A new study from the Ponemon Institute, due to be released next week, suggests the impact on share prices of data breaches has been under-estimated.

The Institute is the parent organisation of the US based Responsible Information Management Council and has been producing an annual Cost of a Data Breach study for the past decade.

The latest study highlights “potential for a business to lose an average of 5% in shareholder value and more than a quarter of its customers due to a breach”.

Centrify, a leading provider of identity verification services for companies, commissioned Ponemon to survey IT and information security professionals, senior level marketers, and consumers in the UK, Germany and the US for the research.

The full report will be unveiled on 18th May at a round-table event at London’s Shard building.

Its headline findings include:

  • There is a direct correlation between a data breach and share value. On the day a breach is exposed, the share price drops 5% on average. But this drop is likely to be significantly less for companies with a high security posture compared to those with a poor security posture.
  • More than a quarter of consumers leave a company suffering a breach. Of those customers affected by one or more breaches, 65% lost trust and 27% discontinued the relationship.
  • 1.7-3.6% customer churn rate experienced by companies after a breach. There is a relationship between data breach revenue losses and an organisation’s security posture.
  • Three-quarters of customers believe firms have an obligation to take reasonable steps to secure their personal information.
  • There is a clear disconnect between the marketing and IT functions when it comes to who is responsible for protecting the company’s brand and also budget allocation.

A recent study from Oxford Economics, reported by Retail Risk News on 17th April, bears out some of Ponemon’s findings and establishes a longer term link between cyber breaches and share price falls.

This study, commissioned by CGI, found an average 1.8% decline in share price over three and a half years for 65 companies that had suffered high profile cyber breaches in the previous four years.

By comparing each company against a selection of their peers in the industry, the analysts calculated that the companies had lost an average of US$ 645 million (£516 million) each in market valuation as a result of the breaches.

The study appears to show that as investors and analysts have become more aware of cyber-security, the impact on share price has been getting worse. In the first year of the study, 2013, the impact was just 0.2 percent, but by 2015/16 it had risen to 2.7 percent.

The research also indicates that underperforming firms suffer worse impact from a cyber breach than firms that are overperforming, other things being equal.