcare organizations, who, despite the large number of records lost, didn’t have that initial reaction drop. E-commerce and social media companies over-performed NASDAQ by over 10 percent six months after the breach.

“Stock prices suffer following a breach, but perhaps not as much as one might assume,” Bischoff said.

Header photo by Markus Spiske on Unsplash