It's never good news when a company is hit by a big-time data breach. Just ask Target (TGT) , CVS (CVS) , Home Depot (HD) , and JP Morgan Chase (JPM) - all of whom suffered a massive data breach in recent years, which resulted in millions of customer data records being compromised, including credit card numbers, Social Security numbers, and other valuable data.
When data breaches occur, companies can expect a hit to their financial bottom line. But that's especially so over the long-term, as the pain continues with a significant loss in the firm's publicly-traded stock price.
Just how steep a slide is that drop?
According to a new study from London-based Comparitech.com, which examined how companies who have been affected by a data breach have performed against the Nasdaq index, the impact of a data breach on company stocks is steeper than you might think. On average, Comparitech finds that company stocks linked to a data breach underperform the Nasdaq by 42% after three years.
The analysis covered 24 major companies who experienced a data breach resulting in the loss of over one million client records. Apple (AAPL) , eBay (EBAY) , Home Depot, Monster (MNST) , and Yahoo were among the company's tracked in the Comparitech study.
"Data breaches stain the reputations of companies both big and small, damaging the brand and reducing consumer trust, and sometimes the consequences can affect the company for years to come," notes Paul Bischoff, researcher and privacy advocate at Comparitech. "A data breach can harm both public sentiment and a company's competitive edge in the market depending on the type of breach."
The study does note that "breached companies" recover to the NASDAQ's performance level after 38 days on average, "but after three years the NASDAQ ultimately outperforms them by a margin of over 40." Technology and finance companies experienced the biggest slide in stock prices.
"Our one-year model shows their share prices experienced an immediate 2.84% drop versus the Nasdaq and took 38 market days to recover on average," adds Bischoff. "The model shows the stocks outperformed the Nasdaq until day 175, at which point they start falling again. 36 months later, the share price had fallen 42% relative to the Nasdaq baseline."
Comparitech isn't the first company to study the impact of data breaches on stock prices. Santa Clara, Calif.-based Centrify recently found that on the day a breach is exposed, a company's stock price drops an average of 5%.
There is some good news on the data breach and stock price front, in that companies dealing with breaches don't have to take stock price declines lying down. The data shows companies who aggressively respond to a data breach suffer lower financial losses.
"When a company gets breached and loses data, the response and actions of the board and management team become hugely important," says Thomas Fischer, global security advocate and principal threat researcher at Digital Guardian, a Waltham, Mass.-based cyber security firm. "A company must recognize the failures that led to the breach and data loss, then build a remediation strategy that can help to avoid those same pitfalls in the future."
Fischer says that companies can mitigate financial and brand loss by implementing a plan in a timely manner, and if a "long-term remediation" has been successfully demonstrated in the same timeframe. "Communication is an important part of handling the data breach - so much so that it is increasingly appearing in government legislation - and companies must do everything they can to avoid the kind of continued negative perception that may affect investor confidence," Fischer says. "Communication around a breach must be accurate and should explain the impact of the data breach, and include the remediation activities taken. That will help investors determine if there is a risk."
Unfortunately, data breaches are extremely difficult for investors to predict, because there's really no such thing as companies that are at higher risk of data breaches, says Lance Jepsen, owner of Guerilla Stock Trading, in Clovis, Calif. "Take Target, for example. That's not a company anyone would think was at high risk of a data breach."
Jepson does say that hackers often target industries that are lower "tech-based" with limited IT budgets and cyber-security mechanisms in place.
He also notes that there is money to be made in the aftermath of a major data breach. "The only thing an investor can do is when the news breaks of a security breach, take a quick "long scalp trade" in cyber-security stocks like Symantec, FireEye, and Check Point Software Technologies," Jepson adds. "These stocks often have big upward moves when a massive data breach is announced."
While there is no perfect gauge to measure the impact of a security breach on a company's stock, there are some barometers that can help investors, and the financial advisors counseling them.
"Clearly, the type of information breached is a critical factor," says Aash Shah, senior portfolio manager at Summit Global Investments, in Salt Lake City, Utah. "For example, if a bank, credit card company or payment company breached account numbers and customer identification that would be much more troublesome than if a retailer breached customer emails."
"That said," Shah adds, "it really goes on a case-by-case basis on whether or not a breach will have a long-term impact on stock price."