The Harvard Business Review study of research into the impact of data breach incidences on stock prices highlights ‘two key pieces of advice: 1) Lead with what you did right to prepare for this eventuality, and 2) then pivot to how you’re going to improve even more.’ They conclude that these measures limit the damage to the breached company’s stock price.
HBR’s research also found that tabletop drills by top management and boards are important and urged companies to use cyber preparations—and responses if breached—as an opportunity to better prepare for long term digital innovation.
HBR’s advice to C-Suites faced with a breach to inform the public about their past cyber security efforts is sound. More market transparency is absolutely needed when it comes to cyber. But the reason for why this response is effective in limiting stock price damage is not. This type of ‘PR spin’ captures the narrative and turns the free publicity into something positive. The type of attack and severity of impact matters when it comes to the market value impact of a breach. A ransomware attack that disrupts business operations for days or over a week can be devastating—like Finablr/Travelex discovered—while a limited customer data loss breach will have much less of an impact on share price. Another important variable is the financial capacity of the company to respond to a breach when it occurs. Companies with the financial strength to allocate the resources necessary to address the weakness (es) that contributed to the breach in the first place tend to see business operations recover more quickly. This a reason why we look at combined cyber and financial factors when assessing a company’s cyber governance.
Companies that have prepared well for these incidents—and which therefore have something positive to remind the public about their past cyber security efforts—are normally highly ranked in cyber governance. This includes aspects of what the article recommends (management involvement, strong processes), well-trained people, robust policies and well-executed processes — all hallmarks of good cyber governance.
Importantly, high performing companies have also generally implemented digital transformation strategies that both better position them to recover from attack and that also position them for stronger revenue growth than competitors who lack effective Digital Transformation strategies.
The net result is that companies that are leaders in cyber governance are both better prepared to defend against and respond to a cyber attack and more likely to be market leaders in their industries. The consistent stock price outperformance of Cyberhedge’s top rated 5-star companies vs their relevant sector indices and their lower rated peers is market-based proof of this dynamic.