


Reporting data breaches - the impact on share prices


With mandatory breach notification legislation encircling the globe, we’ve examined how markets respond when companies disclose a major data breach.

Australia has followed California’s lead by introducing a mandatory data breach notification scheme. Agencies and companies will soon be required to notify the regulator and affected individuals of privacy breaches that are “likely to result in serious harm”. The scheme, which replaces the current voluntary data breach notification standards, will be effective no later than February 2018.

With Canada and the European Union (EU) proposing similar schemes, this is a global trend that is particularly pertinent to financial institutions.

The market response

After the US introduced mandatory breach reporting there was a flood of information about security incidents. This enabled Commonwealth Bank’s Cyber Outreach and Research team to study the medium-term impact of major data breaches on a company’s share price.

With several other jurisdictions heading towards mandatory breach reporting, the study of 75 publicly listed organisations brings some clarity and confidence to the subject. 

The key findings were that in the 100 days after publicly disclosing a data breach, company share prices on average:

  • underperform by 1.5% compared with the previous 100 days
  • underperform against the broader stock market by 2-4%
  • underperform competitors by 3-4%.

Underperformance is far greater if financially sensitive information, such as payment or card data, is stolen. The research showed share prices:

  • underperform their previous 100-day performance by almost 11.5%
  • underperform the broader market by up to 20%.

The share price impact of a breach is largely determined by:

  • the type of data loss and the magnitude of the loss
  • what the market infers about the company’s security capability at the time of the breach
  • the company’s confidence when communicating how it will remediate customer impacts.

Equally, there are many examples of company share prices not responding at all.

The total cost of responding to a breach is rarely realised immediately or in the medium term. Read the full report to learn more about the wide range of costs likely to be incurred because of a data breach. The report also contains detailed analysis of how quickly companies typically disclose data breaches once discovered and how the 100 worst data breaches of the past 10 years happened.

This article is based on information previously published in Signals, Commonwealth Bank’s quarterly security assessment.
