Cybersecurity is beginning to feel like an arms race the good guys can’t ever win. Year after year, corporations and governments boost spending on cybersecurity by hundreds of millions of dollars in an increasingly fruitless attempt to protect their data. And yet the attacks keep coming, growing in sophistication, scope and cost.
Just look at health insurer Anthem Inc (NYSE:ANTM), which recently fell victim to a cybersecurity breach, losing vital information on tens of millions of customers. Names, addresses, even social security numbers were all compromised in the attack.
The past year offered two especially damaging hacks that involved some of the world’s best-known brands. Intruders hacked into the iCloud accounts of scores of celebrities, and although that wasn’t technically the fault of Apple Inc (NASDAQ:AAPL), it put the company in an uncomfortable spotlight.
Even worse, of course, was the data breach at Sony Pictures Entertainment — the film division of Sony Corp (ADR) (NYSE:SNE) — purportedly at the hands of the North Korean government. The trove of critical business information, personal data and embarrassing correspondence captured by the hackers was made worse for Sony by the fact that it didn’t encrypt its data.
And those are just a couple of recent and well-known data breaches at major corporations. Although they may have been among the most scandalous, they were hardly the only ones.
In the U.S. alone, companies, governments and other institutions face unimaginable numbers of attacks per year. The Identity Theft Research Center tracked nearly 800 data breaches in 2014, a new record. Globally, roughly 40% of all companies suffer some kind of breakdown in cybersecurity annually, according to the Ponemon Institute.
No Company Is Immune to Cybersecurity Breaches
Indeed, a compilation of the biggest data breaches of all time reads like a who’s who of big business. Major companies getting hacked in just the last couple of years include JPMorgan Chase & Co. (NYSE:JPM), eBay Inc (NASDAQ:EBAY), Home Depot Inc (NYSE:HD), Target Corporation (NYSE:TGT) and Facebook Inc (NASDAQ:FB).
On a global scale, cybercrimes such as stolen data, identity theft and fraud cost the worldwide economy as much as $575 billion per year, according to security provider McAfee.
Those kinds of figures are enough to keep investors in any company up at night. But the fallout and lingering effects of some of the biggest data breaches reveal no long-term ill effects from the crime.
Indeed, as much as a stock gets slammed on a data breach, the costs associated with it — while large — are absorbed easily by big, publicly traded companies. As such, given enough time, their share prices tend to be resilient.
Hackers Take Aim at Target
Take Target as an example. In 2013, the discount retailer disclosed a massive data breach. Roughly 40 million credit card numbers were affected, as malware stole names, mailing addresses, email addresses and phone numbers of Target’s credit and debit card holders.
Costs for the breach initially came to about $150 million. Target was covered by insurance, which offset costs by $38 million, but expenses stemming from legal, consulting and credit monitoring services continued to mount. Some security expects estimate that when all is said and done, the total cost to Target could be as much as $1 billion.
And the costs didn’t end there. Credit and debit card information was stolen. Those accounts had to be cancelled and new cards had to be issued to million. As a result, the holiday cybercrime also cost banks another $200 million.
The data breach came at a particularly bad time for Target. The company was already struggling with sluggish sales and a disastrous expansion into Canada that caused profit to plunge nearly 50% in the quarter before the data breach.
Costs for the breach forced Target to slash its outlook by a steep amount. Five months after disclosing the breach, Target’s CEO was out.
It was a hard time to be a shareholder in Target. The stock plunged more than 12% in wake of the news and languished trough the first three quarters of last year. And yet despite all the damage done by the breach, Target stock regained all the ground it lost on the news by September 2014.
In fact, since it disclosed the breach, Target is actually beating the S&P 500. That’s right: Target’s data breach was a buying opportunity, especially if you bought in near the bottom of the dip — TGT stock is outperforming the market by 20 percentage points since then.
Hackers Hit JPMorgan and Home Depot
JPMorgan Chase offers a similar narrative for investors. The bank disclosed in September of last year that hackers gained access to 83 million accounts. As part of its response, JPMorgan pledged to spend more than $250 million per year on cybersecurity. By 2020, the bank’s expects costs for cybersecurity to hit half-a-billion dollars annually.
JPMorgan sold off sharply after the disclosure, but not because of the breach. The entire market suffered an steep selloff last October. Just a couple of months later, JPM was hitting new year-to-date highs.
At about the same time as the JPMorgan attack, Home Depot disclosed its own massive data breach. The hackers stole payment information on more than 55 million cards. HD’s response to the attack cost $43 million in a single quarter.
Yet when HD disclosed its knowledge of the attack in early November, the market shrugged it off. Home Depot stock is up more than 15% since it made the hacking public. The broader market is up less than 2% over the same span. As for Sony’s stock, it didn’t budge on revelations of its infamous data breach.
The costs of cyberattacks might come to almost $600 billion per year, but that’s a tiny fraction of total corporate revenue. Wal-Mart Stores, Inc. (NYSE:WMT) alone has annual sales close to $480 billion. And as a percentage of global GDP? Forget about it. The U.S. economy all by itself generates $17 trillion worth of economic activity in a year.
Cybersecurity Breaches Won’t Break Most Companies
The market has become inured to the costs of data breaches. Unfortunately, the attacks are all too common. As most security experts will tell you: It’s not a matter of if a company gets hit, but when.
But the charges related to data breaches are more than manageable. It’s just part of the cost of doing business in an interconnected world.
As scary as data breaches may be, the ultimate effects look to be totally immaterial for investors with at least medium-term holding patterns. For long-term investors, they have essentially no effect at all.
As of this writing, Dan Burrows did not hold a position in any of the aforementioned securities.
More in Cybersecurity
- 7 Ways to Secure Your Cyberspace
- Cybersecurity Stocks Are Poised to Reach Full Stride in 2015
- 3 Cybersecurity Stocks for 2015 and Beyond