Picked this up from the latest issue of Bruce Schneier's CRYPTO-GRAM, under the very terse description:
Interesting research: "Long-term market implications of data breaches, not," by Russell Lange and Eric W. Burger. The market isn't going to fix this. If we want better security, we need to regulate the market.
The "Long term implications..." link is paywalled, but there are two other recent(ish) academic papers linked.
The first one is "Market Implications of Data Breaches" by Russell Lange and Eric W. Burger (21 PDF pages, title page, ToC and references included). Its "executive summary/key findings":
- While the difference in stock price between the sampled breached companies and their peers was negative (-1.13%) in the first three days following announcement of a breach, by the 14th day the return difference had rebounded to +0.05%, and on average remained positive through the period assessed.
- For the differences in the breached companies' betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach were not meaningful at 90, 180, and 360-day post-breach periods.
- For the differences in the breached companies' beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60-day correlation 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360-day post-breach periods.
- In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R2 greater than 16.15% for response variables of 3, 14, 60, and 90-day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.
- Based on returns, the most impacted industries at the 3-day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90-day post-breach date, the 3 most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.
The second-linked FA, "How does cyber crime affect firms? The effect of information security breaches on stock returns", by Maria Cristina Arcuri, Marina Brogi and Gino Gandolfi (Parma and Roma Universities):
This paper investigates the impact of information security breaches on stock returns. Using event-study methodology, we provide empirical evidence on the effect of announcements of cyber attacks on the market value of firms from 1995 to 2015. We show that substantial negative market returns occur following announcements of cyber attacks. We find that financial entities often suffer greater negative effects than other companies. We also find that non-confidential cyber attacks are the most dangerous, especially for the financial sector. Our results seem to show a link between cyber crime and insider trading.
Hang on, what's happening here? The first FA says "no long-term effect on stocks", the second says "substantial negative market returns"? Well, the second FA only looks at the short term, at most +10 days after the breach; but some of its findings tell an interesting story. From PDF page 8, in the "Results" section:
The event windows (-5;5) and (-3;3) show mean CARs of -1.26% and -1.19% respectively. This means that significant negative market returns occur on the days prior to and after the announcement of information security breaches. Moreover, the official announcement of a cyber attack is often partly anticipated by a few days: the asymmetric event windows (-10;-1), (-5;-1) and (-3;-1) display a statistical significance at the 90% confidence level or above. Specifically, they show mean CARs of -1.08%, -0.87% and -0.90% respectively. These results imply that cyber criminals are in fact implicated in insider trading.
Ummm... can we really exclude the scenario in which upper management hides the breach for some days to arrange their affairs and then announces it? Still insider trading, but not necessarily carried out by the hackers.
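For readers who want to see what the two headline numbers actually measure, here is the event-study arithmetic behind them as an added example (not code from either paper): the first FA's return differential against a peer set over the first 3 and 14 trading days, and the second FA's cumulative abnormal return (CAR) over windows such as (-5;5) and (-3;-1), using the standard market model. The 40-day estimation window, the 10-day gap before the announcement, the peer/market return series and the firm series are all my own constructed assumptions; the firm is built to follow the market model exactly outside four hypothetical shock days around the announcement, so the CAR over any window is just the sum of the shocks that fall inside it.

```python
from statistics import mean


def cumulative_return(returns):
    """Compound simple daily returns into a single holding-period return."""
    growth = 1.0
    for r in returns:
        growth *= 1.0 + r
    return growth - 1.0


def return_differential(firm, peers, event_index, horizon_days):
    """Return differential in the sense of the first paper (my reading of it):
    the firm's cumulative return minus its peer set's over the first
    `horizon_days` trading days, counting from the announcement day."""
    window = slice(event_index, event_index + horizon_days)
    return cumulative_return(firm[window]) - cumulative_return(peers[window])


def ols(x, y):
    """Ordinary least squares fit y = alpha + beta * x (plain Python, no numpy)."""
    mx, my = mean(x), mean(y)
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    beta = sxy / sxx
    return my - beta * mx, beta


def abnormal_returns(firm, market, event_index, window, estimation_days=40, gap=10):
    """Market-model abnormal returns AR_t = R_firm,t - (alpha + beta * R_market,t)
    for each day of the event window (first, last), in days relative to
    announcement day 0. alpha/beta are fitted on `estimation_days` days that end
    `gap` days before day 0, so the fit never overlaps an event window that
    starts at day -gap or later (assumed parameters, chosen for this example)."""
    est_end = event_index - gap
    est = range(est_end - estimation_days, est_end)
    alpha, beta = ols([market[t] for t in est], [firm[t] for t in est])
    first, last = window
    return {d: firm[event_index + d] - (alpha + beta * market[event_index + d])
            for d in range(first, last + 1)}


def car(firm, market, event_index, window, **kw):
    """Cumulative abnormal return: the sum of daily ARs over the event window."""
    return sum(abnormal_returns(firm, market, event_index, window, **kw).values())


def mean_car(events, window, **kw):
    """Average CAR across a sample of (firm_returns, market_returns, event_index)
    events; this is the per-window figure the second paper reports."""
    return mean(car(f, m, e, window, **kw) for f, m, e in events)


# Constructed sample data (not from either paper): 60 trading days of daily
# returns, breach announced on day 50. The market series is a deterministic
# zig-zag; the firm follows alpha=0.05%, beta=1.2 exactly except on four
# hypothetical shock days that mimic a "leak, then announce" pattern.
DAYS, EVENT = 60, 50
MARKET = [((7 * t) % 11 - 5) / 1000 for t in range(DAYS)]
SHOCK = {-2: -0.004, -1: -0.005, 0: -0.010, 1: -0.003}
FIRM = [0.0005 + 1.2 * m + SHOCK.get(t - EVENT, 0.0) for t, m in enumerate(MARKET)]

if __name__ == "__main__":
    for w in [(-10, -1), (-5, -1), (-3, -1), (-3, 3), (-5, 5), (1, 5)]:
        print(f"CAR{w}: {car(FIRM, MARKET, EVENT, w):+.4%}")
    print(f"3-day return differential vs peers: "
          f"{return_differential(FIRM, MARKET, EVENT, 3):+.4%}")
```

Two things the numbers make obvious once you run this. The asymmetric windows (-10;-1) and (-3;-1) pick up only the pre-announcement shocks, which is exactly the signal the second FA reads as anticipation; and the return differential over a short post-announcement horizon is driven by the same day-0 drop the CAR sees, so the two papers disagree mainly about how far out you look, not about what happens in the first few days.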
(Score: 2) by GreatAuntAnesthesia on Friday February 16, @12:00PM
So, as soon as a data breach is announced, I should buy shares at a reduced price and sell them two weeks later at the rebounded price.
If this became common knowledge and everybody did it, what would the implications be? Would we see "breach-bubbles" forming around such stocks, and then an inevitable crash when the bubble pops?
Maybe that's the market incentive required.
(Score: 3, Interesting) by TheRaven on Friday February 16, @12:07PM (1 child)
First, if a regulator imposed a large fine. In the US, the regulators are either captured or toothless. The EU is starting to impose significant fines for this kind of thing, but it's sufficiently rare that if you escape the fine then there's no problem. A company with an annual profit of a few billion having to pay a few hundred thousand in fines is in the noise - it would probably cost more to have decent security practices than just to pay the fine every few years.
Second, if consumer confidence were eroded enough that they'd move to a different supplier. Unfortunately, these breaches are often one-day wonders in the press and then forgotten. How many people stopped shopping at Target after their breach? That one had direct consequences for customers (credit card numbers stolen and used fraudulently), yet it didn't seem to have any significant impact on whether people chose to shop at Target. Some of this may even be rational: you may expect that a company that's experienced a breach will upgrade their security, whereas one that hasn't yet is likely to be complacent.
(Score: 2) by GreatAuntAnesthesia on Friday February 16, @01:19PM
Or there's an element of resignation: "The bad guys already have all my data, it's no longer secret, so it doesn't matter if it gets leaked again."
Also, the fact that these data breaches don't always result in immediate, visible harm to the affected customers. How much leaked customer data never gets used for whatever reason? Maybe it's out of date, or the customer changes their passwords in time, or the bank freezes the cards in time, or the data isn't actually useful for the people who acquired it. If the majority of the time people see no consequences, of course they will be less bothered.
(Score: 0) by Anonymous Coward on Friday February 16, @12:22PM
I wonder if any studies take into account the reaction of the affected companies to the breaches? One would hope that there would be a world of difference in investor confidence between a company which quickly fixes the breach, provides a full analysis, and shores up its procedures; and a company which denies everything, and sues security professionals who report the issues.