It sounds almost incredible, but the internet currently hosts around 1.68 billion websites. Moreover, according to research, 380 websites come alive every minute. With this exponential growth in websites, the risks and threats on the web have also soared. No one on the internet can claim to be completely hack-proof, but e-commerce websites in particular face the greatest risks. No doubt, cyber attacks and information security breaches have severe and lasting effects on websites. But do they affect the market capitalization of companies?
Engineers at Astra have been studying the consequences of data breaches on businesses over the past few years. This article, Hacking Statistics 2019, is the crux of the research that we have been poring over all these years.
The effect data breaches have on market capitalization is validated by several popular companies, such as the smartphone giant OnePlus and the networking colossus IBM. OnePlus recently announced that a breach of nearly 40K credit cards and personally identifiable information led to the market devaluation of its parent company, whereas IBM revealed that it experienced a total of $3.62 million data breaches in the year 2017. These data are shocking indeed. But we have found more astonishing facts. Read on to find out.
The method we used to evaluate the impact of security breaches involving personally identifiable information, financial data and other confidential data on the market capitalization of companies is the event study methodology. We selected firms that have faced data breaches in the past, and we obtained information about the breached firms from various trusted and reputable sources such as "The Wall Street Journal", "ZDNET", "SANS Institute", etc.
About the time window we chose: since the impact of security breaches on companies registers slowly, we thought it more appropriate to select a larger time frame to compare the before and after effects.
Further, some of the terms used throughout this article are defined as follows:
Abnormal returns: Abnormal returns are the difference between the actual and the normal return of the firm over the event window. Abnormal return can be calculated as follows: Abnormal Return = Realized Return – Expected Return
Normal Return: The normal return can be defined as the expected return when no incidents occur.
For this research, we had to identify and collect extensive data. This included essential information such as which firms had event information available and stock prices that could be tracked. The companies we identified include JP Morgan Chase, Facebook, Equifax, Alteryx, CVS Healthcare, Apple, Dun & Bradstreet, eBay, Home Depot, etc.
Then we took event windows of [-90, 90] days for the analysis. Finally, the findings are based on a comparison of each firm's realized (actual) return and its expected return.
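The calculation described above can be sketched as follows. This is an added example, not code from the study: the function names are hypothetical, the price series are constructed, and because the article does not say how the expected return was estimated, the sketch assumes it is the mean daily log return over the pre-event half of the window. It also measures the days a stock takes to regain its last pre-breach close.

```python
import math
from statistics import mean

def log_returns(prices):
    """Daily log returns; element i is the return realized on the day of prices[i + 1]."""
    return [math.log(b / a) for a, b in zip(prices, prices[1:])]

def event_study(prices, event_idx, window=90):
    """Abnormal returns for the [-window, +window] event window around prices[event_idx].

    Assumption (the article does not say how expected return was estimated):
    expected return = mean daily return over the pre-event half of the window.
    """
    if event_idx - window < 0 or event_idx + window >= len(prices):
        raise ValueError("price series does not cover the full event window")
    pre = log_returns(prices[event_idx - window:event_idx])           # pre-event days
    post = log_returns(prices[event_idx - 1:event_idx + window + 1])  # days 0 .. +window
    expected = mean(pre)
    abnormal = [realized - expected for realized in post]  # abnormal = realized - expected
    baseline = prices[event_idx - 1]                       # last close before the event
    days_to_recover = next(
        (d for d in range(window + 1) if prices[event_idx + d] >= baseline), None)
    return {"abnormal": abnormal, "days_to_recover": days_to_recover}

def cumulative_abnormal_return(abnormal, last_day):
    """Sum of abnormal returns from day 0 through last_day (inclusive)."""
    return sum(abnormal[:last_day + 1])

def constructed_series(recover_days, drop=0.10, window=90):
    """Constructed prices: flat at 100, a drop on day 0, then a linear recovery."""
    low = 100.0 * (1 - drop)
    pre = [100.0] * (window + 1)
    post = [min(100.0, low + (100.0 - low) * d / recover_days) for d in range(window + 1)]
    return pre + post, window + 1  # (prices, index of the event day)

if __name__ == "__main__":
    for label, days in (("recovers in 7 days", 7), ("recovers in 90 days", 90)):
        prices, idx = constructed_series(days)
        result = event_study(prices, idx)
        print(label,
              "| day-0 abnormal: %.4f" % result["abnormal"][0],
              "| CAR[0,+7]: %.4f" % cumulative_abnormal_return(result["abnormal"], 7),
              "| CAR[0,+90]: %.4f" % cumulative_abnormal_return(result["abnormal"], 90),
              "| days to recover:", result["days_to_recover"])
```

Both constructed firms show the same day-0 abnormal return and a cumulative abnormal return near zero over the full [0, +90] window; only the short-window figure and the recovery time tell them apart.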
The research took two years to complete. Here are the results of the study, presented individually as well as generally for the firms under discussion. We also found that the health sector was hit hardest by data breaches (28.82%), followed by the financial (13.5%) and tech (8.0%) sectors.
Targeted attacks are often state-sponsored, though some have been carried out by private groups. A nation might try to spy on, disrupt, sabotage, or steal from another entity. The U.S. is the No. 1 target.
It’s not a statistic you’d want to own, but the U.S. is not alone. Here’s a breakdown of the top 10 countries affected by targeted attacks between 2015 and 2017.
Here is a pie chart that depicts that data breaches are indeed targeted based on countries:
Coming back to market valuation, the expected returns vs. realized returns of each company after its breach are as follows:
1. JP Morgan Chase:
The stock of JP Morgan on NASDAQ decreased by 3.56% post-breach in July 2014.
2. Facebook:
The stock of Facebook ("FB") decreased by 18.50% post-breach on March 17, 2018.
3. Equifax:
The stock of Equifax ("EFX") decreased by 36.27% post-breach on Sept. 7, 2017.
4. Dun & Bradstreet:
The stock of Dun & Bradstreet decreased by 15.17% post-breach.
5. CVS Healthcare:
CVS Healthcare's ("CVS") stock price decreased by 0.07% post-breach.
6. Alteryx:
The stock price of Alteryx ("AYX") decreased by 3.75% post-breach on 20th December 2017.
7. Apple:
Apple's listing price decreased by 2.7550% post-breach.
8. Time Warner Cable:
The stock price of TWC increased by 2.6% immediately post-breach on Sept 1, 2017; however, it decreased significantly after 7 days.
In a nutshell
On average, stock prices of firms decreased by 9.11% post-breach.
Stock prices of companies with good security practices took around seven days to recover the affected stock value.
Companies with poor security practices were more affected by data breaches, and it took them around 90 days to redeem themselves in the stock market.
Companies that announced data breaches themselves were more affected in the stock market compared to companies whose data breaches were announced by third parties.
The impact of data breaches on market value is strongly correlated with the type of information leaked, the attack type (e.g. insider, outsider, accidental) and the number of leaked records.
Laws known as the GDPR and the Notifiable Data Breaches Scheme were enforced in May 2018 by the European Union and the Australian government, respectively. These laws were implemented to regulate and monitor data breach announcements by companies.
The last result is taken from the same study by Norton: the average cost of a data breach has also increased. Following are three telling stats from the Ponemon Institute's 2018 Cost of a Data Breach study for IBM.
Cost of the average data breach to companies worldwide: $3.86 million (U.S. dollars)
Cost of the average data breach to a U.S. company: $7.91 million (U.S. dollars)
Average time it takes to identify a data breach: 196 days
What Should You Do?
This study shows that the consequences of data breaches also include stock market upheaval, in addition to known outcomes such as theft of sensitive and confidential data, a vandalized website, etc. Further, data breaches can even sabotage your business reputation, brand name and customers' trust in your company, which in turn can prove to be a setback for you in a competitive market.
However, the good news is that after overlooking security for all these years, businesses finally seem to have included (some even prioritized) security in their business discussions and budgets. This drastic shift in cybersecurity awareness comes from a series of rather brutal cyber attacks like WannaCry and NotPetya that the year 2018 saw. Today, businesses have come to terms with the fact that security cannot be pushed back in a business strategy. No, not anymore.
Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.