Equifax (NYSE:EFX) is the poster child for data breach negligence. The company suffered from hackers exploiting a known and previously reported security vulnerability in their open source Apache Struts framework. As the story continues to unfold, it seems that the thieves got away with every piece of valuable information in their data vault, and instead of turning out the proverbial light, they took that too. In the last six months since the breach was reported, Equifax’s stock suffered an initial steep drop, but has been regaining its footing. Today its shares are down approximately 12% from prior to the reported breach. It appears that Equifax share price is weathering this storm quite well.
To Date – Cyber Attacks Have a Had a Limited Imact on Share Price
In fact, the effect of cyber attacks on share prices is arguably not very damaging. In July of 2017, a study showed a detailed analysis of stock prices for 24 public companies that lost more than one million records due to a cyber attack. Immediately following the breach, their shares on average suffered a decrease of 0.43%. This rate was approximately equal to their average daily volatility.
In the long run, share prices recovered, but at an impaired rate. The analysis showed a 45.6% increase in share price during the three year period prior to a company’s data breach. In the three years after, the company only enjoyed a 14.8% growth. Daily volatility remained consistent, as it was approximately the same for both periods.
Clearly, investors remained somewhat skeptical about managements’ ability to implement better security practices, reduce the effects of brand damage, retain customers, mitigate lawsuits and recoup lost opportunity costs. Regardless, most cyber attacks and successful data breaches may have had a rather small impact on share price due to the low costs associated with fines and lawsuits.
Open Source is Everywhere
More than 90% of the software in use today contains open source code. Open source pervades operating systems, network platforms and applications. This trend will only continue to grow because, by leveraging open source, developers can lower assembly costs and quickly add innovations. Without it, almost every gadget, cloud platform, banking network and phone system would shut down.
Whether software code is proprietary or open source, it harbors security vulnerabilities. Because of its transparency, open source code tends be better engineered than a comparable piece of proprietary code. And thanks to its flexibility, open source code is extensively used. This means that a security vulnerability in a piece of open source code is likely to exist across a multitude of applications and platforms. Consequently, open source software vulnerabilities become a “low hanging fruit” for hackers to target and attack.
Known Security Vulnerabilities are Prevalent.
The number of reported security vulnerabilities in open source code – the same kind of vulnerability that hackers used to exploit Equifax – is increasing. In 2017, the number of known security vulnerabilities in open source code nearly tripled that of 2016, from 6,447 to 14,712. Based on the reported number of security vulnerabilities in the first two and a half months of 2018, it appears that we will once again set a record this year. Consequently, we can expect to see many more corporate casualties from cyber attacks directed at known security vulnerabilities.
E.U. Driving Large Fines for Data Security Breaches
The E.U. has enacted data protection / breach fines that, on their own, will negatively and materially impact a company’s financial results, and likely their share price. On May 25th, the E.U. will legislate its landmark General Data Protection Regulation (GDPR) that was approved in 2016. Not only will the GDPR affect any organization located or doing business in the E.U., it will also impact organizations processing data of EU individuals, regardless of their own geographic location. Multinationals will have to adjust their practices in order to comply with the new, and more stringent, data privacy and protection policies from the E.U.
So what is the GDPR?
According to the official GDPR website, it is a law to “protect all E.U. citizens from privacy and data breaches in an increasingly data-driven world.” Its reach is broad, “it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.” And, the penalties are non-trivial, “organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).”
A Practical Examinination of the Effects of GDPR
Had the GDPR been in place at the time of the Equifax breach, the fines would have been significant. Based on estimated Equifax 2017 income, which has been delayed in reporting, 4% of its approximately $3 billion in revenues is $120 million. The days of sweeping security vulnerabilities under the rug in the E.U. are over.
Open source software development and use are irreversible trends in today’s businesses. And given the undeniable importance of the E.U market, organizations must adapt to comply with the GDPR. It is prudent for software development and IT teams to investigate and reevaluate, in-depth: the ramifications of GDPR, their client data and privacy procedures, the short-term risk mitigation potently offered by cyber security insurances and their plans and practices for finding and responding to open source security vulnerabilities.
Investors should examine, in great detail, corporations’ reported plans for complying with the new GDPR rules. Additionally, given the increased risk, shareholders should reevaluate and discount the share price of companies that have a track record of data breaches. Going forward, cyber attacks and data breaches will have a much larger impact on share price.