The digital landscape has brought about new challenges for businesses, one of which is the risk of cyber security breaches. A security breach not only results in the compromise of valuable information and financial losses, but can also have a significant effect on a company’s share price. The cost of a breach continues to creep up year-over-year. IBM’s Cost of a Data Breach Report for 2022 reported that the overall cost of a breach has increased to $4.35m in 2022, representing a nearly 13% increase from 2020.
In this blog post, we will explore the connection between cyber security breaches and their impact on a business’s share price, examining the various factors that contribute to the magnitude of the impact.
Why a Cyber Security Breach Impacts a Company’s Share Price
- Loss of Trust: Cyber security breaches can lead to a loss of trust among consumers, investors, and other stakeholders. This can result in a decline in the company’s reputation, leading to a drop in share price.
- Financial Losses: Breaches can result in significant financial losses, including costs associated with investigations, legal fees, and compensation to affected customers. These costs can also impact the company’s bottom line, which can lead to a decline in share price.
- Compliance Issues: Companies that suffer from a cyber security breach may face regulatory fines and penalties. This can impact the company’s financial health, leading to a further decline in share price value.
Factors that Determine the Scale of the Impact
The impact of a cyber security breach on a business’s share price can vary greatly, depending on a number of factors. Understanding these factors is essential for businesses looking to mitigate the potential impact of a breach and protect their financial performance in the aftermath of an incident.
- Severity of the Breach: The more severe the breach, the greater the impact on the company’s share price. The nature of the information breached can also greatly influence the extent of the negative impact. If the breach results in the loss of sensitive or confidential information, such as personal information, financial information, or trade secrets, it can cause a greater loss of trust among customers, investors, and stakeholders. This, in turn, can lead to a greater decline in share price than a breach that affects fewer customers or involves less sensitive information, such as email addresses or login credentials, which may have a more limited impact on share price.
- Company Size and Market Capitalisation: Larger companies and those with a higher market capitalisation are more likely to experience a significant impact on their share price as a result of a cyber security breach. However, they typically have more resources to devote to cyber security and are better able to absorb the financial impact of a breach. On the other hand, smaller companies and those with lower market capitalisations may face a disproportionate impact from a breach, as they may have fewer resources to devote to cyber security and a more limited customer base.
- Industry: The industry in which a company operates can also play a role in the impact of a cyber security breach on its share price. Different industries have varying levels of risk and exposure to cyber attacks, and this can impact the market’s perception of the company and its ability to recover from a breach. Some industries, such as finance and healthcare, handle sensitive personal and financial information and are therefore more vulnerable to cyber attacks, while others, such as manufacturing, may face lower levels of risk. Additionally, some industries may have more stringent regulatory requirements related to data privacy and security, which can impact the severity of the consequences for a company following a breach. Companies operating in industries with high levels of risk and regulatory scrutiny may face a greater impact on their share price, while those in industries with lower levels of risk may experience a more modest impact. Understanding the dynamics of the industry in which a company operates is essential for businesses looking to mitigate the impact of a cyber security breach on their share price.
- Reputation and Brand Image: A company’s reputation and brand image can also play a role in the impact of a breach on its share price. Companies with strong reputations and positive brand images may be able to weather the consequences of a breach more effectively than those with weaker reputations or negative brand images.
- Speed and Effectiveness of Response: The speed and effectiveness of a company’s response to a breach can greatly impact the market’s perception of the company and its ability to recover. Companies that respond quickly and effectively to a breach are often able to minimise the impact on their share price.
- Broader Market Conditions: The broader market conditions can also play a role in the impact of a breach on a company’s share price. In times of economic uncertainty or market volatility, companies may be more vulnerable to share price declines following a breach, while in stable market conditions, the impact may be more modest.
Cyber Security Breaches and their Impact on Share Price
Perhaps the most widely reported and quantified example is Yahoo. Yahoo Inc’s shares fell as much as 3.8% a day after the company said that more than 1 billion user accounts were compromised in a security breach in August 2013. Then, in December 2016, they fell almost 5% after the technology company disclosed a second massive data breach. The breaches impacted Verizon Communications’ July 2016 plans to acquire Yahoo! for about $4.8 billion, resulting in a decrease of $350 million in the final price when the deal closed in June 2017.
