How do information security announcements affect stock markets … – BCS

Cyber security is certainly gaining traction at board level, especially since the advent of remote working with the COVID-19 pandemic and, more recently, high profile ransomware attacks such as that of Royal Mail. The IBM ‘Cost of a Data Breach Report 2022’ cites the average cost of a breach to an organisation as US$4.35m, with 83% of companies having experienced more than one breach.

The figure here is an activity-based cost of identifying and containing the breach, notifying the relevant authorities, paying any infringement fine and carrying out post-breach mitigating actions concerning lost business and reputational damage. Such costs would include both internal effort as well as that of external consultants where needed.

If your company happens to be publicly listed, though, your CEO will surely also be keeping a close watch on the share price (market value) – and therein lies the focus of this article.

Event Study Methodology (ESM)

ESM is a commonly used method for analysing market reactions to new information such as earnings announcements, mergers and acquisitions and director dealings. The basis of ESM is to carry out a regression analysis of how the share price of a firm moves in relation to a market reference (such as the FTSE100) over a period of, say, six months (known as the ‘estimation window’) and use that regression model to calculate an expected price during the period of a few days before (possibly), during and after the announcement (the ‘event window’). The difference between the actual and expected price is known as an ‘abnormal return’ (AR). If the AR is negative, the actual price is lower than expected: the market has reacted badly to the event, resulting in a loss of market value (an ‘unfavourable event’). For good news (a ‘favourable event’), such as a firm making a positive earnings announcement, one would expect a positive AR.

If we apply ESM to the field of information security, examples of unfavourable events would be a data breach or a data privacy infringement fine, and an example of a favourable event might be the appointment of a new Chief Information Security Officer (CISO). In ESM studies we tend to look at daily ARs and sum them over the event window, giving a cumulative abnormal return (CAR); when examining multiple events, a cumulative average abnormal return (CAAR) is quoted. To ensure reliable results, a caveat of ESM is that there are no other confounding events during the event window. This, of course, is unlikely when the window is only a few days in length and we are just looking within the firm itself, but we also have to consider events impacting the markets in general, such as the COVID-19 pandemic. For that reason, our studies looked only at events before 31/12/19.
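The mechanics described above (estimation-window regression, expected return, AR, CAR and CAAR) are straightforward to reproduce. The following is an added illustration written for this page, not code from the article or its authors. It uses the standard single-factor market model fitted by ordinary least squares on daily returns, which is an assumption about how the authors modelled the price relationship, and all price and return series in it are constructed sample data, not figures from the study. The simple t-statistic (CAR divided by the residual standard deviation scaled by the square root of the window length) is one common way of judging whether a CAR is distinguishable from zero; the article does not say which test it used.

```python
"""Market-model event study: estimation-window OLS, abnormal returns, CAR, CAAR.

Added example with constructed data; it is not the article's own code.
"""
import math
import random
import statistics
from typing import Sequence


def returns_from_prices(prices: Sequence[float]) -> list[float]:
    """Simple daily returns r_t = P_t / P_{t-1} - 1 from a closing-price series."""
    return [p1 / p0 - 1.0 for p0, p1 in zip(prices[:-1], prices[1:])]


def fit_market_model(stock: Sequence[float], market: Sequence[float]):
    """OLS of stock returns on market-reference returns over the estimation window.

    Returns (alpha, beta, residual_sd). residual_sd is the noise level of the
    firm's returns around the model and is reused when testing the CAR.
    """
    if len(stock) != len(market) or len(stock) < 3:
        raise ValueError("estimation window needs matching series of >= 3 days")
    mean_m = statistics.fmean(market)
    mean_s = statistics.fmean(stock)
    sxx = sum((m - mean_m) ** 2 for m in market)
    sxy = sum((m - mean_m) * (s - mean_s) for m, s in zip(market, stock))
    beta = sxy / sxx
    alpha = mean_s - beta * mean_m
    residuals = [s - (alpha + beta * m) for s, m in zip(stock, market)]
    # n - 2 degrees of freedom because two parameters (alpha, beta) were fitted
    residual_sd = math.sqrt(sum(e * e for e in residuals) / (len(residuals) - 2))
    return alpha, beta, residual_sd


def abnormal_returns(stock_event, market_event, alpha, beta) -> list[float]:
    """AR_t = actual return - expected return predicted by the fitted model."""
    return [s - (alpha + beta * m) for s, m in zip(stock_event, market_event)]


def car(ars: Sequence[float]) -> float:
    """Cumulative abnormal return: the ARs summed over the event window."""
    return sum(ars)


def car_t_stat(car_value: float, residual_sd: float, window_len: int) -> float:
    """CAR / standard error, assuming daily ARs are independent and share the
    estimation-window residual variance (the usual simple ESM significance test)."""
    return car_value / (residual_sd * math.sqrt(window_len))


def caar(ar_lists: Sequence[Sequence[float]]) -> float:
    """Cumulative average abnormal return across several events that share the
    same event-window length: the mean of the individual CARs."""
    return statistics.fmean(car(ars) for ars in ar_lists)


def event_study(est_stock, est_market, ev_stock, ev_market) -> dict:
    """Fit on the estimation window, then evaluate the event window."""
    alpha, beta, sd = fit_market_model(est_stock, est_market)
    ars = abnormal_returns(ev_stock, ev_market, alpha, beta)
    c = car(ars)
    return {"alpha": alpha, "beta": beta, "ar": ars, "car": c,
            "t": car_t_stat(c, sd, len(ars))}


if __name__ == "__main__":
    # Constructed data: ~six months (125 trading days) of daily returns for a
    # market reference and a firm that tracks it with beta ~1.1 plus noise.
    rng = random.Random(42)
    est_market = [rng.gauss(0.0003, 0.010) for _ in range(125)]
    est_stock = [0.0002 + 1.1 * m + rng.gauss(0.0, 0.006) for m in est_market]
    # Constructed three-day event window (day before, announcement day, day after)
    # for a hypothetical breach announcement: the firm drops while the market is flat.
    ev_market = [0.002, -0.001, 0.004]
    ev_stock = [0.001, -0.030, -0.012]
    result = event_study(est_stock, est_market, ev_stock, ev_market)
    print(f"alpha={result['alpha']:.5f} beta={result['beta']:.3f}")
    print("daily AR:", [f"{a:+.4f}" for a in result["ar"]])
    print(f"CAR={result['car']:+.4f}  t={result['t']:+.2f}")
```

Sign conventions follow the article: a negative CAR means the firm underperformed what the market model predicted over the window. Note that the estimation window is deliberately fitted on returns, not raw prices, so that the alpha and beta are not dominated by the price level; with a t-statistic near zero, as the article says of its overall UK/EU sample, the CAR is treated as zero.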

Data breaches

A number of ESM studies have been carried out in the past regarding data breaches, although with a very strong US bias – most likely due to the greater maturity of data breach notification laws Stateside and the existence of readily accessible breach databases such as Privacy Rights Clearinghouse. Earlier sources cite negative CAARs of between 1 and 2%, with more recent studies leaning toward less negative figures (ca. -0.3%) yet acknowledging the existence of certain ‘catastrophic’ cases.

Due to the lack of a comprehensive breach database for Europe, we hand-gathered a dataset of 45 events involving UK/EU listed companies to compare and contrast with previous US-centric studies. Interestingly, we also found a variation in results, with a catastrophic example (Travelex) and even a positive CAAR for the consumer defensive sector, but overall no statistically significant CAAR (which under ESM means we have to assume zero). One notable exception was the Spanish market, which seemed to be more sensitive and to react more rapidly to data breach announcements (a loss of 1% over the two days during and after the announcement). There was also weak evidence of some expected trends, similar to the US market, of larger breaches (more records) or personal (sensitive) data yielding greater losses, although it seemed the UK/EU financial services sectors did not respond as rapidly as the US. It certainly seems as though markets are becoming less sensitive to data breaches in general over time.

Infringement fines

Due to the relatively recent introduction (2018) of the General Data Protection Regulation (GDPR), there was not a great deal of literature available on the subject. That said, a comprehensive data source of infringement fines and penalties imposed by data protection authorities within the EU, the ‘Enforcement Tracker’, was readily available. We analysed a dataset of 25 GDPR infringement fine announcements from the Enforcement Tracker related to publicly listed companies and found CARs of 1% up to three days after the announcement of an infringement fine, with the Spanish and Romanian markets being particularly sensitive. It was also found that the drop in market value was much larger than the monetary value of the fine itself – around 29,000 times larger on average.

Source: Assent.InfoSec