How do data breaches affect organizations’ stock prices?

When we talk about the damage that data breaches cause, we often refer to falling stock prices. This seems pretty logical – data breaches have a negative effect on an organization, so its stock prices will go down.

Countless real-life breaches have proven this to be true. However, very little is known about just how responsible they are for subsequent stock price drops. An organization’s value is constantly fluctuating, and is affected by countless factors, so it’s impossible to give an exact figure when analyzing the financial effects of a breach.

But no matter how much an organization’s stock prices drop, the more important issue is how quickly it can recover its value. You’d imagine that a company that reacts to a data breach promptly and responsibly will suffer a brief hit and then bounce back, whereas a poorly managed response will lead to permanent damage. But this isn’t always the case. Eric Pinkerton, regional director for Sydney-based information security consultancy Hivint, recently investigated the relationship between stock prices and data breaches, and his findings might not be what you expect.

Short-term damage

Pinkerton examined some of the most egregious and well-publicized recent breaches, concluding that most will only cause stock prices to fall for a short period of time, while the real damage occurs in the boardroom.

Senior cybersecurity staff often lose their jobs after a data breach, as organizations clean house and announce a philosophical change in security outlook. This often involves offering customers complimentary security tools and investing heavily in new defenses.

Pinkerton cites the 2015 hack of Ashley Madison as an example. Millions of users’ names, email addresses, and other personal details were exposed, causing a furor. It led to Noel Biderman, the CEO of Ashley Madison’s parent company, Avid Life Media, stepping down, and the organization settling a class-action lawsuit for $11.2 million. But two years later, the site is reportedly adding 15,000 users per day and “is now doing far better than it ever was.”

Similarly, Uber has continued to thrive even after it was revealed that it has paid criminal hackers $100,000 to delete personal data belonging to its customers and drivers. Uber filed the payment as a ‘bug bounty’, and ignored its legal requirement to disclose the breach, only admitting its error when Bloomberg revealed the cover-up.

Other than the data subjects, the only real victim of the breach was Uber’s chief security officer, Joe Sullivan, who was fired.

More harm than good

For those in charge of cybersecurity, the prospect of losing your job – and damaging your own reputation – should be enough of an incentive to make sure your organization is doing its utmost to avoid data breaches. But what Pinkerton’s analysis omits is that, for smaller organizations, recovery isn’t as simple as firing staff and committing to better cybersecurity practices. Most won’t have the wherewithal to survive the initial financial damage caused by a data breach, and firing staff will probably do more harm than good. There’s a good chance the employee wasn’t responsible for the incident, and firing them means you need to go through the recovery process without their knowledge or experience.

That, along with the introduction of the EU General Data Protection Regulation (GDPR) and the potential for strict disciplinary action, makes it all the more important to do everything in your organization’s power to prevent data breaches.

Staff awareness training

One of the simplest and most effective ways to improve your organization’s cybersecurity posture is to invest in staff awareness. Staff are directly or indirectly responsible for the majority of data breaches, whether it’s because they’re falling for phishing scams, ignoring cybersecurity policies, or maliciously misappropriating information.

Enrolling your employees on a training course, such as our Information Security Staff Awareness E-learning Course, can ensure that they are aware of their responsibilities when handling sensitive information.

Our online courses are delivered in simple language, breaking down complex topics such as phishing and information security best practices into easy-to-understand sections.

Take a look at our training courses >>