A casual observation of investor confidence after an infosec breach.
One of the issues that security and privacy professionals discuss with our clients is the potential loss of customer confidence if confidential information is compromised. The responses this concern vary across industry and business size. The controls implemented would vary based on the information collected, the tolerance for risk, and the client’s ability implement cost effective controls. Since the downturn in the economy many companies have been scaling back expenditures on security controls and accepting more risk. This involves taking a more compliance centric view and making expenditures only on technology and personnel to comply with the law or self-regulating industry standards, rather than a risk centric view. When accepting more risk it is reasonable to assume that the probability of a security incident will increase and/or the impact/remediation will be more costly to clean up. Does this present any concern for the public?
Several technology executives have implied privacy is dead get over it. With the proliferation of social tools such as Facebook, Twitter, Foursquare, Gowalla, and Google Latitude, the general public has no problem with letting the their “friends” or the whole internet know where they are and what they are doing. Many people, especially the younger generations don’t see it as a big deal to broadcast that they aren’t home or their most intimate and politically incorrect thoughts. Granted GenY is focusing more buying experiences rather than material possessions, so the impact burglary may be less for GenY, but that is another topic we may discuss in detail under a personal finance tag in the future. The silent death of privacy across generations may also be foretelling the the death of security from the viewpoint of the public.
As company executives accept more security risk, the consumer public has also been accepting more risk or relying on risk transference to protect themselves. Combine apathy with risk transference and you have a big stiff cocktail of SNMP (Someone’s -Not Mine- Problem). ATM skimmers are all over the news, and among the GenX and younger crowd there is relatively little concern when compared to older individuals. That is derived from a very small sample so take it as you will. Why no concern? Most credit cards have zero liability for the consumer and fraudulent charges can be corrected immediately along with a new credit card sent overnight. To the consumer this is a minor irritation and the only people suffering are those dirty Wall Street bankers everyone loves to hate. Even debit card fraud is only slightly more irritating when dealing with small community banks and credit unions who are likely to have the consumer protections as credit cards.
Is the public suffering from apathy when companies experience a security breach? Is security dead and the inconvenience of having information compromised something that we will just have to put up with going forward? If we are not there yet we may be getting there soon. When examining investor confidence of companies that have security incidents there appears to be very little concern, even for large security breaches. When compared to the overall S&P 500 Index several of these companies rise and fall along with the Index. This would indicate that any declines in share price are related to the Index itself falling.
In recent days EMC and SPX are up and down together.
Lockheed Martin experienced a large percent move relative to SPX, but the ups and downs do have some correlation.
L-3 Communications has moved with SPX very closely since news of the intrusion broke.
Sony has underperformed when compared to SPX and their stock price has been affected the by multiple intrusions and related news stories.
EMC declined in mid March after the breach. The decline of about 10% was relatively small compared to what it could have been. Three months later EMC is performing as if the breach and any long term issues are a distant memory. EMC is currently trading in a range between 27 and 28.75.
Near the end of May Lockheed Martin announced that they had been the victims of a security breach. Nothing unusual happened to the stock price and the declines can be correlated to losses in the general market.
L-3 Communications has also been pulling back, but seeing a shooting star candle and confirmation the next day that could be expected. We can assume that any loss in value is simply related to overall market corrections.
Sony may be the exception since they have lost a lot of value since March. Sony is different than Lockheed or L-3. They have been punished multiple times by various hacking groups and the news stories simply won’t go away. The decline is about 30%.
Compare and contrast the charts above with this chart of BP after the Deepwater Horizon explosion.The stock declined almost 50% before beginning to recover and reached –30% after a week.
There are differences between all of the companies which does not allow an apples-to-apples comparison. Customers of Lockheed Martin can’t obtain a substitute from someone else as easily as Sony customers. BP is in the business of tangible goods and an oil spill has different impact in the minds of investors and the public than a data breach.
Conclusion:
Based on non-scientific, casual observations, a one-time news event has little effect on the stock price when compared to multiple news stories over a period of time. This is important to the overall business ecosystem from several viewpoints
- Short sellers in the market may be able to take advantage of short term moves in price, but if the story fades from the news it would be best to cover and wait for more news.
- Hacktivists wanting to teach a long term lesson to a company will need to hit them multiple times or release breadcrumbs of information over a period of time to keep the story in the news so it can wear on investor sentiment.
- Consumers will need to accept that the impact to a company will be relatively minor if they mishandle private data one time. Wall Street will not severely punish the companies for poor data handling practices.
- Security and Privacy professionals will need to give up on selling the idea that a one-time security breach will harm their client’s business. Based on these stock charts there is little incentive to spend money on prevention.
- Consumers are at the mercy of the companies they deal with and simply put up with the inconvenience. There is little evidence of a crippling or destroying exodus of customers or a change in consumer behavior.
Disclosure: We currently have no long or short positions mentioned in this post. We may have held positions in the past.