Does a Data Breach result in the fall of the Company’s Share Price?

Oct 3 Blog


What’s the issue? 

Do data breach incidents have a significant negative impact on breached companies’ share prices? 


What are the findings? 

Based on recent studies and reports, it seems that data breaches do have a negative impact on both short- and long-term share prices, but the impact is fairly small, and given the small sample size, there may be flaws in the analysis. It also appears that customers place greater importance on a company’s response to the breach than on punishment for the breach itself.


Why is this important? 

For those who have invested in a company that suffered a privacy data breach (or is likely to suffer one), this may mean there is no need to fear an immediate and permanent drop in share prices. Rather, analyzing the company’s response to the breach may be of greater importance before deciding whether to stay invested. 


In More Detail: 

Given the recent outbreak of high-profile data breach incidents, such as Uber’s data breach and Optus’s data breach in Australia last month, I became curious about whether such data breaches impact the companies’ stock market performance.

Major data breaches are happening weekly, with numbers increasing every year. Consumer trust in companies to protect their personal data is also declining, and the loss of trust seems to be greater in countries that have widespread privacy awareness, such as the GDPR-protected countries in Europe. The 2022 Thales Consumer Trust Index report found that 21% of consumers worldwide have stopped using a company that suffered a data breach, with 8% having taken legal action against the company. However, consumers’ top priority was for companies to implement better data security measures to mitigate the risk of future data breaches, whereas their lowest priority was fining the companies involved. This finding may indicate that consumers are becoming more accepting of data breach risks, and are valuing a company’s proper response (by improving data security) over seeking to punish the company (through lawsuits, fines, or not using the company anymore).

A 2021 study by Comparitech found that data breaches slightly impacted the affected companies’ share price, with 21 out of 40 breaches resulting in worse stock performance compared to their performance before the breach. Share prices of breached companies fell 3.5% on average 110 days after the breach, and in the long term breached companies underperformed the market (-8.6% after 1 year, -15.6% after 3 years), with the largest drops being in tech and finance companies as well as in breaches that involved highly sensitive information such as credit card and social security numbers. Additionally, the study found that older breaches were met with a stronger negative reaction than newer breaches, and theorized that as breaches became more common over time, a “breach fatigue” effect set in where investors became less shaken by data breaches. Overall, this study demonstrated that data breaches do impact the share price of affected companies negatively, both in the short and long term. However, this study was limited by sample size and also did not cover compensation to the victims or financial reports detailing the financial consequences of the breach, which may have further impact on the market.

A 2021 study by Korea’s Infringement and Accidents Response Council (CONCERT / 한국침해사고대응팀협의회) and Korea’s Chief Privacy Officer (CPO) forum reported that, contrary to Comparitech’s findings, data breaches in companies within Korea resulted in little impact on share prices in the short term, but more persistent negative impacts in the long term. The report explained this discrepancy as being caused by Korean consumers putting greater value on intangible values over financial values, which exacerbates the consequences of a ruined public image. Since the impact of data breaches appears to be more centered on the public image of the companies, CONCERT’s Secretary General theorized that this was also indicative of the lack of privacy awareness in Korea.

Although further research using greater samples and more information is needed, existing studies seem to indicate that the negative impact of data breaches on companies’ share price is more centered in the long term, with the decline partly coming from loss of customers due to bad public image and lack of trust (which in turn would lead to worse financial results and a worse outlook, driving investors away). Additionally, the research by Thales as well as Comparitech implies that consumers and investors are not as concerned about the data breach itself (with more and more consumers accepting the risks of it happening) as they are about the company’s response to it. Therefore, companies with an existing loyal customer base that respond appropriately (by promptly offering compensation and improving security measures to prevent future data breaches) likely will not suffer a significant fall in share price or financial performance. That being said, this also depends on each company’s specific situation.

 
