In the aftermath of a data breach, ransomware attack, or vulnerability disclosure, organizations may think about how the news will cause their stock price to dip. New research indicates that although security incidents do affect stock price, the size of this impact largely depends on the circumstances, and the effect rarely lasts.
Alejandro Hernández, senior security consultant at IOActive, became curious about the correlation in a previous role when a company with which he was working discovered a "huge" software vulnerability. His colleagues began to speculate how much the stock would dip — some guessed 10%, others said 20%. The business's stock price fell only 3% that day, prompting him to start some new research.
Hernández began to closely examine the organizations that experienced vulnerabilities, security incidents, espionage attacks, or faced criticism for privacy concerns and misinformation. His data includes the company name, sector, type of issue or incident, details of the incident, date of disclosure, change in stock price, and the amount of time it took the stock price to recover.
For many of these incidents, the price drop was minor and recovery time was less than two weeks. But some have a larger impact: The 2017 Equifax breach, for example, kick-started a price drop that hit 31% a week after its disclosure. Many people thought the company would never recover, Hernández says, but its stock was back up in less than two years.
Of similar significance was the more recent SolarWinds campaign, which Hernández classified as an espionage operation because there was a nation-state involved. He says these attacks are among the most harmful to corporate stock price, sometimes leading to a drop of 17% to 20%.
"All of the problems that relate to national security around the entire country are the worst ones," he explains. But the stock price drop following disclosure of the SolarWinds attack was short-lived: Now, four months after disclosure, the company's stock is on its way back up.
While one might guess these two headline-making breaches would cause stock prices to fall, that logic can't be applied to all major incidents, Hernández says, as some have greater impact than others. The disclosure of vulnerabilities, for example, leads to a 4% price drop on average, and affected organizations recover within one month. For 40% of businesses that disclosed a vulnerability, their stock price wasn't affected at all.
[Hernández will share his data and observations at the upcoming Black Hat Asia virtual event in his talk, "A Walk Through Historical Correlations Between Vulnerabilities & Stock Prices"]
"On the other hand, incidents impact more than vulnerabilities, [with a] more than 5% drop," he continues. "The recovery depends on the amount and sensitivity of the data leaked," though he notes 63% of businesses hit with an attack recover in less than a month, even if sensitive data such as credit card information or personally identifiable information was compromised.
"Security incidents" is a blanket term for data breaches, ransomware attacks, and other events that might hit an organization. Of these, Hernández says ransomware does the most damage to stock price. In the short term, victims may not see a sizable difference; however, when it's clear that an attack will influence the entire quarter due to production and shipping delays, they will.
His research shows it's not only victim companies that are affected, but their parent companies as well. The Yahoo breach caused stock prices to fall for parent company Verizon; the disclosure of a vulnerability in WhatsApp in 2018 affected the stock for parent company Facebook. Similarly, organizations' stock price can be affected when a security issue affects their suppliers.
Security events only began to affect stock prices within the past few years, he points out.
"I have noticed that the older data breaches before 2015 did not have a sharp price drop, and they recovered in less than a week," says Hernández of earlier attacks affecting Sony, Target, JP Morgan, Home Depot, and Anthem. While all made headlines, the victim companies' stock prices didn't drop as he would have expected.
He attributes this change to the greater importance of cybersecurity among businesses and consumers, who now pay attention when a company they've shopped at has been breached. As security awareness continues to grow, Hernández anticipates cyberattacks, vulnerabilities, and other security issues will have a greater influence on stock price for victim organizations.