Craig A. Newman is a partner and Maren J. Messing is an associate at Patterson Belknap Webb & Tyler LLP. This post is based on a Patterson Belknap memorandum by Mr. Newman and Ms. Messing.
[On October 24, 2018], Cathay Pacific Airlines Ltd., the Hong Kong-based international airline, disclosed that a hacker had broken into its computer system and accessed personal information for as many as 9.4 million travelers, representing the world’s largest reported airline data breach to date. Following the announcement, the airline’s shares sank the lowest that they’ve been in almost 9 years—tumbling nearly 7% and losing more than $200 million of in market value.
There is nothing extraordinary about Cathay Pacific’s stock drop—data breaches have often been accompanied by a hit to the company’s stock price. Yet, what happens next is the more consequential question: is a company’s stock price affected by a data security incident over a longer period of time?
A 2018 study by Comparitech, a UK-based technology research firm, looked at a sampling of large breaches in the past decade and found a number of patterns. First, after the initial drop in share price following a breach disclosure, the study found that share prices often rebounded quickly and caught up to NASDAQ performance within about a month.
And within a year of the breach announcement, share price was up 8.53% on average, but still underperformed the NASDAQ by -3.7%. Within two years of the breach announcement, the average share price rose 17.78%, but still underperformed the NASDAQ by -11.35%. Three years later, average share price was up by 28.71% but still lagged the NASDAQ by -15.58%.
The study, while admittedly limited in sample size, considered factors such as the sensitivity of the information that was taken, the type of company involved, and the number of records breached. Unsurprisingly, breaches that leaked highly sensitive information such as credit card information and Social Security Numbers saw larger drops in share price performance on average than breaches that compromised less sensitive info like names and addresses without additional identifying information.
There are also other variables that come into play that could affect stock price such as sector strength, competitive pressures, and other market forces.
Similar patterns have played out over the past five years. The Target Corp. breach, for example, then-considered the biggest cyber-attack on a U.S. retailer. The stock experienced a 10% drop in price in the aftermath of the security breach disclosure on December 19, 2013, but by the end of February 2014, Target had experienced the highest percentage stock price regain in five years.
Home Depot followed a similar pattern: after the hack made news on September 2, 2014 it suffered a subsequent decrease in stock price of more than 2.3%, but the company’s stock had rebounded and then some by the end of September, and then even went so far as to hit a lifetime high in December 2014.
What explains these effects?
A Harvard Business Review 2015 article examining the question of why data breaches don’t generally hurt stock prices suggests that the public still does not have meaningful metrics to measure the impact of cybersecurity breaches on businesses and translate that into a dollar value. In most cases, at the time a security breach is disclosed, it is almost impossible to assess its full implications. The initial reaction of some shareholders is to dump their positions, but many shareholders look beyond the short-term and examine the impact on other factors, such as overall security plans, profitability, cash flow, cost of capital, the potential for litigation and other legal fees typically associated with the breach, and potential changes in management.
Perhaps some savvy buyers see the dip in stock price following the initial breach announcement as an opportune time to get in on a company that they believe is undervalued and will rebound. One exception might be technology or other intellectual property-driven companies, where hackers focus on trade secret or intellectual property theft, the longer-term financial impact could be much greater and less correlated to overview market performance.
The current research and academic thinking tells us that the impact of data breaches on public company share price likely diminishes over time as headlines become distant memories. But this is far from a settled question and leaves open important variables including the fact that the harm or damage inflicted by a data breach might—in some cases—not be clear or easily determinable in the short run.
[At the time this post was written]—four trading days after the Cathay Pacific breach was announced—the company’s stock is still down, but is starting to make a recovery, opening at HK$6.34 today after falling to HK$6.2 last week. Cathay Pacific has said that the hackers mainly gained access to passenger names and contact information. Passport numbers, frequent flier member numbers and historical travel information may also have been exposed in the data breach. But as data breaches become an almost predictable cost of doing business, the longer-term impact on the company’s stock price remains an open question.