Is Wall Street to blame for Equifax’ Cybersecurity Woes?

The Equifax CEO will be leaving the firm due to the massive data breach with approximately 143 million identities impacted. This departure is in addition to the already announced departures of the CIO and CISO. Clearly, there is a lot of concern and consternation about this data breach and its impact. However, there have been many data breaches before, that have been equally high profile. For example a few months ago Booz Allen Hamilton was in the news for having exposed sensitive US Defense files.

The interesting question however is – Are executives within corporations really incentivised to focus on cybersecurity matters? Given that most corporations are driven by a profit motive, do the markets really know how to assess and value the impact of security breaches? A simple concept in corporate finance called “event analysis” suggests perhaps, that the markets do not quite understand cybersecurity! There is perhaps a need to come up with better models that allow investors and markets to do a better job of understanding the risk associated with cybersecurity. Here are some interesting and thought-provoking examples:

Based on the latest Equifax stock price of around $103 per share and approximately 120 million shares outstanding, the Equifax market cap is around $12.4B. The Equifax share price prior to the data breach announcement was around $140 per share thus a market cap of $16.8B. So since the announcement of the breach, there has a net erosion of around $4.4B.

Assuming that 143 million identities were compromised, Wall Street values each identity at around $30 per identity. A quick scan of industry literature on the cost of handling data breaches, the actual number is closer to a few hundred dollars. Assuming a conservative estimate of $200 per identity, for 143 million identities compromised, we are talking about a potential for $28.6B liability whereas Wall Street thinks that the breach is just a $4.4B problem. So, is Wall Street partially to blame for the lack of seriousness dedicated to cybersecurity by Corporate America?

Let us look at another interesting example related to the Booz Allen Hamilton data leak of sensitive information announced in the third week of May 2017 around the 24th. A quick analysis of the Booz Allen stock shows hardly any movement of impact on the stock price. On May 22, 2017 the stock closed at $38.50 and a week later it was at $39.25 an actual increase! Totally discounting any impact of the data breach on the business.

Given that all of us are concerned about cybersecurity, data breaches and the right public policy response, it is interesting to observe corporate behavior through the lens of markets. The goal of this post is to provoke thought and discussion. Do join the conversation and share your thoughts. Does Corporate American truly understand and pay attention to the issues around Cybersecurity? Or is it the case that most Executives (due to the market signals) believe that buying cybersecurity insurance, passing on risk to vendors, hiring a CISO (and not funding them with authority and resources) are good enough responses?