Are Shareholders Indifferent To Data Breaches?

Ingo Walter
Riazul Islam and Ingo Walter
It seems investors don’t much care about the impact of data breaches on stock prices. This confounds the idea that the first line of defense against cyber-attacks should be market discipline - channeled from investor reactions through asset managers’ portfolio decisions, board governance and manager action - to get much more serious about cyber-safeguards. The evidence suggests the market-discipline defense is a lot weaker than it should be.

Identity fraud based on cyber-attacks drained an estimated $16.9 billion from victims’ accounts last year. In the Covid-19 rescue the financial locusts have found new opportunities among the 150 million recipients of stimulus funds and over 30 million laid-off or furloughed workers filing state unemployment claims. Gaps in payment-security protocols combine with confusion and haste - the mortal enemies of accuracy, transparency and accountability – to open the door to stealing other people’s money. 

Personal data have been lifted in dozens of cyber-attacks on financial and nonfinancial firms in recent yeas, much of it traded on the “dark web.” In all, billions of accounts have been compromised worldwide. They can be linked to reveal just about all the access information needed to steal identities and intercept payments - especially in a crisis setting like this one. Stolen data are reinforced by thousands of fraudulent website domains, robo-calls and emails to fill in the blanks, extracted especially from the elderly, the poor and the unemployed who can be bamboozled into disclosing personal information in order to access promised benefits.

What can be done about this plague? Apprehension and punishment of cybercriminals seem disappointing. The presence of state actors make things worse. The locusts are legion, they are resistant, and they move around. Once stolen, following the money globally is usually a fool’s errand. And the impact of  coming innovations in payment transfers remains to be seen. 

But how about going back to the source – the data harvested from cyber-attacks that populate the dark web? There have been plenty in recent years, sometimes stealing data on corporate and banking clients in the hundreds of millions. Law enforcement, regulatory bodies and the hacked firms themselves have ramped-up their cyber-security, but at a pace and intensity that seems to lag the frequency and severity of data penetration. Some prominent targets seem to consider successful cyber-attacks a “cost of doing business.” Anyway, cyber risks can be insured. The damage will ultimately be passed on to customers or shareholders in higher prices and lower returns. 
So corporate attention to cyber-security events often seems weak. Maybe that’s because boards and senior executives focus mainly on the manageable firm-level costs of the damage but ignore the potentially massive social costs as the stolen information hits the dark web to victimize countless others - call it “financial pollution not worth the cost of cleanup.”

Logically, shareholders of victim businesses should care about data theft. Investors should expect to see a reduction in the valuation of a target company suffering an announced breach - as customers jump to competitors, the firm’s operating costs rise, suffers potential fines and penalties levied by government agencies, and possibly faces class action lawsuits down the road.

Surprisingly, this doesn’t seem to be the case at all. A new study analyzing the shareholder impact of data breaches across 92 large data breaches at publicly-traded companies from 2015 to 2020 finds they generally result in little or no impact on stock prices. Only companies whose core businesses have both financial and personally identifiable information compromised - such as Equifax, Capital One, ADP, and First American Financial - suffer substantial stock-price erosion. Most other companies escape a significant negative impact of announced data breaches on their stock prices.

The study suggests that shareholders do not think there’s a material impact on the valuation of a company that suffers a publicly disclosed data breach. This absence of discernible market impact suggests investors do not believe there’s a material change in the company’s future cash flows. Maybe this is due to cybersecurity insurance cover, but companies are certain to incur some of the adverse revenue and cost impacts. The data show that they are not reflected in stock valuations - possibly because they’re thought to be immaterial, or that investors have “learned” to ignore them based on observed stock price effects of past incidents.

These results are profoundly discouraging to those who believe in market discipline and rely on it for economic efficiency. It seems to fail here, and sets the stage for substantial damage to society going forward. The “control rights” in the vast majority of traded shares are vested in institutional fund managers. Maybe they don’t much care either, and prefer to wait and see the direct and indirect fallout before doing any portfolio rebalancing. And maybe there’s little room even for that, given the shift to index funds and ETFs, where portfolio weights are on autopilot. 

It’s a shame that meaningful progress on data breaches and invasions of privacy will have to look beyond the invisible hand of the market to the visible hand of government.

Riazul Islam is a Glucksman Fellow and Ingo Walter is a Professor of Finance Emeritus at New York University Stern School of Business.