Security Breaches Don't Affect Stock Price

Interesting research: "Long-term market implications of data breaches, not," by Russell Lange and Eric W. Burger.

Abstract: This report assesses the impact disclosure of data breaches has on the total returns and volatility of the affected companies' stock, with a focus on the results relative to the performance of the firms' peer industries, as represented through selected indices rather than the market as a whole. Financial performance is considered over a range of dates from 3 days post-breach through 6 months post-breach, in order to provide a longer-term perspective on the impact of the breach announcement.

Key findings:

  • While the difference in stock price between the sampled breached companies and their peers was negative (1.13%) in the first 3 days following announcement of a breach, by the 14th day the return difference had rebounded to +0.05%, and on average remained positive through the period assessed.

  • For the differences in the breached companies' betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

  • For the differences in the breached companies' beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60 day correlation 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

  • In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R² greater than 16.15% for response variables of 3, 14, 60, and 90 day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.

  • Based on returns, the most impacted industries at the 3 day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90 day post-breach date, the three most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.
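The findings above rest on three quantities: the breached company's return minus its peer index's return over a post-announcement window, the company's beta against the peer index, and a rolling correlation of daily returns. As an added illustration (not code from the paper or from the post), the block below computes all three from a constructed pair of price series. The closing prices, the 3 and 14 day windows, and the use of population moments without a risk-free-rate adjustment are all assumptions made for this example.

```python
from statistics import mean, pstdev

# Constructed daily closing prices; index 0 is the close on the day the breach was
# announced. These numbers are made up for illustration, not data from the paper.
BREACHED_CLOSES = [100, 98, 97, 98, 99, 100, 101, 101, 102, 102, 103, 103, 104, 104, 105]
PEER_INDEX_CLOSES = [1000 + 2 * d for d in range(15)]  # constructed peer index, +0.2%/day


def total_return(prices, start, end):
    """Simple total return between two positions in a price series."""
    return prices[end] / prices[start] - 1.0


def return_differential(asset_prices, index_prices, day):
    """Company return from announcement day to `day`, minus the peer index's return.

    Negative means the breached company underperformed its peers over that window;
    this is the "return difference" the key findings report at 3 and 14 days.
    """
    return total_return(asset_prices, 0, day) - total_return(index_prices, 0, day)


def daily_returns(prices):
    """Day-over-day simple returns of a close series."""
    return [prices[i] / prices[i - 1] - 1.0 for i in range(1, len(prices))]


def beta(asset_returns, index_returns):
    """Beta of the asset against the index: cov(asset, index) / var(index)."""
    ma, mi = mean(asset_returns), mean(index_returns)
    cov = mean([(a - ma) * (i - mi) for a, i in zip(asset_returns, index_returns)])
    var = mean([(i - mi) ** 2 for i in index_returns])
    if var == 0:
        raise ValueError("index returns have zero variance; beta is undefined")
    return cov / var


def correlation(xs, ys):
    """Pearson correlation of two equal-length return series."""
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        raise ValueError("constant series; correlation is undefined")
    mx, my = mean(xs), mean(ys)
    cov = mean([(x - mx) * (y - my) for x, y in zip(xs, ys)])
    return cov / (sx * sy)


def rolling_correlation(asset_returns, index_returns, window):
    """Correlation over each trailing `window` of returns (the paper uses 60 days)."""
    return [correlation(asset_returns[i - window:i], index_returns[i - window:i])
            for i in range(window, len(asset_returns) + 1)]


if __name__ == "__main__":
    for day in (3, 14):
        diff = return_differential(BREACHED_CLOSES, PEER_INDEX_CLOSES, day)
        print(f"day {day:2d} return differential vs peers: {diff:+.2%}")
    a_r, i_r = daily_returns(BREACHED_CLOSES), daily_returns(PEER_INDEX_CLOSES)
    print(f"post-breach beta vs peer index: {beta(a_r, i_r):.3f}")
    print("rolling 5-day correlations:", [round(c, 3) for c in rolling_correlation(a_r, i_r, 5)])
```

With the constructed series the company trails its peers by 2.6 points at day 3 and leads by 2.2 points at day 14, the same shape as the paper's dip-then-recovery; in a real study the peer index would be an industry index and the beta windows would span months before and after the announcement.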

The market isn't going to fix this. If we want better security, we need to regulate the market.

Note: The article is behind a paywall. An older version is here. A similar article is here.

Posted on January 19, 2018 at 6:06 AM • 25 Comments

Comments

keiner • January 19, 2018 6:27 AM

" If we want better security, we need to regulate the market."

The question is: WHO wants better security? Apparently nobody. And after a breach some idiotz start selling insurances, bank account surveillance etc pp., so companies make profits from non-security. Not to take from "antivirus" software companies and the like...

Nichols • January 19, 2018 7:02 AM

Great research, but we need to look at and differentiate the visible impacts, which first go to the media and cause this first drop in actions and other invisible or hard-to-pinpoint impacts, such as: did the invaders reveal everything they stole? Are they selling it on the black market or to handpicked "clientes"? Often trade secrets and researches from the deacons have been compromised and this does not come to the public.

Another point is: after a public breakthrough companies come up with their speech of "we are doing everything possible, we hired a consultancy that discovers any APT in the world, we have the best forensic service at disposal, and blah blah blah. I believe, in my naive belief, that this gives a vote of confidence to the market, and gradually the actions return to normal, as the study says. But if the gap is long, with publications of data, projects, etc, for a long time? In this type of case the market will tend not to rely so readily on the company, which is struck from time to time by negative media exposing its security flaws.

These are two points that I believe the study should consider.

RobertB • January 19, 2018 8:00 AM

The paper seems a bit misleading about its implications. If I’m reading correctly, it says that a security breach reduces stock value by around 1% within three days and that the stock does not bounce back from this over the long term. 1% is not a lot, but it’s not peanuts either. (Note that insider trading could result in this number being understated: informed selling could push down share price prior to the announcement.) The fact that long-term performance is the same should not surprise anyone who has the least bit of faith in the efficient markets hypothesis. Given 3 days to absorb the consequences of a security failure, it is unsurprising that the market price would fully adjust to capture the expected impacts of the problem.

jbmartin6 • January 19, 2018 8:08 AM

I too find this hard to believe. If the price reliably dipped then recovered, arbitrageurs would be all over that like vultures on a meat wagon.

fred • January 19, 2018 8:15 AM

Regulations won't work either because there is not a "one size fits all" answer. To state the obvious, data breaches only happen where data is stored. As @Bruce augured "Data is Toxic"

This gene is out of the bottle and there is no putting it back. We've been trained to believe "If we have nothing to hide then collecting our data isn't a problem"

For f*ck sake Equifax has a massive data breach then offers a service to find out if you are on the dark web. Their algorithm for the search is easy "if(was_customer){return true;}"

Breaches are only half the problem anyway. All the data is sold and resold over and over again. Who knows where it ends up after the 5th or 6th sale?

echo • January 19, 2018 8:34 AM

The UK has had its own data breach scandals. In theory the law is much stronger but slap on the wrist business as usual does seem to be standard. From what I understand there has been some progress. The big problem is a lack of trickle down from senior management to on the ground floor implementations, and lack of training and lack of money being spent. The pace of change especially within the public sector has been glacial (and in some instances uptake has been faster than banks who are not known for rapid change).

One problem the UK has is the ding dong between public and private sector. I'm agnostic myself but see commonalities although for different reasons between the UK and US experiences.

With regard to Bruce's call for regulation - in the UK I would like to have a bigger sense that regulation applies evenly across public and private sector, and a better understanding of the primary issues not tertiary differences, and build from there.

Who? • January 19, 2018 9:51 AM

My guess is that, in case this announcement is not a hoax:

https://skyfallattack.com/

Intel's stock price will be even less affected than it was with Meltdown and Spectre. Not only very few people care about concepts as security or privacy, each security nightmare announcement makes people more insensible to this problem.

Petre Peter • January 19, 2018 10:16 AM

If security is all about tradeoffs, then I want management to mitigate the cost by insuring against certain threats-this is pretty much what e-commerce is relying on when I pay for goods and services through a credit card. While regulation in moderation is the solution, another problem is that we need legislators who know how technology works, and how it fails; otherwise, legislation will work against technology.

keiner • January 19, 2018 10:34 AM

@Who?

As a usual user: How to care for hardware bugs? TINA! AMD only in part, but mostly no machines available...

And then there is funny software from Intel/MS etc. giving "green light" when you install a MS update. Or a fresh browser. Or a BIOS update. Band-aid to help a ripped-off head---

People only care if their HDD/SSD is suddenly encrypted by a trojan or the bank account is suddenly empty. Otherwise hardly anyone hardly ever cares.

Craig • January 19, 2018 10:42 AM

This kind of data is really helpful when assessing risk. The impact of a data breach does not include reputational harm or decrease in market value---losses in those areas have proven to be exaggerated. This is another data point to confirm that.

The real impacts are in incident response costs, regulatory fines, and legal fees.

As security professionals, we need to be realistic when assessing impacts and not spread FUD if we want to help our organizations make informed risk decisions.

justina colmena • January 19, 2018 12:43 PM

... disclosure of data breaches ...

Party A's data, in custody of Party B, was breached to Party C.

The fact that the breach took place was disclosed to Party D, which partially revealed some of the circumstances of the alleged breach to the public.

The breach, or the disclosure of the breach, or the public revelation of the disclosure, respectively, is alleged to affect the financial interests of Party E.

Meanwhile Parties F and G already have the entire "scene" under total surveillance and know in great detail exactly what information was disclosed to which party when under what circumstances. Riiight....

Might've skipped a few sharps and flats, but otherwise I think we've covered all the notes we're going to here, and the instruments are so far out of tune, I don't even want to listen anymore. Oh, yeah, uh-huh, sure....

The market isn't going to fix this. If we want better security, we need to regulate the market.

"Regulation" is not by any means a silver bullet to fix market problems.

Regulatory capture is a well-known problem that occurs when established market participants capture the regulatory process with aggressive special interest lobbying, which results in laws passed that not only entrench and enforce existing bad practices in any particular industry, but raise additional barriers of entry to potential new market participants who might otherwise engage in better business practices selling whatever goods or services they offer in that market. Regulatory capture, in effect, turns the entire "regulated" market into an ever more firmly "established" cartel or oligopoly.

High-tech industry regulation is already firmly captured and tightly controlled by the mostly foreign high-tech industry lobby in the United States.

Fox-guarding-the-hen-house "regulation" does not fly at the poultry market.

house shopping • January 19, 2018 3:26 PM

I just paid $10 to unfreeze my credit so that my mortgage broker could run my credit so I could get pre-approved. The payment screen where I entered my credit card suggested this charge depended on what state I live in. That Experian can nickle and dime me ("Ham" me in this case) is annoying to say the least.

VinnyG • January 19, 2018 4:22 PM

@justina colmena - exactly right. Further, a good question (which unfortunately cannot be accurately answered quantitatively) to ask is to what extent the lack of competition exacerbated by regulation contributes to the noted absence of impact on the stock price of a breached company.

albert • January 19, 2018 4:23 PM

If the study is accurate, then it goes a long way in reinforcing the idea that we don't have to worry about cybersecurity. Besides insider trading mentioned by @RobertB, stock buybacks are another way to 'recover' the stock prices.

There are only a few things that can cause real panic in the SM. One is a crash of the exchanges themselves. Another is a panic sell-off due to external factors.

-Financial- regulation is joke. Regulations are approved by the players. Useful regulations may appear honest and fair, but how useful are they when they're not enforced?

Wells Fargo is still in business, so what's that tell ya?

I gotta go....check my Intel stock...

. .. . .. --- ....

justina colmena • January 19, 2018 4:29 PM

@house shopping

There is a saying that it is not good to make a whole lot of money at once, and in that same vein, Realtors don't usually accept cash for real estate, so there is not really a good option, even if you do have 100% cash down and are not even applying for a mortgage, to buy a home.

It depends how much cash, of course, and how much of your personal wealth is at stake, but especially at the ultra-low mortgage rates offered today, it seems wise to establish residency in the house you are buying before putting too much cash down on it — and there is some aspect of so-called "adverse possession" to that — but meanwhile maintain proof of all your mortgage payments in a very safe place possibly in your home but available to you alone at any time and ready to take with you, without having to rely on a third party. I do not believe in safe deposit boxes, bank records, registered or certified mail, or anything of the sort anymore. I've been burned on that kind of stuff too many times, and that is too much "faith" in material things and fallible human trust for me.

At the same time, I don't want to be in the position of paying something off while some other party is making devious maneuvers at law to misappropriate the title from me over time — because this sort of thing can easily happen over the many years of a typical mortgage term.

bcs • January 19, 2018 5:13 PM

The kind of regulation I'd consider worth looking into would be to make it more costly to do things wrong:

First, legally mandate specific types of actions and results in the event of a data breach. (E.g. if they don't happen, people go to prison and big fines get paid.) Then connect the likelihood of those actions being needed to a present cost. For example, make being insured for data breaches be a regulatory requirement for lucrative markets, say by refusing FDIC insurance to banks that don't have it. (The market should then make better planning result in lower cost insurance.)

The advantage of that sort of approach is that by enacting the direct requirements only in the case we want to not happen, we avoid the problem of legislating means rather than ends. Market efficiencies will seek out the most effective way to prevent data breaches, not the most cost efficient way to do the steps that some untrained legislators *think* will prevent data breaches.

Thales • January 21, 2018 9:38 AM

"The market isn't going to fix this."

Because we don't have "markets". We have a CB ponzi. Central banks have been net buyers and the stock indices are directly correlated to CB balance sheets - like the FED. Check the charts.

That's how you end up with this: https://jessescrossroadscafe.blogspot.com/2018/01/stocks-and-precious-metals-charts_12.html

"If we want better security, we need to regulate the market." - Yes, the market is supposed to be regulated by brutal market forces. That hasn't been the case, also, insider trading was illegal last I checked. Just ask Martha. In a world where Banks like HSBC, JPMorgan and Goldman are charged with MULTIPLE FELONY crimes and nobody goes to jail... What about the trail of strange deaths of IT and other employees at those same firms; nobody wants to investigate that? These are all the trappings of a banana republic failed state.
Don't tell me about more regulation while laws are broken by insiders and joe snuffy gets a mag full of 9mm by the police for a traffic infraction and having bad hearing. Let's start with the basics. Maybe we should go back to the code of Hammurabi - Symmetry.

"The curious task of economics is to demonstrate to men how little they know about what they imagine they can design." - F.A. Hayek

VinnyG • January 21, 2018 10:40 AM

@bcs re: "The kind of regulation I'd consider worth looking into would be to make it more costly to do things wrong..."
That is exactly the kind of action and judgement that is supposed to result from a (free) market. Unfortunately, as noted in different ways by justina colmena and Thales, we don't have anything even close to that. We have pay-to-play (i.e., bribe-a-politician-to-play) combination central command economy (thinly disguised as an actual market) and kleptocracy. Apparently many of the participants in this forum believe the solution to that is merely to whisk away the veil.

Clive Robinson • January 21, 2018 11:46 AM

@ VinnyG,

Apparently many of the participants in this forum believe the solution to that is merely to whisk away the veil.

No it's not the solution, but it is one of the first steps, to finding a realistic solution.

Look at it this way, roaches stay out of the light, because if you can not see them you can not squish them. Likewise all undesirable behaviour, first you've got to see there is a problem then after a little assessment decide on the scale of the response and the way you are going to apply it.

That said I've been mentioning that regulation is actually good for markets for quite some time now, as amongst other things it helps keep them out of "race for the bottom" totally destructive "tail spins" which free markets get into all too frequently when there is neither a monopoly nor cartel at the top regulating the market in their own way.

So the choice is not between regulated or unregulated markets, but if we are going to have markets by whom the regulation comes from... Government or mega-corps, either way can be disastrous, in the past Governments acted more in the public interest but with the likes of Disney etc lobbying, we are getting mega-corps dictating legislation to the politicos, most of which has been very much against the public interest (ask John Deere tractor owners what they think of the DMCA to see why).

Thus maybe making lobbying a capital offence might also be a starting point ;-)

justinacolmena • January 21, 2018 2:54 PM

@Thales

Re: CB Ponzi. Yes, it's called "fractional reserve banking." The Federal Reserve was founded in government-conspiratorial secrecy in 1913, ostensibly to "stabilize" the economy. None of the economic crashes the U.S. had experienced up to that time was as bad as the Great Depression of approximately 1929 – 1943.

Only a last-ditch declaration of total war, and a total conversion of the country's entire economic capacity to the production of war materiel with strict rationing of staple goods and military supervision of all manufacture and trade pulled us out of that economic depression.

A lot of stupidity, as well as Nazi infiltration of the government prevented us from fully redressing the root problems that resulted in two world wars and a Great Depression. For example, we incarcerated Japanese-Americans in internment camps, but not the Nazi-aligned German-Americans who were so successful at sabotaging the war effort that they left us with a hollow victory half-sold-out to Soviet Russia, while they formed deep-cover cells which persisted over the generations to entrench their white nationalist agenda and propaganda throughout the U.S. government.

Now since 2008 we have been in the same situation with the same Nazi holocaust taking place once more in the background, not just in Europe but in America as well, mostly sight unseen to the upper middle class. Only now the Nazis call themselves by other names: white nationalist, national socialist, social democrat, etc.

The mostly American "big" banks, BAC, JPM, WFC, USB, etc. appear destined for failure as "poor men's" banks, while a new tier of mostly European "rich men's" banks has formed: COF, HSBC, UBS, etc. including Julius Baer, which Wikileaks has already reported on some time ago.

Some of those mostly European banks are just too slick and smooth for me, their balance sheets are even skinnier than the American ones, and furthermore, by both corporate taxation and direct governmental ownership of shares, these banks have come into the ownership and control of hostile European nation-states, and that (Nazi / white nationalist) control has been leveraged to create havoc throughout the United States banking system.

@VinnyG

Apparently many of the participants in this forum believe the solution to that is merely to whisk away the veil.

You are no doubt aware yourself, that this would be a dangerous assumption. Clive and the EFF's "sunlight-is-disinfectant" crowd are expressing a certain agenda here in this respect.

The truth must be told, and clearly, as Clive mentioned, this is a first step, but una cucaracha, I think not.

Force and power, military force, must be brought to bear to solve these problems. Exposure alone is not enough. Covert use of force is not enough. That this sort of problem in general has "escalated" is evident by the overt use of force by hostile European nation-states against the people of the United States of America.

Thales • January 21, 2018 8:00 PM

@Clive Robinson @VinnyG

I'm not sure why there is this infatuation with regulation being some kind of answer. We've clearly seen empirical evidence that regulatory capture happens a LOT (way more than most are willing to admit) and makes the eventual disasters of far greater magnitude than without. Removing volatility in a system (perhaps with good intentions) simply shifts the risk to the tail (fat). That results in widow-maker events versus what might have been six cases of the sniffles.

Come on people! We're all very smart, top of the systems-design pile individuals. This can be solved in a system, a heuristic. Just look at natural ecosystems that have feedback mechanisms. We need rules, not necessarily laws. This is a complex system, not a machine to be oiled and tweaked. Start treating it like one!

Anura • January 21, 2018 9:15 PM

@Thales, Clive Robinson, others

The solution is easy; the implementation is difficult. You need to not depend on anything that isn't controlled by you. If you use software, you need to have the source code. If you depend on an organization, you need to control that organization. If you depend on property, you need to own that property. The reason every economic system has failed the people is because the incentives are such that the more people depend on them, the more money they make and the people that you depend on care a hell of a lot more about money than you. On top of that, the faster they can grow, the easier it is to get people to depend on them - and the more corners they cut and the greater the information asymmetry, the faster they can grow. This is a problem in any producer-centric economic model; the solution is a consumer-centric economic model where businesses are transparent and consumers have direct control over them.

Step 1: buy the retailers in your community
Step 2: have the retailers buy the producers
Step 3: write the rules so your data is handled how you want

Equal Standards • January 21, 2018 9:26 PM

What we need is for the FDIC to stop being retarded. They're an insurance company, they should start god damn acting like one. Investigate those claims and strictly punish bad, negligent clients, rather than treating them all like helpless victims.

If you drive drunk, you don't get to claim insurance when you crash your car. Your premium goes up or you get cut off, but you don't get money for being a dumbass. It's right there in your policy, in case you forgot to read it before signing.

If you leave your front door open and unlocked while you're on vacation, you don't get to claim insurance when someone steals your stuff. Your premium goes up or you get cut off, but you don't get money for being a dumbass. It's right there in your policy, in case you forgot to read it before signing.

If you've got five separate addictions, cancer in 15 parts of your body and a form of hepatitis that hasn't even been assigned a letter yet, you probably won't even be able to get medical insurance, at least not after they ask your doctor to fax over your file. You're just too risky. Sorry, but that's how it goes.

YET...

If you leave your website insecure for over half a year and millions of your customers get defrauded as a result of your laziness, you can totally expect the FDIC to cover you for being a dumbass. Hell, they won't even check to make sure you're paying attention to digital security to begin with, everyone's approved!

Why? What's in it for the FDIC to be so forgiving and accepting? Aren't they losing money this way? I thought insurance was only profitable if you instill at least a bit of a sense of responsibility in your clients, rather than letting them run amok without any regards to safety because, "Screw it, I got insurance."

Seriously, you'd think that Robert Parr is a client service agent at the FDIC and every one of these big institutions has him to thank for helping them out. Much love to anyone who gets the reference. :)

I believe the FDIC should be rejecting insurance claims and dumping clients whenever data breaches are shown to be the result of gross negligence. Furthermore, they should require all of their new clients submit themselves to mandatory pentesting, as well as require that existing clients submit themselves to randomized pentesting, in order to enforce compliance with security standards, as soon as such standards are set, chosen and made policy.

Retail stores have a better handle on insuring things when it comes to computers. Ever bought one of those product protection plans? Doesn't matter how, when or where your laptop breaks, they always find some way to make it your fault, or at least not their responsibility. Not saying that's right, but damn it, that's insurance. Be prepared to do your part in being safe, don't just throw some money and a signature at a hazard and expect it to disappear. That's what us normal people have to understand when we make the decision to insure something, it's about time banks and credit unions start walking on the same eggshells as we do.

George Herbert • January 22, 2018 3:18 PM

Three comments.

One, more generally, this applies to IT disasters writ large. The consequences of data lost or destroyed are different than services down or unusable, but they're in details not in degree of impact.

Two, more specifically, there are ranges of effects from minor through catastrophic. I've been present at a billion dollar class, brand/company (subsidiary) went away IT disaster. (Hazards of consulting: They don't always listen... ) I've also been present where what was fundamentally a major IT disaster or major security incident was handled professionally, rapidly, properly, and a couple of weeks later it was just bits of remaining chat threads griping, without long term impact. And lots and lots of incidents at all levels where no customers really noticed or were affected.

Three, in many cases it takes time to see what the impact is. Stock price of Intel recovering nicely after Specdown this week isn't news. News will be if Intel's market share, product roadmap, long term profitability shift due to this. One can predict with some certainty that actual fixes for those are going to entail delays in future CPU generations and performance hits that will matter. With less certainty, discussions about non-x86 architectures, market demands for compensation in terms of lower pricing (lower profitability), etc. I'm reasonably sure Intel's still wrapping their head around their responses and impacts, much less told customers yet or announced roadmap shifts etc. It's more likely that a year, two years, three years from now we'll see changes. There was more than a blip when AMD went 64 bit and the market followed; Intel was playing catch-up and you could see that over years, though it came back. But the impacts can be magnified by things like impacts to capital spend, chip fab R&D / future prototype process investments / etc. as well. Those sort of impacts would take years to work their way through the lifecycle system.

And given that we've discovered new classes of bugs, it's a fair guess that this isn't over yet in terms of new ways to exploit and damage stuff. Zero day over the weekend that execution of speculative loads was proven is Yet More Fun. How far down the rathole we go before it's well understood is a great question.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.