Skip to main content

Analysis: Strong Data Privacy and Security Management Pays Off

Posted on November 22, 2022

Melissa Hudson
Melissa Hudson
Associate Director, Research Products
Liam Zerter
Liam Zerter
Quantitative Research Manager, Methodology & Product Architecture

Cyberthreats are broadening and deepening, and they can materially affect a company’s performance through fines, class action lawsuits, loss of consumer trust, and operational disruption. 

For investors willing to limit the impact of cyberattacks on stock prices, there are helpful tools at hand to mitigate sentiment changes and assess the significance of recent news regarding long-term damage to a company. 

In our recently published cybersecurity paper, The Impact of Cyberattacks on Stock Prices, we analyzed 69 immediately high-risk cyberattack news incidents. Then, we measured the average price return of stocks by conducting a time series event analysis. Exhibit 1 showcases findings one year after a major cybersecurity incident: We see sizeable losses for some stocks after a major cyberattack. 

Exhibit 1: News Incidents Analysis - Annual Returns

*Currency in use: Base Currency     Source: Morningstar Sustainalytics

We used the Data Privacy and Security Policy (DP&S) management score as a variable to assess returns one year later, mainly due to its good historical track record depth: A fitting assessment score to measure cybersecurity strength prior to an incident.

We find a positive correlation between the management score and returns, at 33%.

We split our management score into three buckets. Exhibit 2 shows that one year later, companies with better scores, 75 to 100, kept a better pace with their respective sector on average where those with a score of 0 or not available (N/A) had negative double-digit returns.

Exhibit 2: Split of Data Privacy and Security Management Scores - Annual Returns1

Source: Morningstar Sustainalytics

A closer look at risk reveals that companies with more robust DP&S management scores had risk benefits. 

Exhibit 3 shows an ordinal ranking of better standard deviations and a diminished average maximum drawdown as the management score improves.

Exhibit 3: DP&S Policy Management Scores – One Year Risk Measures2

Source: Morningstar Sustainalytics

Our findings show that strong management scores within DP&S scores offer an improved probability of a lower share price downside, volatility and a decreased impact concerning future returns.

For more details on the how investors can utilize corporate DP&S management scores in their portfolio assessments, download our recent report

 

impact of cyberattacks on stock prices

 

Notes:

1 Management Indicator Scores include predicted, retroactively researched, and actual historical scores before the incident date.

  • Data Privacy and Security Management Indicator Scores prior to incident; Score 75 to 100 (12), Score of 25 to 50 (18), Score of 0 or N/A (38).
  • N/A is representative of companies where no predicted or historical research for the Management Indicator Score was available
  • Currency in use: Base Currency. A financial return that does not take into consideration reinvestment of dividends. Dividends are treated as a cash payout as of the end of the period. The calculation is point to point using adjusted price at the beginning of the period and the adjusted price at the end of the period incorporating any dividends paid.

2 Management Indicator Scores include predicted, retroactively researched, and actual historical scores before the incident date.

  • Data Privacy and Security Indicator Management Scores prior to incident; Score 75 to 100 (12), Score of 25 to 50 (18), Score of 0 or N/A (38).
  • N/A is representative of companies where no predicted or historical research for the management score was available
  • Currency in use: Base Currency. A financial return that does not take into consideration reinvestment of dividends. Dividends are treated as a cash payout as of the end of the period. The calculation is point to point using adjusted price at the beginning of the period and the adjusted price at the end of the period incorporating any dividends paid.  
  • Standard Deviation return calculations are made monthly. A statistical measurement of dispersion about an average and depicts how widely the returns varied over a certain period of time. Morningstar computes standard deviation using the trailing monthly total returns for the appropriate time period. All of the monthly standard deviations are then annualized.

 

Recent Content

The Current State of EU Taxonomy Alignment in 2024 | Morningstar Sustainalytics

The Current State of EU Taxonomy Alignment in 2024

This article summarizes the findings from our first EU Taxonomy Reporting Review, examining alignment to KPIs on revenue, opex, and capex on more than 1,300 non-financial companies over the last two years.

Controversies Over Forever Chemicals Navigating the US Landscape of PFAS Regulations |Morningstar Sustainalytics

Controversies Over ‘Forever Chemicals’: Navigating the US Landscape of PFAS Regulations

The new US EPA drinking water standards and the CERCLA designation of PFOA and PFOS as hazardous substances show increased regulatory oversight and the expanding scope of potential liabilities across the supply chain. This report explores the latest regulatory developments concerning PFAS in the United States.

Mobilizing the Private Sector for COP16 | Morningstar Sustainalytics

Mobilizing the Private Sector for COP16: A Critical Juncture for Biodiversity Action

This article highlights the key role of the private sector in addressing biodiversity loss ahead of the October COP16 summit. It leverages data from Morningstar Sustainalytics' engagement program to reveal how companies recognize biodiversity as a material issue, whether they give the issue board-level oversite, and whether they have a strategic approach to addressing nature and biodiversity loss.

Close-up of water droplet impacting still water.

Getting to Impact: Integrating Double Materiality in Responsible Investment Strategies

Learn the key distinctions between financial, impact and double materiality and the related implications for issuers and investors.