
A new study highlighted on the Harvard Law School Forum on Corporate Governance, and posted by Subodh Mishra, Global Head of Communications at ISS STOXX, on Tuesday, April 14, 2026, quantifies how cyber incidents can have sustained and measurable negative impacts on shareholder value. The report, based on research conducted by ISS STOXX and ISS-Corporate (the study), analyzed cyber incidents among companies in the Russell 3000 over a multi-year period. Its findings are stark: companies experiencing significant cyber incidents underperform the broader market by approximately 5% on average over a three-year time period.
As D&O Diary readers are aware, cybersecurity issues can be a source of D&O liability. The findings of this recent study add to that picture: cybersecurity failures may also result in share underperformance over an extended period. The following discusses the findings of this most recent study, the reasons for a longer tail, and the D&O liability and litigation implications.
The ISS STOXX and ISS-Corporate Study’s Findings
The study leveraged cyber incident data sources, including self-reporting and required state and federal reporting, and compared share price performance across the Russell 3000 index from 2022 through 2024. The analysis looked at the share price impact of 176 unique events, measured from the date the incident was first reported by the impacted firm. The study also used the adjusted closing price for all trading days during calendar years 2022, 2023, and 2024, accounting for the impact of share splits and reverse share splits over that period.
Notably, the study found a significant and sustained impact on share price for Russell 3000 index companies that experienced a significant cyber event. And share price underperformance was not quickly reversed. Instead, affected companies continued to lag the market for extended periods, often exceeding a year, suggesting that cyber incidents trigger longer-term concerns among investors about governance, operational resilience, and future earnings capacity. Importantly, the Financing and Banking and Health Care sectors accounted for more than half of the incidents reported during the time period of the study.
The findings of this recent ISS STOXX and ISS-Corporate study align with broader observations about the growing frequency and systemic nature of cyber risks. Prior research has shown that cyber incidents affect a significant portion of public companies, with hundreds of reported incidents across the Russell 3000 in recent years, often involving third-party vulnerabilities and supply chain exposures.
Discussion
While the ISS STOXX and ISS-Corporate study highlights that the long-tail share price impact stemming from cyber incidents may expose underlying weaknesses, there may be many reasons why that happens. An incident may indicate failures in internal controls, risk management frameworks, and board oversight, leading investors to reassess not just the specific event but the company’s overall governance quality.
In addition, cybersecurity events can give rise to follow-on consequences including regulatory scrutiny, litigation, customer attrition, and remediation costs, many of which continue to unfold over time. A significant breach also may indicate that management failed to adequately prioritize cybersecurity investment or failed to disclose known vulnerabilities. In that sense, the market reaction may reflect not just the incident itself, but a reassessment of management credibility and disclosure practices.
From a D&O perspective, the demonstrated sustained stock price decline could provide a clearer causation narrative for securities plaintiffs. Plaintiffs’ lawyers have faced challenges in tying cyber incidents to measurable investor harm, particularly where stock price declines were short-lived. The study’s findings, showing prolonged underperformance, may help plaintiffs argue that cyber-related misstatements or omissions caused enduring shareholder losses, strengthening both pleading-stage allegations and damages theories.
The study may further reinforce the theory that cyber incidents could become event-driven securities claims, that is, claims resulting from an operational failure. Thus, empirical evidence of sustained share value impairment may support shareholder causation arguments. The study’s findings could also be used in derivative litigation alleging oversight failures. If cyber incidents are shown to have long-term financial consequences, plaintiffs may be more likely to frame these events as failures of board-level risk oversight, invoking theories akin to Caremark claims.
Companies will continue to face pressure to provide robust and accurate disclosures regarding cybersecurity risks and incidents. If cyber incidents are now framed as causing a prolonged financial impact on share price, regulators and investors alike may expect more detailed disclosure about both the incident itself and the company’s remediation efforts. At the same time, companies may have to navigate the tension between making a timely disclosure and submitting incomplete information in the immediate aftermath of a breach. The risk, as highlighted by the study’s findings, is that inadequate or overly optimistic disclosures may later be challenged in light of sustained stock price underperformance.
From a governance standpoint, the study reinforces that cybersecurity is no longer a purely technical issue but a board-level priority. For D&O insurers and underwriters, too, the study’s conclusions are particularly relevant. The evidence of sustained shareholder value impact may translate into increased frequency and severity of securities claims arising out of cyber incidents. Underwriters may respond by more closely scrutinizing insureds’ cybersecurity governance frameworks, incident response protocols, and disclosure controls.
Finally, the study highlights the importance of evaluating aggregation risk, particularly where cyber incidents affect multiple companies through shared vendors or third-party providers. As prior research has shown, a significant percentage of cyber incidents originate from third-party relationships, suggesting the potential for correlated D&O exposure.
Conclusion
The study, and its distillation by the Harvard Law School Forum on Corporate Governance, provide compelling empirical support for what has increasingly become apparent: cyber incidents are not isolated operational events but enterprise-level crises with lasting financial consequences. The finding that affected companies underperform the market for extended periods underscores the growing importance of cybersecurity as a core governance and disclosure issue.
For boards, the study’s findings support cyber risk oversight that is robust, proactive, and well-documented at the executive and board level. For D&O insurers, the study could signal a continuing evolution of cyber risk into a material driver of securities and derivative litigation exposure. As the study underscores, a cyber incident can have a significant impact in the form of long-tail shareholder value erosion.