The possibility of securities litigation following the disclosure of a cyber security breach has been a topic of significant recent attention, including on this site. There already have been securities class action lawsuits filed following significant cyber breaches, at least in some cases. More recently, however, the stock prices of several major companies that recently announced that they had experienced cyber attacks barely moved. For example, announcements earlier this year by Facebook, Apple and Microsoft that they have been the target of sophisticated cyber attacks did not affect the companies’ share prices. And despite the high-profile disclosures, these companies were not hit with securities lawsuits about the breaches, either.
Without a significant stock price decline, prospective claimants lack one of the critical predicates for a securities lawsuit. If the stock market shrugs off news of cyber security breaches, there may be less securities litigation related to the cyber breaches than some commentators have conjectured.
The question of the market reaction to cyber breach news is the subject of a recent paper from three professors at the University of Maryland business school. In their paper entitled “The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?” (here), the authors – Lawrence A. Gordon, Martin F. Loeb and Lei Zhou – examined 121 security incidents involving 85 firms during the period 1995 to 2007, in order to determine the impact of the disclosure of the cyber breaches on the share prices of the companies involved.
The authors divided their study into three time periods: the 1995 to 2007 period as a whole; the period from 1995 to 2001; and the period from 2001 to 2007. The authors chose to split their study this way based on their desire to determine (in light of the results of prior research) the possible impact of the 9/11 terrorist attacks on the sensitivity of the market to news of cyber breaches. Of the 121 cyber breach events in the study, 60 occurred in the pre-9/11 period and 61 occurred in the post-9/11 period.
The authors found that for the period of the study as a whole the impact of the news of cyber security breaches on the stock price of the involved company is “significant.” As the authors put it, “those who are concerned about the economic impact of information security breaches on the stock market returns of firms apparently have good cause for concern.”
However, the authors found that the results were split between the two subsidiary time periods. During the pre-9/11 time period, “the overall impact of security breaches … on the stock market returns of firms is statistically significant.”
The result for the post-9/11 period differed. That is, for the second time period, the authors discerned “a significant decrease in the market’s negative reaction to announcements” of security breaches.
Based on the differing results of the two time periods, the authors concluded that the results “support the general argument that investors shifted their attitudes in the way they view information security breaches.” The authors suggested that “investors have grown accustomed to seeing news of a corporate information security breach without major consequences to the firm’s long-term profitability.” For that reason, “investors appear to have little reaction (in terms of revaluing a firm’s shares) to the news that a firm has had an information security breach.”
The authors did note that their analysis of the post-9/11 results “does not necessarily imply that investors seem to have become totally desensitized to news about corporate information security breaches.” Their analysis is based on average effects; “some news of specific breaches did have a significant impact on the market capitalization of specific firms.” They concluded that “while executives may take some comfort from the fact that average breaches are not a major threat to their firm, they still must be concerned over the possibility of a particular information security breach threatening their firm’s survival.”
The authors’ conclusions about the post-9/11 impact on company share prices of the news of a cyber breach do suggest, at a minimum, that many companies experiencing cyber breaches are unlikely to also have to deal with securities litigation related to the breach.
On the other hand, the authors’ observation that even post-9/11 some companies did experience a significant impact on their share prices from the disclosure of a cyber breach does suggest at the same time that at least some companies announcing a cyber breach could also face the prospect of securities litigation related to the breach.
It would have been interesting if the authors had taken their study to the next step, to try to describe what types of companies or what types of breaches were involved in the instances where the companies experiencing the breach did sustain a significant stock price decline. Unfortunately, the authors’ analysis does not reach those issues.
It is noteworthy that nearly six years have elapsed since the end of the period that was the focus of the authors’ study. The intervening period has been characterized by rapid technological change; the rise of global cyber spying activities arguably sponsored by national governments; and even the rise in cyber warfare activities. It is hard to know, one way or the other, whether the results for the intervening time period would be consistent with the results of the time period that was the focus of the study.
The authors’ conclusion that, on average, companies disclosing cyber breaches do not experience significant share price declines does raise the question of whether cyber breach-related securities litigation will prove to be as widespread as some have conjectured. On the other hand, the authors’ conclusion that, notwithstanding the average figures, some companies in some circumstances disclosing cyber breaches are experiencing significant stock price declines suggests that a threat of cyber breach-related securities litigation remains a possibility for at least some companies disclosing cyber breaches.
Even in the absence of a significant stock price decline and ensuing securities litigation, companies disclosing a security breach and their directors and officers could still face the possibility of corporate litigation related to the breach. Companies that do not experience a share price decline following a cyber security incident may not get hit with securities class action litigation, but they are still susceptible to derivative lawsuits alleging, for example, that company directors breached their fiduciary duties by failing to ensure adequate security measures. Shareholders may claim that senior management and directors were either aware of or should have been aware of the breach and the company’s susceptibility to cyber incidents. (Of course, any lawsuit of this type would face significant hurdles, including the requirement to make a formal demand on the board as well as the business judgment rule.)
The authors of the report expressed their own unease with the suggestion that investors may have become desensitized to the news of cyber security breaches. They questioned whether “corporate executives are likely to see this as a cue from investors to keep their firms’ information security investments at the status quo.” This view “seems misguided in light of the fact that an unforeseen major breach … has the potential to threaten a firm’s survivability.”
In other words, corporate officials must remain vigilant, as the failure to do so could have serious consequences for their companies. The management of these cyber security risks remains a significant responsibility. The failure to manage these risks continues to represent a significant liability exposure – whether or not a significant liability breach will include the risks of breach-related securities litigation.
Special thanks to Bill Boeck of Lockton Financial Services for providing me with a link to the academics’ study.
Insuring Against Cyber Risks: Separate and apart from the liability exposures of companies’ directors and officers, cyber security risks also present a host of related first-party and third-party exposures for companies. In response to these company liability concerns, the insurance industry has evolved an insurance product to protect against these cyber risks. This evolving insurance industry response is the subject of a short May 22, 2013 New York Law Journal article entitled “Insuring Against Cyber Risks: Coverage, Exclusions, Considerations” (here) by Howard Epstein and Theodore Keys of the Schulte Roth & Zabel law firm.
The authors conclude that “Insurance products that address these cyber risks are still evolving. However, for directors and officers seeking to address these risks, these insurance products should be part of the equation.”
Welcome Aboard: We are pleased to announce that Keith Loges has joined RT ProExec, a division of RT Specialty. Keith is a proven and well-recognized professional with over 25 years’ experience in the Executive and Professional Liability industry. Keith represents RT Specialty’s commitment to further establishing itself as the premier Executive and Professional Liability wholesaler. Keith will be located in the RT Specialty Atlanta office and you can reach him at:
5565 Glenridge Connector, Suite 550
Atlanta, GA 30342