I just read a good article with a controversial title by Eric Chemi in Business Week, "Investors Couldn't Care Less About Data Breaches." Chemi asserts that based on the current stock behavior of eBay and the prior stock activity of Target, TJX, Sony etc. that investors don’t care about data breaches. I think it is wrong-headed to suggest that because a company gets hacked, it is therefore fundamentally unsound and investors should flee for their lives. So, this article has merit and shareholder activity of the representative companies seems to support that.
However what the author of this article misses is that breaches DO have seismic impact on companies in the same way that earnings misses, and law suits, and geo-political issues do. Investors may not immediately care about a breach, but customers do (given the choice between selling an article on eBay or Craigslist today, are you telling me that the breach is NOT a consideration?). Especially if an overhaul of business process (including security) doesn’t take place and isn’t made very visible to the customer. The stock drop of Sony, TJX and others may have been caused by investor fear in the wake of the breach, or by shrinking earnings due to customer fear of doing business with the company. Either way, the recovery of the stock (and the reputation of the company) had to include significant changes in operations, not to mention a very public push for improved security posture.
That is why cyber is now a boardroom issue, because hacks are expected and recoveries must be planned and executed.
