The Shareholder Perspective on Security Breaches

In a forthcoming paper, we explore the stock prices of companies from just before to just after an announcement that they have been hit with a computer breach. We analyze all available public equity data by breach type and industry from 2005 through 2017 and find that, prior to the announcement of a breach, the mean cumulative abnormal return (CAR) on the target's shares is typically negative. Moreover, following the breach announcement, the mean CAR is typically positive, and often larger in magnitude than the initial CAR decline.

Counterintuitively, following the breach announcement, an increase in stock price is more likely than a decrease. A negative CAR prior to the breach announcement should serve as a signal to regulators that an information leak may have occurred. Traditionally, the SEC has studied information leaks prior to merger announcements and identified numerous instances of insider trading. Our paper suggests that regulators should also assess the trading history of a stock surrounding the announcement of a breach. In particular, the focus of the regulators should be on the weeks prior to the announcement.

Breach Types

In our paper, we divide breaches into four categories: traditional hacks, breaches caused by negligence, phishing, and breaches involving theft. Traditional hacks are relatively frequent and involve the unauthorized use of a computer to gain access to a system. The 2017 hack of Equifax resulted in wrongdoers getting access to the personal data of 147 million people. In a recent 2019 hack, the data of more than 100 million Capital One customers were accessed.

Negligent breaches are the result of weak company oversight that enables the misuse of personal information. Such breaches occurred in 2014 at AT&T call centers, where unauthorized employees stole customer data.

Phishing occurs when an external device such as a skimmer is used to obtain sensitive information such as credit card details and passwords. Between May 2017 and March 2018, unauthorized software was installed on cash registers at retailers Saks Fifth Avenue and Lord & Taylor, enabling data theft from more than 5 million customers.

A breach involving theft results when a document, computer, or computer file is misappropriated from a company. Such a breach occurred at Morgan Stanley in 2015 when an employee stole sensitive data from approximately 10 percent of its wealth management clients.

The Data

The data for this study were provided by the Privacy Rights Clearinghouse (PRC). Of 5,331 breaches between January 1, 2005, and February 23, 2017, 344 breaches occurred in public companies for which data were available. To determine whether the news of a breach announced in major media outlets is associated with market movements, we categorized the breaches into those announced in the mainstream media (e.g., Wall Street Journal, New York Times, Bloomberg Business Week) and those reported through other sources (e.g., state government sources). Of the 344 breaches, 85 were announced through the mainstream media. The breaches were classified into six industry categories: banks, large chain stores, technology companies, telecommunications firms, other financial institutions, and miscellaneous organizations.

Methodology

We used an event study to determine the relationship between public-company stock prices and breaches, with abnormal and cumulative abnormal returns derived for a period of 10 days before and 20 days after the announcement of the breach.

In cases where the breach announcement is made in the mainstream media, the announcement date is simply the date the announcement appeared. Unfortunately, due to wide variations in state requirements, the announcement may occur in some cases immediately following the breach and in other cases months later. When the announcement is not made in the mainstream media, the announcement is considered to be the date that the PRC has determined the breach was made public.

Within the 30-day period surrounding the breach announcement, we investigated 10 different time windows. These included the standard three- and five-day windows as well as other windows. The multiple windows were used to account for the possibility that the market takes longer to digest a breach announcement than it does to digest more ordinary corporate announcements. Moreover, for robustness we computed CARs using both the standard Capital Asset Pricing Model (CAPM) and a four-factor model (FF-based CARs). We applied both standard statistical tests and non-parametric tests to analyze the breach data.
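To make the event-study mechanics concrete, here is an added Python example (not code from the authors or their paper) that fits a single-factor market model on an estimation window, computes daily abnormal returns for the 10 days before and 20 days after an announcement date, and sums them into CARs for several of the windows the post mentions. The four-factor variant would add three more regressors to the same regression and is not shown. All return series are constructed, and the function names, window choices, 120-day estimation window and injected pre/post-announcement drifts are assumptions made for the illustration, not values from the study.

```python
"""Event-study CARs around a breach announcement (constructed data, not the paper's)."""
from dataclasses import dataclass


@dataclass
class MarketModel:
    """Single-factor (CAPM-style market model) fit: R_stock = alpha + beta * R_market + e."""
    alpha: float
    beta: float
    resid_sd: float


def fit_market_model(stock, market):
    """OLS of daily stock returns on daily market returns over an estimation window.
    A four-factor (FF) version would regress on four return series instead of one."""
    n = len(stock)
    if n < 3 or n != len(market):
        raise ValueError("need at least 3 matched return observations")
    mx = sum(market) / n
    my = sum(stock) / n
    sxx = sum((m - mx) ** 2 for m in market)
    sxy = sum((m - mx) * (s - my) for m, s in zip(market, stock))
    beta = sxy / sxx
    alpha = my - beta * mx
    resid = [s - (alpha + beta * m) for s, m in zip(stock, market)]
    resid_sd = (sum(r * r for r in resid) / (n - 2)) ** 0.5
    return MarketModel(alpha, beta, resid_sd)


def event_study(stock, market, event_idx, est_days=120, pre=10, post=20):
    """Fit the model on the est_days trading days ending just before the event window,
    then return (model, {relative_day: abnormal_return}) for days -pre..+post,
    where day 0 is the announcement date."""
    est_start = event_idx - pre - est_days
    if est_start < 0 or event_idx + post >= len(stock):
        raise ValueError("not enough data around the event")
    est_end = event_idx - pre  # exclusive
    model = fit_market_model(stock[est_start:est_end], market[est_start:est_end])
    ar = {}
    for d in range(-pre, post + 1):
        t = event_idx + d
        ar[d] = stock[t] - (model.alpha + model.beta * market[t])
    return model, ar


def car(ar, start, end):
    """Cumulative abnormal return over event days start..end inclusive."""
    return sum(ar[d] for d in range(start, end + 1))


def car_t_stat(model, ar, start, end):
    """Naive t-statistic: CAR divided by resid_sd * sqrt(window length)."""
    days = end - start + 1
    return car(ar, start, end) / (model.resid_sd * days ** 0.5)


# --- constructed sample data (not real prices) ---
N, EVENT = 200, 150  # 200 trading days, announcement on day 150
MARKET = [0.001 * ((t * 7) % 11 - 5) for t in range(N)]  # deterministic "market" returns
# stock = alpha 0.0002, beta 1.2, plus small deterministic noise
STOCK = [0.0002 + 1.2 * MARKET[t] + 0.0005 * ((t * 3) % 5 - 2) for t in range(N)]
# inject the pattern the post describes: a drift down in the 10 days before the
# announcement (a possible leak) and a recovery over the 21 days from day 0 onward
for d in range(-10, 0):
    STOCK[EVENT + d] -= 0.004
for d in range(0, 21):
    STOCK[EVENT + d] += 0.003

WINDOWS = [(-10, -1), (-1, 1), (-2, 2), (0, 20), (-10, 20)]


def run_example():
    """Return the fitted model and {window: (CAR, t-stat)} for the constructed event."""
    model, ar = event_study(STOCK, MARKET, EVENT)
    return model, {w: (car(ar, *w), car_t_stat(model, ar, *w)) for w in WINDOWS}


if __name__ == "__main__":
    model, results = run_example()
    print(f"alpha={model.alpha:.5f} beta={model.beta:.3f} resid_sd={model.resid_sd:.5f}")
    for (s, e), (c, t) in results.items():
        print(f"CAR[{s:+d},{e:+d}] = {c:+.4f}  t = {t:+.2f}")
```

On the constructed series the pre-announcement window shows a CAR of roughly -0.04 and the post-announcement window roughly +0.06, so the combined (-10, +20) CAR is positive, which is the shape of the result the post reports; on real data the estimation window, the factor model, and the test statistic (here a naive t-statistic, not the non-parametric tests the authors also used) all need more care.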

The results suggest that there is a statistically significant decline in returns in anticipation of the breach announcement. Interestingly, following the breach announcements, the CARs increase over the following 20 days. These results were similar for both the CAPM and FF-based CARs.

While these results may seem counterintuitive, there are plausible explanations for both the pre-announcement drop in returns and the post-announcement increase. Prior to the announcement, a number of executives at the breached firm are aware of both the breach and the date of the forthcoming announcement. There can also be a delay for a number of reasons. For example, the FBI may request that the firm delay the announcement to see if it can catch the perpetrator. Leaks can occur during the delay. Following the breach announcement, the increase in CARs may result from confidence that the company will take serious measures to prevent future breaches. Most interesting is that these results generally occur only when companies announce the breach in the media and thus control the timing of the announcement. Announcements made by governmental authorities show no distinguishing pattern of CAR declines followed by increases. This may well be because the company and its executives have no knowledge of the particular date of the forthcoming announcement.

This pattern of declines and increases is observable in virtually all of the industry categories investigated. One notable finding is that the CAR increase for large chain stores is approximately double the increase for banks. Given that they have been breached more often than other institutions have, banks may have less credibility when giving assurances that they will take effective preventative measures. Statistically significant results when categorizing breaches by type are also observed for the category of hacking. A statistically significant decline in CARs before breach announcements is observed for phishing but not for other categories (e.g., theft and negligence).

Conclusions

The pattern of negative CARs before breaches are announced in the media and increasing CARs following the announcements is observed for each of the industry categories analyzed. Moreover, the same pattern is also seen for hacking. Such leakage is similar to that observed in the case of other types of corporate announcements (e.g., acquisition announcements). Yet breach announcements are unusual in that following the announcements in the media, CARs typically increase, often by a larger amount than the initial decline. These results have significant implications for regulators, analysts, portfolio managers, and investors. In particular, the negative CARs prior to the announcements have regulatory implications given the possibility of insider trading, while the post-announcement positive CARs have trading implications for investors.

This post comes to us from professors Allen Michel at Boston University, Jacob Oded at Tel Aviv University, and Israel Shaked at Boston University. It is based on their paper, “Do Securities Breaches Matter? The Shareholder Perspective,” forthcoming in European Financial Management and available here.