And what about TalkTalk? In October 2015, over 150,000 of the embattled telco firm’s customers had their personal data exposed. Shares immediately dropped by 10.7 per cent. In the weeks that followed, TalkTalk shares plummeted by a whopping 20 per cent.
The 2017 Equifax breach kick-started a price drop that hit 31% a week after its disclosure, and in September 2018, International Airlines Group, the owner of British Airways, suffered an immediate share price drop of more than 4% after the airline revealed a massive data breach affecting thousands of customers.
Also in September 2018, Facebook’s stock immediately dropped by 3% after revelations that the company had shared the data of up to 50 million users. A few weeks later, the company clarified that only 30 million users had been affected, but among them, 14 million had their names, contact information, gender, relationship status and other sensitive information exposed. Facebook’s value dropped by almost $16 billion that day.
In the wake of the Capital One hack in July 2019, the company’s stock price dropped nearly 6% immediately in after-hours trading, losing a total of 13.89% over two weeks.
In October 2022 Medibank Private Ltd, the largest health insurance provider in Australia, reported that data of almost all of its 4m customer base had been accessed by an unauthorised party, causing their stock price to slide 14%, the biggest one-day dip since the company was listed.
More recently, UK breaches so far in 2023 have also all resulted in an immediate drop in share price:
- Royal Mail: In 2022, Royal Mail’s owner IDS saw its share price lose almost 60% of its value amid calls to restructure. Losses were compounded in January 2023 as Royal Mail was forced to pause its international deliveries following a cyber-attack, which caused the share price to decrease by a further 2.5%. Staff strikes have also dealt a heavy blow, with the company yet to recover operationally from both the strikes and the cyber attack.
- Morgan Advanced Materials: In January 2023, the company’s share price fell nearly 7.5% after it alerted investors that it had detected unauthorised activity on its network and was managing a cyber security incident.
- Vesuvius: In February 2023, shares in FTSE 250 UK engineering group Vesuvius fell 3.3% in 2022 after it was hit by a cyber attack.
Tech research company Comparitech reported that share prices of breached companies hit a low point approximately 110 market days following a breach, falling by an average of 3.5%.
Long Term Impact
The impact of data breaches can be long term for many. Comparitech research reported that, in the long term, breached companies underperformed the market. After 1 year, share price fell -8.6% on average; after 2 years, average share price fell -11.3%; and after three years, average share price is down by -15.6%.
However, this is not true for all incidents, with many organisations recovering after a short-term drop. For example, it took 2 years for Equifax’s stock price to return to pre-breach levels.
Factors that impact Recovery Time
The length of time it takes for a company’s share price to recover after a cyber security breach can vary greatly depending on several factors, including:
- Severity of the Breach: The more severe the breach, the longer it may take for the company’s share price to recover.
- Company’s Response: A prompt and effective response to the breach can help to limit the damage and speed up the recovery process. Companies that are transparent and proactive in addressing the breach, communicating with customers and stakeholders, and taking steps to prevent future breaches can help to limit the impact on their share price and speed up the recovery process.
- Industry: The recovery time can also vary depending on the industry. For example, companies in highly regulated industries, such as financial services or healthcare, may take longer to recover share prices due to the increased scrutiny and potential penalties they may face.
- Market Conditions: The broader market conditions can also influence the share price recovery time. During periods of economic uncertainty, for example, companies may take longer to recover even after a well-managed breach.
Combatting Ransomware to Protect Share Price
With the increasing frequency of cyber attacks, it’s important for businesses to understand the potential impact of a breach on their share price, to take steps to protect themselves against these threats and to respond quickly in the event of a breach. This can include investing in the right technologies, implementing best practices for data protection, and regularly assessing and updating security strategies.
According to the IBM Cost of Data Breach Report 2022, investing in security tools that leverage artificial intelligence (AI) and machine learning is the greatest cost mitigation approach organisations can take to significantly reduce the length and financial impact of a breach. Those using AI and automation had a 74-day shorter breach lifecycle and saved an average of USD 3 million more than those without. By taking these steps, companies can help to minimise the potential impact of a cyber security breach and protect their long-term financial stability and success.
We strongly encourage companies of all sizes to get in touch for more information about how Infosec Partners can support your business to protect its financial success from the impact of a cyber breach.