Do investors “punish” firms that suffer a data breach?

November 7, 2018

"Do investors punish" article hero image

Nowadays, the press doesn’t have to look too far for the next cyber attack story!

Whether it’s the surprise theft of customer data, like British Airways suffered this year, or a fresh Facebook hack, if there’s one thing we’ve learned this year, it’s that no one, regardless of size and sophistication, is immune to attack.

However, while press coverage typically (and quite rightly) focuses on the impact to customer privacy, and the subsequent fines incurred, very little attention is given to the long-term reputational and financial damage incurred by a company.

Dig deep enough, though, and there are several studies available that look at the impact a cyberattack has on company performance (in particular revenue and market valuation) – and it’s not great reading.

As you would expect, companies that suffer an attack routinely under-perform against the average when it comes to revenue growth (a result of brand and reputational damage).

However, there’s a larger, and more worrying impact, with one study concluding that companies that lose control of confidential data suffer an average 1% drop in market capitalization.

Another study (which focused on Nasdaq-listed companies) found that even after three years, breached companies were down against the Nasdaq by almost 16%.

But why such lasting damage?

Of course, investors look at the immediate, and visible, indicators – such as customer churn, revenue performance, and the cost of any fines. But what of the indicators that aren’t so visible?

In particular, if the worst happens, what can investors learn from your company’s "security culture"?

Because while major breaches that result in the loss of sensitive customer data typically have to be reported (and therefore come to public attention), it’s the dozens of small, discrete breaches that happen every day that point to a more worrying threat – a poor culture of security across the entire business.

Does a poor security culture point to a wider problem?

Take the example of workplace messaging. There is still widespread misunderstanding across employees about the level of security offered to them by different technologies. Earlier this year we wrote about research that found that 50% of employees wrongly assumed that SMS and landline phone calls offered greater protection than secure E2EE messaging apps.

We’ve also widely covered the inappropriate use of tools such as Slack and even WhatsApp for the sharing of confidential company information.

If issues like this are evident within a business, is it indicative of a lackluster approach to data security? These are the questions that investors will be asking.

Use the right apps to show investors that you mean business

It’s also worth noting that many of the studies found that firms with board oversight of risk, and firms that were able to respond effectively to a crisis, fared better in the aftermath of an attack.

In fact, how a business manages its stakeholder relations during its recovery is one of the best indicators investors have about how well the business is prepared, and the tools it has in place to manage recovery and communicate securely.

Remember, without the right leadership, policies, and technologies in place, it’s only a matter of time before the next headline!
