- After the Home Depot hack that compromised 65 million customer credit and debit card accounts, stock prices showed a 21% increase in earnings per share in the third quarter of 2014.
- After 40 million customers had their card data stolen and 70 million had their personal information compromised in Target’s cyber attack in December 2013, Target experienced the highest percentage stock price regain in five years.
- Although Sears announced in October 2014 that Kmart, which Sears bought in 2005, suffered a data breach, stock prices steadily rose after the announcement.
- Following the JPMorgan Chase data breach, which affected 76 million households and seven million small businesses, stock prices remained stable.
After a data breach, consumers are rightfully worried about what is happening with their personal information, but for the companies’ management and shareholders, they have a wider set of concerns including loss of intellectual property, operational disruption, decreased customer trust, tarnished brand, and loss of investor commitment.
Harvard Business Review sheds light on why data breaches don’t seem to have affected stock prices:
Data breaches becoming the norm
There are two types of organizations – those that have been breached and those that don’t know they have. Industry analysts have inferred that shareholders are numb to news of data breaches. According to Harvard Business Review, “breaches are expected and have become a regular cost of doing business.”
Shareholders unaware of security incidents
Any IT professional could tell you that data breaches will negatively affect your profitability and the company’s ability to do business in the long-term, but shareholders only react to breach news when it has a direct impact on business operations (short-term). The long- and mid-term effects of lost intellectual property, disclosure of sensitive data, and loss of customer confidence may result in loss of market share, but these effects are difficult to quantify and do not concern shareholders.
Shareholders still don’t have good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and to translate that into a dollar value. When a data breach is disclosed it is almost impossible for shareholders to assess its full implications, which is why they often focus on the short-term effects.
Delays in disclosure
Companies can take several days, weeks, or even months to disclose an information security incident, which often results in a shareholder’s hesitation and uncertainty as to how to factor the effects of the breaches.
Increased brand awareness
“There’s no such thing as bad publicity”
With such big brands, suffering such big data breaches, affecting such large numbers of customers, this makes really hot news. You can’t search for ‘Target’ or ‘Anthem’ in Google without getting a news story on a million-dollar lawsuit against them. The significant media coverage around these brands will have no doubt boosted their brand awareness, whether good or bad.
It’s not all sunshine and roses for companies that have suffered a data breach – not by a long shot. Their stock prices may be stable, but the million-dollar class-action lawsuits against them and the hundreds of million dollar breach-related costs are very real and very heavy prices to pay for lax security. And while customers and shareholders might forgive the first wave of data breaches, and might be too apathetic to change brands or loyalty to their stores, they might be less tolerant of future attacks.
Information Security Breaches – Avoidance and Treatment based on ISO27001 is a handy pocket guide that uses real-life information security incidents to explain how to reduce the risks of information security breaches and, crucially, what to do when they occur.