Dr Adrian Ford MBCS explores how markets react to information security incident announcements about publicly listed companies. Three types of events are investigated: data breaches, GDPR infringement fines and CISO appointments.

Cyber security is certainly gaining traction at board level, especially since the advent of remote working with the COVID-19 pandemic and, more recently, high profile ransomware attacks such as that of Royal Mail. The IBM ‘Cost of a Data Breach Report 2022’ cites the average cost of a breach to an organisation as US$4.35m, with 83% of companies having experienced more than one breach.

The figure here is an activity-based cost of identifying and containing the breach, notifying the relevant authorities, paying any infringement fine and carrying out post-breach mitigating actions concerning lost business and reputational damage. Such costs would include both internal effort as well as that of external consultants where needed.

If your company happens to be publicly listed, though, your CEO will surely also be keeping a close watch on the share price (market value), and therein lies the focus of this article.

Event Study Methodology (ESM)

A commonly used method for analysing market reactions to new information, such as earnings announcements, mergers and acquisitions and director dealings, is ESM. The basis of ESM is to regress the daily returns of a firm's shares against those of a market reference (such as the FTSE 100) over a period of, say, six months (the ‘estimation window’), and then to use that regression model (the ‘market model’) to calculate the return one would expect on each day of a short period spanning the announcement: possibly a few days before, the announcement day itself and a few days after (the ‘event window’). The difference between the actual return and the expected return on a given day is known as the ‘abnormal return’ (AR). A negative AR means the shares performed worse than the market model predicted, i.e. the market has reacted badly to the event and the firm has lost market value (an ‘unfavourable event’). For good news (a ‘favourable event’), such as a firm making a positive earnings announcement, one would expect a positive AR.

If we apply ESM to the field of information security, examples of unfavourable events would be a data breach or a data privacy infringement fine, and an example of a favourable event might be the appointment of a new Chief Information Security Officer (CISO). In ESM studies we tend to look at daily ARs and sum them over the event window to give a cumulative abnormal return (CAR); when examining multiple events, the average of the CARs across those events, the cumulative average abnormal return (CAAR), is quoted. A caveat of ESM is that, for the results to be reliable, there must be no other confounding events during the event window. Within the firm itself this is unlikely to be a problem when the window is only a few days long, but we also have to consider events affecting the markets in general, such as the COVID-19 pandemic. For that reason, our studies looked only at events before 31 December 2019.
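The calculation described above, written out as an added example (this is not code from the original article or from the author's studies): a market-model regression over an estimation window, daily ARs and the CAR over a three-day event window around an announcement, and a CAAR with the cross-sectional t-statistic used to decide whether it differs from zero. The return series, the 1.2 beta, the -5% announcement-day shock and the handful of CARs pooled into the CAAR are all constructed for illustration and are not real market data.

```python
"""Market-model event study: fit alpha/beta on an estimation window, then
compute abnormal returns (AR), cumulative abnormal return (CAR) over the
event window, and cumulative average abnormal return (CAAR) across events."""
from math import sqrt
from statistics import mean, stdev


def daily_returns(prices):
    """Simple daily returns from a series of closing prices."""
    return [(p1 - p0) / p0 for p0, p1 in zip(prices, prices[1:])]


def fit_market_model(firm, market):
    """OLS fit of R_firm = alpha + beta * R_market over the estimation window.
    Returns (alpha, beta, residual variance)."""
    n = len(firm)
    mx, my = mean(market), mean(firm)
    sxx = sum((x - mx) ** 2 for x in market)
    sxy = sum((x - mx) * (y - my) for x, y in zip(market, firm))
    beta = sxy / sxx
    alpha = my - beta * mx
    resid = [y - (alpha + beta * x) for x, y in zip(market, firm)]
    var = sum(r * r for r in resid) / (n - 2)   # two parameters estimated
    return alpha, beta, var


def abnormal_returns(firm, market, alpha, beta):
    """AR_t = actual return minus the return the market model predicts."""
    return [y - (alpha + beta * x) for x, y in zip(market, firm)]


def event_study(firm_ret, market_ret, event_idx, est_len, pre, post):
    """Single-firm event study on aligned daily return series.

    The estimation window is the est_len trading days ending just before the
    event window; the event window runs from `pre` days before to `post` days
    after the announcement day at index event_idx. The t-statistic for
    CAR = 0 treats the estimation-window residual variance as the variance of
    each daily AR (the simplest common choice)."""
    ev_start, ev_end = event_idx - pre, event_idx + post + 1
    est_start = ev_start - est_len
    if est_start < 0 or ev_end > len(firm_ret):
        raise ValueError("not enough data around the event")
    alpha, beta, var = fit_market_model(firm_ret[est_start:ev_start],
                                        market_ret[est_start:ev_start])
    ars = abnormal_returns(firm_ret[ev_start:ev_end],
                           market_ret[ev_start:ev_end], alpha, beta)
    car_value = sum(ars)
    t_stat = car_value / sqrt(len(ars) * var)
    return {"alpha": alpha, "beta": beta, "ar": ars, "car": car_value, "t": t_stat}


def caar(cars):
    """CAAR across N events plus the cross-sectional t-statistic."""
    avg = mean(cars)
    return avg, avg / (stdev(cars) / sqrt(len(cars)))


def is_significant(t_stat, critical=1.96):
    """Two-sided test at roughly the 5% level. An insignificant CAAR is taken
    to be zero, which is the convention the article refers to."""
    return abs(t_stat) >= critical


# --- constructed sample data (not real market data) -------------------------
# 20-day estimation window of market returns followed by a 3-day event window
# (day before, announcement day, day after).
MARKET = [0.004, -0.006, 0.012, -0.003, 0.007, -0.010, 0.002, 0.009, -0.005, 0.001,
          -0.008, 0.011, 0.003, -0.004, 0.006, -0.002, 0.010, -0.007, 0.005, -0.001,
          0.003, -0.005, 0.002]
TRUE_ALPHA, TRUE_BETA = 0.001, 1.2   # assumed "true" market model for the firm
# Small alternating idiosyncratic noise during estimation, then a -5% shock on
# announcement day and a further -1% the day after (the breach reaction).
NOISE = [0.001 if i % 2 == 0 else -0.001 for i in range(20)] + [0.0, -0.05, -0.01]
FIRM = [TRUE_ALPHA + TRUE_BETA * m + e for m, e in zip(MARKET, NOISE)]
EVENT_DAY = 21


def run_example():
    single = event_study(FIRM, MARKET, EVENT_DAY, est_len=20, pre=1, post=1)
    # CARs from a handful of other (constructed) events, pooled into a CAAR.
    other_cars = [-0.012, -0.003, 0.004, -0.009, -0.015]
    avg, t_stat = caar(other_cars)
    return single, avg, t_stat


if __name__ == "__main__":
    single, avg, t_stat = run_example()
    print(f"beta={single['beta']:.3f} CAR={single['car']:.4f} t={single['t']:.1f}")
    print(f"CAAR={avg:.4f} t={t_stat:.2f} significant={is_significant(t_stat)}")
```

With the numbers above the fitted beta lands close to the assumed 1.2, the announcement-day AR is close to the injected -5%, and the three-day CAR is about -6%. The pooled CAAR of -0.7% comes out with a t-statistic just beyond the 1.96 threshold, which illustrates how thin the margin can be on small samples like the UK/EU datasets discussed below: drop one event and the CAAR would have to be reported as zero.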

Data breaches

A number of ESM studies of data breaches have been carried out in the past, although with a very strong US bias, most likely due to the greater maturity of data breach notification laws in the US and the existence of readily accessible breach databases such as Privacy Rights Clearinghouse. Earlier sources cite negative CAARs of between 1% and 2%, with more recent studies finding smaller losses (around -0.3%) while acknowledging the existence of certain ‘catastrophic’ cases.

Due to the lack of a comprehensive breach database for Europe, we hand-gathered a dataset of 45 events involving UK/EU listed companies to compare and contrast with the previous US-centric studies. Interestingly, we also found a spread of results, with a catastrophic example (Travelex) and even a positive CAAR for the consumer defensive sector, but overall no statistically significant CAAR (which under ESM means the effect has to be taken as zero). One notable exception was the Spanish market, which seemed more sensitive and reacted more rapidly to data breach announcements, with a loss of around 1% over the announcement day and the day after. There was also weak evidence of some of the trends expected from the US market, with larger breaches (more records) or breaches of personal (sensitive) data yielding greater losses, although the UK/EU financial services sector did not appear to respond as rapidly as its US counterpart. It certainly seems as though markets are becoming less sensitive to data breaches in general over time.

Infringement fines

Due to the relatively recent introduction (2018) of the General Data Protection Regulation (GDPR), there was not a great deal of literature on the subject available. That said, a comprehensive data source of infringement fines and penalties imposed by data protection authorities within the EU, the ‘Enforcement Tracker’, was readily available. We analysed a dataset of 25 GDPR infringement fine announcements from the Enforcement Tracker relating to publicly listed companies and found average abnormal losses of around 1% (a CAAR of about -1%) over the three days following the announcement of a fine, with the Spanish and Romanian markets being particularly sensitive. It was also found that the drop in market value was far larger than the monetary value of the fine itself, around 29,000 times larger on average.

Four examples of GDPR fine appeals were also investigated. The expectation here was that a successful appeal (three of the four) would yield positive returns, whereas a rejected appeal (one of the four) would be met with a negative market reaction. The share price of International Airlines Group (IAG) seemed to rally on the news of the successful appeal and subsequent fine reduction for its subsidiary British Airways (BA), greatly offsetting the market loss of the original announcement. Of the other three cases, two displayed weak evidence of the expected behaviour, but all of these appeals occurred after the onset of the pandemic and were therefore subject to market instability. It would, however, be an interesting topic for future research.

The CISO Effect

After examining the impact of two types of unfavourable event, we used a similar approach to investigate the (anticipated positive) impact on market value of announcements of CISO, or similar head of security, appointments. A dataset of 37 events was analysed and the effect was indeed found to be positive, producing a CAAR of +0.8% over the three days surrounding the event, with a stronger market reaction (+1.8%) for the financial services sector. For this small sample, there were indications that external appointments were increasing (despite the fact that internal CISO appointments produced almost double the CAAR of external ones), and that CISO roles with VP or SVP responsibility yielded higher gains, as did those reporting to the CEO, COO or CFO. Having the CIO as the CISO's boss, however, showed a negative CAAR, suggesting that the market perceives a conflict of interest in that reporting line. It was also refreshing to see more female CISOs being recruited in recent years (around one in five). Financial services companies made up the largest proportion of the dataset (46%) and 76% of the firms were US based, reflecting a greater willingness, or a regulatory requirement, to disclose such appointments. Other sectors and markets should surely follow this lead to reap the rewards.

Estimates of the increase in market capitalisation resulting from these announcements range from US$94m (median) to US$318m (mean) per appointment, thus easily justifying the trend for escalated executive salaries.

Conclusion

Although the initial announcement of a data breach may not hit the bottom line too hard, we have seen that the consequences later on may be much more severe, especially when personal data is compromised. In the particular case of IAG, which experienced not only a major data privacy breach (BA) but also later infringement fines (BA and Vueling), the total market losses and fines (before any appeal) across all these events could have been an eye-watering €1.1bn.

Prevention is, of course, better than cure, and the markets were shown to respond well to good news of investment in security, such as appointing a CISO. These findings and insights should help security practitioners develop business cases for protective measures, as well as highlighting the importance of information security and data privacy to executives.

About the author

Dr Adrian Ford MBCS is a cyber security researcher at the School of Architecture, Computing and Engineering, University of East London and a Freeman of the Worshipful Company of Information Technologists.