Do Security Breaches Matter?
Nick Owen posts about the stock valuation impact of security breaches.
This UMD study found that a firm suffering a breach of ‘confidential information’ saw a 5% drop in stock price while firms suffering a non-confidential breach saw no impact.
I read it as the market over time learning the difference between a DoS attack and the posting of customers’ credit cards online. Which is interesting, because the market will be most forgiving of the attacks that are the most basic to prevent (web defacement, viruses & worms) or which are ‘unpreventable’ (DoS attacks – unpreventable isn’t the 100% correct word, but you know what I mean) and it will punish you severely (a 5% market cap drop according to the UMD study) for succumbing to a more vicious, targeted attack that results in exposure of confidential information such as customer credit cards. So are you putting your money in the right places?
I read this slightly differently. I think the market doesn’t care about attacks that don’t cost money. I think the market doesn’t really care about breaches of confidentiality, except when there’s a risk of lawsuit or customers leaving. And that means that when the market gets a whiff of the new attackers, these market impacts are going to go up.