The Financial Implications of a Data Breach and How To Manage The Crisis

Lars Terp Søland & Morten Rasmussen

Student thesis: Master thesis


This thesis investigates the financial and managerial implications of data breaches, and as such serves multiple purposes. Using an event study framework, the financial implications of data breaches are investigated by analysing stock returns for a sample of breached publicly traded companies in both the short and long term. This leads to conclusions on the financial risk companies face by storing consumer data, making it increasingly relevant to explore how to strategically manage a data breach should one occur. That perspective is examined using a case study of select data breaches and their implications. This thesis finds that investors initially react negatively to the disclosure of a data breach, expecting significant direct and indirect costs to follow. However, these negative financial implications are not expected to be sustained in the long term. A month after the first disclosure of a data breach, no significant financial implications can be found on average. Even so, select companies are still severely affected after a month, and these companies also significantly underperform the market over the course of a full year following the first disclosure. However, it proves difficult to predict both the initial and long-term financial implications of a data breach from the quantitative and categorical ramifications of the breach. Only the number of customer records compromised offers significant explanatory value, validating an assumption that the financial implications are largely related to indirect costs from the breach. As a result, how companies and managers handle the first disclosure and aftermath of the breach is very important.
The case study analysis finds that when facing a data breach, managers who wish to curtail the negative impact of the breach should refrain from trying to subvert media framing of the crisis and should take responsibility for events rather than frame themselves as victims. Furthermore, managers should ensure that their communication strategy is consistent with actions taken in the wake of a breach, to avoid sending mixed messages regarding their commitments to consumers. Lastly, this thesis proposes that managers may historically have lacked financial incentives to prioritise data security, as the expected long-term impact is insignificant. This is concluded to be likely to change with the impending General Data Protection Regulation. The regulation escalates the potential direct and indirect costs associated with a data breach, and further allows governments to penalise companies for not taking appropriate security measures even if a data breach does not happen.

Educations: MSc in International Marketing and Management, (Graduate Programme) Final Thesis; MSc in Finance and Investments, (Graduate Programme) Final Thesis
Publication date: 2018
Number of pages: 142