Much has been made of the fallout that companies face after a data breach. But for public companies, shaken investor confidence adds a whole new dimension to recovery concerns.
A recent study from Comparitech shows that share prices for large breached companies will hit a low point approximately 14 market days after an incident becomes public. Share prices fall 7.27 percent on average to reach that low, and they underperform the NASDAQ by -4.18 percent.
Further, the firm found that finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected. And unsurprisingly, breaches that exposed credit-card and Social Security numbers saw larger drops in share price on average than companies that leaked less-sensitive data.
The study analyzed stock performance for 28 very large companies listed on the New York Stock Exchange that have 33 well-known data breaches between them: Apple, Adobe, Anthem, Capital One, Community Health Systems, Dun & Bradstreet, Facebook, First American Financial, eBay, Equifax, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Marriott International, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone and Yahoo. All of them resulted in at least 1 million records leaked, and some (Capital One, Equifax, Target, Yahoo) are among the largest breaches in American history.
In analyzing their closing share prices prior to and after the data breach incidents, Comparitech found that after about a month, share prices actually tended to rebound and catch up to NASDAQ performance on average. However, in the longer term, breached companies went on to underperform the market. This effect perhaps stems from more details on the incidents coming to light, from ongoing media attention or from the impact of fines, according to researchers.
“Breaches are becoming more frequent as more data comes online, and as organizations find new and expansive ways to capture personal information across a wide variety of platforms,” said Emily Wilson, vice president of research at data protection service provider Terbium Labs, speaking to Threatpost. “Data breaches also make the news more often, so they seem more frequent. The rise in security reporting that follows the increase in the data economy means more journalists are paying attention, and more security researchers are uncovering serious issues in the way major organizations store sensitive data.”
Whatever the reason, after one year, share price at the companies investigated grew 8.38 percent on average (over time, the market overall increases in value on average). However, to put things in context, they underperformed the NASDAQ by -6.49 percent, meaning that the share gains were lagging behind those of their fellow listed companies. After two years, average share price rose 12.78 percent, but underperformed the NASDAQ by -12.88 percent. And after three years, average share price was up by 32.53 percent but down against the NASDAQ by -13.27 percent.
Social Media Bounces Back
Digging into the numbers on a segment-by-segment basis, the most interesting data point is the Teflon nature of stock performance at social media and e-commerce companies. BetFair, Dun & Bradstreet, eBay, Facebook, LinkedIn, Monster and Yahoo weren’t performing well on average prior to their data breaches (underindexing vs. the NASDAQ by -6.1 percent). But the average post-breach share price low was -5.13% vs. the NASDAQ on day 9; and, in the six months following, this group actually managed to outperform the NASDAQ by more than 10%.
As mentioned, the finance and payments companies in the data set – Capital One, Countrywide, Equifax, First American Financial, Global Payments, Heartland Payment Systems and JP Morgan Chase – suffered the largest initial downturn following breaches on average, plummeting more than 17 percent against the NASDAQ after 16 market days. After six months, however, they rebounded a bit, underperforming the NASDAQ by just -2 percent.
The technology companies that Comparitech looked at – Adobe, Apple, Sony, T-Mobile, Vodafone and Vtech – had the worst long-term effects on share price. This group saw a more gradual drain on stock performance after an incident, bottoming out at -5.3% vs. the NASDAQ 40 market days after; and they went on to underperform the NASDAQ by -4.48 percent six months after their incidents.
A Grain of Salt and a Look at Healthcare
As the social-media company results show, handicapping the average impact on organizations from a breach is not an exact science, with individual variables having much to do with the magnitude of the fallout to a specific segment or company. In some cases, specific metrics are much more concerning than hits to brand reputation and investor confidence.
For instance, a recent study cross-referenced Department of Health and Human Services’ (HHS) public database on hospital data breaches and Medicare Compare’s public data on hospital quality measures for 2012-2016. It found that breach remediation efforts were associated with the deterioration in timeliness of care and patient outcomes.
The time from a patient walking in the door to having an electrocardiogram increased as much as 2.7 minutes during the three-year window following a breach. And the 30-day acute myocardial infarction mortality increased as much as 0.36 percentage points in that time frame. The study attributed this to the fact that “remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, said via email: “We tend to associate attacks on critical infrastructure to human lives being at stake. This report brings a stark realization to the forefront – attacks on services organizations (be it a hospital, first responders or city governments) related to elderly and special needs people also do cause irreparable harm.”
Healthcare companies are among the top targets for cybercriminals thanks to the sheer amount of legacy technology floating around hospital environments and a lack of IT resources. In fact, InterMed, a large health provider in southern Maine, this week said that personal health information (PHI) for thousands of its patients may have been exposed thanks to attackers gaining access to four of its employees’ email accounts in September.
The messages and attachments contained in the mailboxes included information of roughly 30,000 patients, including names, dates of birth, health insurance information and clinical information.
As data-breach incidents continue to multiply, companies – especially large companies and those processing highly sensitive or regulated data – can find ways to mitigate their impact, experts say.
“Regulators should mandate that every enterprise processing or storing sensitive data be required to buy cyber insurance,” Jack Kudale, founder and CEO of Cowbell Cyber, told Threatpost. “The analogy is straightforward: we are all required to buy auto insurance to drive cars because of the potential danger to harm others. This is no different for businesses that process medical data, credit-card information or other data. They could generate damage for consumers and this should be covered by cyber-insurance.”