Blog

Ticker Symbol: Hack - *Updated*

By Gunnar

There is a ticker symbol HACK that tracks a group of publicly traded “Cyber Security” firms. Given how hot everything ‘Cyber’ is, HACK may do just fine – who knows? But perhaps one for breached companies (BRCH?) would be better. For you security geeks out there who love to talk about the cost of breaches, let’s take a look at the stock prices of several big-named firms which have been breached:

Sony 11/24/14 28.3%
S&P 500 11/24/14 2.2%
 
Home Depot 9/9/14 31.3%
S&P 500 9/9/14 6.4%
 
Target 12/19/13 23.8%
S&P 500 12/19/13 16.9%
 
Heartland 1/20/09 250.1%
S&P 500 1/20/09 162.7%
 
Apple 9/2/14 28%
S&P 500 9/2/14 6%

This is a small sample of companies, but their stock values have each substantially outperformed the S&P 500 (which has been on a tear in the last year or so) from the time of their breaches through now. “How long until activist investors like Icahn pound the table demanding more dividends, stock buy backs and would it kill you to have a breach?” Food for thought.

No Related Posts
Comments

Hi Gunnar,

What do the dates and percentages correspond to in your table? Breach publication date and post-breach to present (2/24 COB) stock performance?

To me, this comes back to the whole debate around materiality and its application in the cybersecurity realm. Chris Walsh did a great RSA-C presentation on cyber-related disclosures in 2013 (https://www.rsaconference.com/writable/presentations/file_upload/sect-r35a.pdf), but I haven’t seen any studies, scholarly or otherwise, on the topic since.

It may be interesting to keep an eye on Gemalto over the next week or so as the market incorporates information related to the SIM hacking allegations. The drop it suffered earlier this week seems to have almost fully recovered

By Will on


Hi Will

Yes - “Breach publication date and post-breach to present (2/24 COB) stock performance”

Another takeaway here is that supposedly security and “the business” cannot co-exist. But it turns out that firms who go about investing more heavily in security post-breach can do quite well. Maybe there is not a dichotomy after all.

By gunnar on


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.