posted by Fnord666 on Friday February 16 2018, @11:19AM
from the ups-and-downs dept.

Picked this up from the latest issue of Bruce Schneier's CRYPTO-GRAM, under the very terse description of

Interesting research: "Long-term market implications of data breaches, not," by Russell Lange and Eric W. Burger. The market isn't going to fix this. If we want better security, we need to regulate the market.

The "Long term implications..." link is paywalled, but there are two other recent(ish) academic papers linked.

The first one is "Market Implications of Data Breaches" by Russell Lange and Eric W. Burger (21 PDF pages, title page, ToC and references included). Its "executive summary/key findings":

  • While the difference in stock price between the sampled breached companies and their peers was negative (-1.13%) in the first three days following announcement of a breach, by the 14th day the return difference had rebounded to +0.05%, and on average remained positive through the period assessed.
  • For the differences in the breached companies' betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360-day post-breach periods.
  • For the differences in the breached companies' beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60-day correlation 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360-day post-breach periods.
  • In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R² greater than 16.15% for response variables of 3, 14, 60, and 90-day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.
  • Based on returns, the most impacted industries at the 3-day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90-day post-breach date, the 3 most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.

The second-linked FA, "How does cyber crime affect firms? The effect of information security breaches on stock returns", by Maria Cristina Arcuri, Marina Brogi and Gino Gandolfi (Parma and Roma Universities):

This paper investigates the impact of information security breaches on stock returns. Using event-study methodology, we provide empirical evidence on the effect of announcements of cyber attacks on the market value of firms from 1995 to 2015. We show that substantial negative market returns occur following announcements of cyber attacks. We find that financial entities often suffer greater negative effects than other companies. We also find that non-confidential cyber attacks are the most dangerous, especially for the financial sector. Our results seem to show a link between cyber crime and insider trading.

Hang on, what's happening here? The first FA says "No long term effect on stocks", the second says "substantial negative market returns"? Well, the second FA looks only at the short term - at most +10 days after the breach - but some of the findings tell an interesting story. PDF-page-8, in the "Results" section:

The event windows (-5;5) and (-3;3) show mean CARs of -1.26% and -1.19% respectively. This means that significant negative market returns occur on the days prior to and after the announcement of information security breaches. Moreover, the official announcement of a cyber attack is often partly anticipated by a few days: the asymmetric event windows (-10;-1), (-5;-1) and (-3;-1) display a statistical significance at the 90% confidence level or above. Specifically, they show mean CARs of -1.08%, -0.87% and -0.90% respectively.
These results imply that cyber criminals are in fact implicated in insider trading.

Ummm... can we really exclude the scenario in which the upper management hide the breach for some days to arrange their affairs and then announce the breach? Still insider trading, but not necessarily carried out by the hackers.


  • (Score: 3, Interesting) by GreatAuntAnesthesia on Friday February 16 2018, @12:00PM (1 child)

    by GreatAuntAnesthesia (3275) on Friday February 16 2018, @12:00PM (#638776) Journal

    in the first three days following announcement of a breach, by the 14th day the return difference had rebounded to +0.05%

    So, as soon as a data breach is announced, I should buy shares at a reduced price and sell them two weeks later at the rebounded price.

    If this became common knowledge and everybody did it, what would the implications be? Would we see "breach-bubbles" forming around such stocks, and then an inevitable crash when the bubble pops?
    Maybe that's the market incentive required.

    • (Score: 2) by legont on Friday February 16 2018, @07:47PM

      by legont (4179) on Friday February 16 2018, @07:47PM (#638985)

      For a bubble to form, an unreasonable source of money is needed. Purely speculatively - just as a thought exercise - this one could have been financed by shorting volatility. The volatility bubble popped spectacularly a few days ago, so it may be interesting to see if the observed tendency suddenly reverses. Perhaps those corporate morons suddenly start to feel the punishment for the risky behavior.

      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 5, Interesting) by TheRaven on Friday February 16 2018, @12:07PM (14 children)

    by TheRaven (270) on Friday February 16 2018, @12:07PM (#638777) Journal
    There are two reasons that a breach would affect stock price:

    First, if a regulator imposed a large fine. In the US, the regulators are either captured or toothless. The EU is starting to impose significant fines for this kind of thing, but it's sufficiently rare that if you escape the fine then there's no problem. A company with an annual profit of a few billion having to pay a few hundred thousand in fines is in the noise - it would probably cost more to have decent security practices than just to pay the fine every few years.

    Second, if consumer confidence were eroded enough that they'd move to a different supplier. Unfortunately, these breaches are often one-day wonders in the press and then forgotten. How many people stopped shopping at Target after their breach? That one had direct consequences for customers (credit card numbers stolen and used fraudulently), yet it didn't seem to have any significant impact on whether people chose to shop at Target. Some of this may even be rational: you may expect that a company that's experienced a breach will upgrade their security, whereas one that hasn't yet is likely to be complacent.

    --
    sudo mod me up
    • (Score: 3, Insightful) by GreatAuntAnesthesia on Friday February 16 2018, @01:19PM (1 child)

      by GreatAuntAnesthesia (3275) on Friday February 16 2018, @01:19PM (#638785) Journal

      you may expect that a company that's experienced a breach will upgrade their security, whereas one that hasn't yet is likely to be complacent.

      Or there's an element of resignation: "The bad guys already have all my data, it's no longer secret, so it doesn't matter if it gets leaked again."

      Also, the fact that these data breaches don't always result in immediate, visible harm to the affected customers. How much leaked customer data never gets used for whatever reason? Maybe it's out of date, or the customer changes their passwords in time, or the bank freezes the cards in time, or the data isn't actually useful for the people who acquired it. If the majority of the time people see no consequences, of course they will be less bothered.

      • (Score: 0) by Anonymous Coward on Friday February 16 2018, @09:18PM

        by Anonymous Coward on Friday February 16 2018, @09:18PM (#639044)

        ... or the bank freezes the cards in time ...

        For credit cards this doesn't even matter. In most cases neither the cardholder nor the issuing bank give two shits about unauthorized charges. The charge gets reversed and then whoever accepted the card eats the loss.

    • (Score: 3, Insightful) by Thexalon on Friday February 16 2018, @02:59PM (6 children)

      by Thexalon (636) on Friday February 16 2018, @02:59PM (#638820)

      Those two factors are precisely why when major corporations experience a data breach, they view it entirely as a public relations problem, not a technical problem. And the PR response will invariably make the following statements:
      1. These kinds of things have happened to many other firms before.
      2. Such breaches are essentially inevitable. There was absolutely nothing the firm could have done to prevent it.
      3. Nevertheless, we're making some technical changes that will prevent it. (this directly contradicts the previous point, but consistency is the antithesis of PR)
      4. If you go through a convoluted rigamarole, we'll give you a nice cheap identity theft insurance policy (that's only good for 1 year, and nigh-impossible to actually get, and may not pay out once the media attention has gone away).

      And if they do that well enough, their bottom line is barely affected, and thus their stock price is barely affected. And if you need further proof of that, consider that Equifax is still in business and doing just fine.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 3, Insightful) by krishnoid on Friday February 16 2018, @08:00PM (5 children)

        by krishnoid (1156) on Friday February 16 2018, @08:00PM (#638996)

        If you go through a convoluted rigamarole, we'll give you a nice cheap identity theft insurance policy (that's only good for 1 year, and nigh-impossible to actually get, and may not pay out once the media attention has gone away).

        Identity theft, data breaches, all that stuff might be mumbo-jumbo to people outside the computing field. But talk to them about data breach insurance just like any other type of insurance, and they'll probably understand somewhat better.

        Get it into the CFO's head that better customer data security means a discount on insurance (or insurability in the first place), and get it into the investors' heads that insurance is about risk management, and maybe the idea will pick up speed on its own?

        • (Score: 3, Insightful) by Thexalon on Friday February 16 2018, @08:32PM (4 children)

          by Thexalon (636) on Friday February 16 2018, @08:32PM (#639017)

          Here's the problem: Right now, companies don't actually insure against that risk until it's already happened. It's cheaper to take the risk, go through this PR dance when that risk-taking fails, and as noted in TFA ultimately have no consequences whatsoever for your bottom line or the career of anybody in management (they'll instead fire some junior tech staffer who had no say in any of the decisions that led to the data breach).

          If I were in a position to push legislation to deal with this, I would in fact demand that all companies that store customer data carry insurance against data breaches, for all the reasons you mentioned. The insurance companies would then do what they do best, namely determining risks and pricing them appropriately while offering discounts for reducing that risk.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 2) by krishnoid on Friday February 16 2018, @09:16PM

            by krishnoid (1156) on Friday February 16 2018, @09:16PM (#639043)

            I'm tempted to ask the next credit card/financial/pretty much any company I sign up with, not what their data security practices are (which can be talked around), but whether they have data breach insurance, through whom, and what it pays out to affected users in the event of a breach. Maybe if more people did that, it would lead to regulating these kinds of things and eventually suck all the fun out of the wild wild west of the Internet.

          • (Score: 0) by Anonymous Coward on Friday February 16 2018, @09:27PM (2 children)

            by Anonymous Coward on Friday February 16 2018, @09:27PM (#639051)

            If I were in a position to push legislation to deal with this, I would in fact demand that all companies that store customer data carry insurance against data breaches, for all the reasons you mentioned. The insurance companies would then do what they do best, namely determining risks and pricing them appropriately while offering discounts for reducing that risk.

            What damages would this hypothetical "data breach insurance" cover? Who would be eligible to make claims? How will damages be assessed?

            These data breaches don't cost the company anything worth mentioning. The insurance provider will pay out approximately $0, and premiums will be set accordingly...

            • (Score: 2) by Thexalon on Friday February 16 2018, @10:17PM (1 child)

              by Thexalon (636) on Friday February 16 2018, @10:17PM (#639082)

              What damages would this hypothetical "data breach insurance" cover? Who would be eligible to make claims? How will damages be assessed?

              Who would be eligible to make claims: All people affected by the breach. How would damages be assessed: Presumably, since these folks are offering some kind of identity protection program after these breaches, they've already priced that in.

              Part of the point of doing all this is that by forcing the insurance payment, you create a financial incentive to:
              - Not collect personally identifying customer information at all, or delete old information. Does a big-box store really need to know how frequently somebody identified by zip code and the last 4 digits of their credit card bought paper towels in 2014? Because right now they do know that kind of thing, even though it's completely useless for them to know it.
              - Improve the security of information systems. Right now, techies arguing for this basically can say "Because otherwise there might be a data breach". That's nowhere near as powerful to a business as "For X number of hours from our IT staff, you'll save $Y on insurance every year".

              --
              The only thing that stops a bad guy with a compiler is a good guy with a compiler.
              • (Score: 2) by krishnoid on Saturday February 17 2018, @02:04AM

                by krishnoid (1156) on Saturday February 17 2018, @02:04AM (#639168)

                Does a big-box store really need to know how frequently somebody identified by zip code and the last 4 digits of their credit card bought paper towels in 2014? Because right now they do know that kind of thing, even though it's completely useless for them to know it.

                Target may have your number [businessinsider.com] on this one. In this example, maybe the 2014 data isn't currently relevant, but age everyone forward 4 years, and match buying needs accordingly.

    • (Score: 0) by Anonymous Coward on Friday February 16 2018, @03:58PM (3 children)

      by Anonymous Coward on Friday February 16 2018, @03:58PM (#638851)

      it would probably cost more to have decent security practices than just to pay the fine every few years.

      This is a variation on a common theme: almost any kind of security practice has costs associated with it and those costs are very often greater than any expected benefit. This is often true for large corporations as well as individuals. Thus almost nobody cares about security and such behaviour is rational.

      How many people stopped shopping at Target after their breach? That one had direct consequences for customers (credit card numbers stolen and used fraudulently), yet it didn't seem to have any significant impact on whether people chose to shop at Target.

      Using this as an example... the cost to an individual having their credit card used fraudulently is very close to zero. This usually requires a handful of phone calls to sort out and some inconvenience for a few days while waiting for the card to be reissued.

      Usually the costs for fraudulent transactions are borne by the poor merchant who accepts the stolen card. This is not the cardholder and probably not Target either. But even they don't care very much, because the vast majority of transactions are not fraudulent and they have decided that the benefits of accepting credit card payments outweighs those risks.

      • (Score: 2) by HiThere on Friday February 16 2018, @06:39PM (2 children)

        by HiThere (866) Subscriber Badge on Friday February 16 2018, @06:39PM (#638927) Journal

        If you think the cost to an individual is close to zero, then you've never had it happen to you. It doesn't even require obvious criminal actions, just some people getting their records confused and not being willing to fix them, which leads to severe problems...but only for the individual, who has essentially no power to fix the problem.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
        • (Score: 1, Interesting) by Anonymous Coward on Friday February 16 2018, @09:09PM (1 child)

          by Anonymous Coward on Friday February 16 2018, @09:09PM (#639037)

          Sure, I have done this before.

          Credit cards are empowering for individuals because unlike most other forms of payment, you still have all your money after fraudulent charges are posted. Since the cardholder is not responsible for unauthorized charges, when such a charge is discovered you call the issuer and get it reversed. This usually takes less than 10 minutes. Normally the card is then cancelled and a new one is issued.

          If you have any recurring transactions then those need to be moved to the new card. This could be annoying if you have a lot of those; it took me about an hour.

          The impact of being unable to use a credit card until receiving a new one will vary depending on circumstance. Having your card cancelled while travelling abroad is likely way worse than just not being able to use it on amazon for a couple days...

          • (Score: 0) by Anonymous Coward on Saturday February 17 2018, @11:19AM

            by Anonymous Coward on Saturday February 17 2018, @11:19AM (#639291)

            Having your card cancelled while travelling abroad is likely way worse

            Easily solved by having more than one credit card and only using one for all online stuff. That way if there's a breach you just lose one card.

    • (Score: 5, Informative) by DeathMonkey on Friday February 16 2018, @07:01PM

      by DeathMonkey (1380) on Friday February 16 2018, @07:01PM (#638949) Journal

      In the US, the regulators are either captured or toothless.

      We had a regulator with teeth but the Trump admin defunded it.

      They also decided to give Equifax a free pass. [salon.com]

  • (Score: 0) by Anonymous Coward on Friday February 16 2018, @12:22PM (1 child)

    by Anonymous Coward on Friday February 16 2018, @12:22PM (#638779)

    I wonder if any studies take into account the reaction of the affected companies to the breaches? One would hope that there would be a world of difference in investor confidence between a company which quickly fixes the breach, provides a full analysis, and shores up its procedures; and a company which denies everything, and sues security professionals who report the issues.

    • (Score: 2) by leftover on Friday February 16 2018, @04:50PM

      by leftover (2448) on Friday February 16 2018, @04:50PM (#638888)

      Hmmm. The first time any major business does so we might learn something.

      --
      Bent, folded, spindled, and mutilated.
  • (Score: 3, Informative) by goodie on Friday February 16 2018, @02:22PM

    by goodie (1877) on Friday February 16 2018, @02:22PM (#638802) Journal

    I'd probably read #2 first, if anything for the methods. These kinds of effects are usually best evaluated with event studies. The first study performs simple regression at different time intervals without necessarily controlling for other exogenous effects that could influence stock price. The second study should have, if it applied the event study method properly; that method is used to measure cumulative abnormal returns (CAR) following an external (or internal, as in an announcement of some fancy new tech) shock.
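The event-study arithmetic behind the mean CARs quoted in the story summary, and behind goodie's point that event studies measure cumulative abnormal returns, is shown in this added example; it is not code from either paper or from any commenter. It fits a market model on a constructed estimation window, computes abnormal returns over the second paper's event windows, including the asymmetric pre-announcement windows (-10;-1), (-5;-1) and (-3;-1), and attaches a simple t-statistic; the returns, the model parameters ALPHA and BETA, and the injected pre-announcement drop are all constructed for illustration.

```python
"""Market-model event study around a breach announcement (day 0).

Added illustration, not code from either paper. Every number below is
constructed: a tiny estimation window (real studies use 100+ trading days),
a market index, and a firm whose true model is R_firm = ALPHA + BETA*R_mkt
plus an injected price drop in the days just before the announcement.
"""
from math import sqrt

ALPHA, BETA = 0.0005, 1.2  # constructed "true" market-model parameters

# Estimation window (constructed). The residuals sum to zero and are
# orthogonal to the market returns, so OLS recovers ALPHA and BETA exactly
# and the residual standard deviation is known in closed form.
EST_MARKET = [0.01, -0.01, 0.02, -0.02, 0.005, -0.005, 0.015, -0.015]
EST_NOISE = [0.001, 0.001, -0.001, -0.001, 0.002, 0.002, -0.002, -0.002]
EST_FIRM = [ALPHA + BETA * m + e for m, e in zip(EST_MARKET, EST_NOISE)]

# Event window: trading days -10 .. +10 relative to the announcement.
EV_DAYS = list(range(-10, 11))
EV_MARKET = [0.003, -0.002, 0.004, 0.0, -0.001, 0.002, -0.003, 0.001, 0.0, 0.002,
             -0.004, 0.001, 0.003, -0.002, 0.0, 0.001, -0.001, 0.002, 0.0, -0.003, 0.001]
# Constructed abnormal moves: selling starts three days BEFORE the announcement,
# the pattern the paper's asymmetric windows are designed to pick up.
LEAK = {-3: -0.004, -2: -0.003, -1: -0.002, 0: -0.006, 1: -0.002}
EV_FIRM = [ALPHA + BETA * m + LEAK.get(d, 0.0) for d, m in zip(EV_DAYS, EV_MARKET)]


def ols(x, y):
    """Least-squares fit y = alpha + beta*x; returns (alpha, beta, residual_std)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    beta = sxy / sxx
    alpha = my - beta * mx
    resid = [yi - (alpha + beta * xi) for xi, yi in zip(x, y)]
    return alpha, beta, sqrt(sum(r * r for r in resid) / (n - 2))


def abnormal_returns(est_market, est_firm, ev_days, ev_market, ev_firm):
    """AR_t = R_firm,t - (alpha + beta*R_mkt,t), keyed by event day."""
    alpha, beta, sigma = ols(est_market, est_firm)
    ar = {d: f - (alpha + beta * m) for d, m, f in zip(ev_days, ev_market, ev_firm)}
    return ar, sigma


def car(ar, start, end):
    """Cumulative abnormal return over the window (start; end), inclusive."""
    return sum(ar[d] for d in range(start, end + 1))


def car_tstat(ar, sigma, start, end):
    """CAR / (sigma * sqrt(L)): the usual test statistic under the market model."""
    length = end - start + 1
    return car(ar, start, end) / (sigma * sqrt(length))


def breach_event_study():
    """CAR and t-statistic for the windows quoted from the second paper."""
    ar, sigma = abnormal_returns(EST_MARKET, EST_FIRM, EV_DAYS, EV_MARKET, EV_FIRM)
    windows = [(-10, -1), (-5, -1), (-3, -1), (-5, 5), (-3, 3), (0, 0)]
    return {w: (car(ar, *w), car_tstat(ar, sigma, *w)) for w in windows}


if __name__ == "__main__":
    for (start, end), (c, t) in breach_event_study().items():
        flag = "significant at 90%" if abs(t) > 1.645 else ""
        print(f"({start:>3};{end:>2})  CAR = {c:+.2%}  t = {t:+.2f}  {flag}")
```

With these constructed inputs the narrow pre-announcement windows come out significant at the 90% level while the wider (-10;-1) window does not, which is why widening the pre-window dilutes rather than strengthens evidence of anticipation.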

  • (Score: 2) by fadrian on Friday February 16 2018, @03:51PM (4 children)

    by fadrian (3194) on Friday February 16 2018, @03:51PM (#638845) Homepage

    My God! It's something the free market doesn't fix. That should trigger the Libertarians!

    --
    That is all.
    • (Score: 0) by Anonymous Coward on Friday February 16 2018, @04:00PM

      by Anonymous Coward on Friday February 16 2018, @04:00PM (#638854)

      The free market is working as intended. There is no problem to fix and so the market value of solutions to such non-problems is zero.

    • (Score: 5, Insightful) by GreatAuntAnesthesia on Friday February 16 2018, @04:56PM (1 child)

      by GreatAuntAnesthesia (3275) on Friday February 16 2018, @04:56PM (#638890) Journal

      You have it the wrong way round. The free market isn't there to "fix" things. It doesn't exist to serve humanity. Humanity exists to serve the market. We must offer it no resistance or impedance, we must immediately present whatever cruel sacrifice it demands, we must submit to its every whim and suffer its every tantrum, for The Market is pure and divine and all who worship The Market shall be SUPREMELY FREE FOREVER!!!!!1

      1 Only while stocks of supreme immortal freedom last. Offer may be withdrawn at any time, for any reason, especially if you happen to be poor. Market freedoms shall take precedence over all other freedoms. Free Market(tm) reserves the right to devolve into a monopolistic cartel, oligarchic dynasty or apocalyptic feudal dystopia without notice. Supreme immortal freedom may be granted in the form of relentless, grinding servitude to those more supremely, immortally free than you are.

      • (Score: 0) by Anonymous Coward on Friday February 16 2018, @06:58PM

        by Anonymous Coward on Friday February 16 2018, @06:58PM (#638944)

        This message brought to you by Libertarians for Liberty! May we all remain free to fuck each other over for eternity.

    • (Score: 0) by Anonymous Coward on Friday February 16 2018, @07:40PM

      by Anonymous Coward on Friday February 16 2018, @07:40PM (#638972)

      If people are not willing to pay for something in the market, then that's the end of the story. If you want to take my money, if you want to make me pay for something, well, maybe you have that power, but it will not be a free market and you will do so by threat of violence (tax evasion = jail).

      Such a fallacious statement. If people don't care about security enough to pay or change their purchasing habits and you disagree with that genuine expression of will, all of a sudden it's a market failure?

      what a joke!

  • (Score: 1) by vali.magni on Saturday February 17 2018, @07:07AM

    by vali.magni (5678) on Saturday February 17 2018, @07:07AM (#639253)
    Company "finds" breach, upper management is notified, they dump shares as did the Intel top brass recently, the announcement is made public (after notifying the Chinese first), the company takes a hit PR-wise, no significant fines or monetary impact otherwise, BAU in a few days.

    Harsh sanctions that affect the companies' earnings and stock value, as the GDPR proposes, are what we need. The GDPR prescribes a fine of up to 20 million Euro or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, in some cases.

    Criminal prosecution of senior management and jail time will also bring about the desired changes very rapidly. Imagine how differently things would have turned out had Brian Krzanich and all his henchmen faced 15 years in jail.
