A recent academic study by Daniele Bianchi and Onur Kemal Tosun analysed the market reaction to 41 deliberate (ie criminal) security breaches that occurred in large US firms between 2004 and 2016. The authors found that firms experiencing such a security breach experienced a loss in value of between 1 and 1.5% over a period of 2-3 days around the first public announcement of the breach. Given that the firms involved were amongst some of the largest corporations in the US, this equates to losses of billions of dollars to shareholders for each incident. Interestingly, the study also found that security breaches had long-term effects on the companies affected, specifically they observed:
- Reduced spending on Research and Development activity; and
- Reduced dividends to shareholders
Over a five-year period after the breach. Finally, and perhaps surprisingly, the authors also found that:
- The pay of CEOs in affected firms increased after a breach relative to unaffected firms; and
- Security breaches had no effect on the rate of CEO turnover.
This would seem to contradict recent high-profile examples, such as TalkTalk and Equifax; where CEOs left shortly after breaches.
Follow the link to our Downloads section to see more data on “The Cost of Disruptions”.