In the past, a few studies addressed the impact of a data breach on the value of the company that suffered it (see, e.g., the paper "The effect of internet security breach announcements on market value" by Cavusoglu et al.). The general conclusion was that the company's value, as measured by the market price of its shares, declined after the announcement of a security breach. The issue has been investigated further by Hinz et al., from the Technische Universität Darmstadt, in their recently published paper "The influence of data theft on the share prices and systematic risk of consumer electronics companies", based on more recent data (from the 2011-2012 period). They confirm that the share price drops suddenly in the 2-3 days following the data breach, and that the industry as a whole is affected (though to a lesser extent than the company that actually suffered the breach), but they find that the systematic risk is practically unaffected. This means that the company suffering a data breach is not considered riskier on average, and is therefore not charged a premium when asking for funds: its long-term borrowing rates do not grow because of the security incident. This is not to say that data breaches do not matter, but rather that, aside from the damages and costs incurred in the data breach event, the company's financial reputation is not impacted. The study was conducted on a limited number of events (6); nevertheless, the suggestion that the long-term perception of risk is unaffected by single security incidents is significant. However, what would happen if the same company were subject to a string of data breaches? A longer-term study would probably lead to different conclusions.
Data breaches matter...in the short term