Every organization that suffers a serious ransomware attack faces years of financial pain and reputational damage, or at least this is what we’re often told.
While it’s true that the short-term costs of ransomware can be steep, there is less evidence about the longer-term costs that might follow.
One measure is the effect on share prices, which is the approach taken by a 2024 study by testing outfit Comparitech. The study analyzed the performance of 106 companies quoted on the New York Stock Exchange in the six months after an attack was made public, compared to the six months prior.
It’s a small but arguably meaningful way to measure what might be going on. Publicly quoted companies are required to reveal material attacks to shareholders, so we can at least be sure that the sample is representative of larger organizations without being skewed by non-reporting.
For better context, closing prices were measured against the performance of the NASDAQ tech index over the same timeframe, breaking out the victims by sector, ransomware strain, and the year in which the attack happened.
Did attacks dent share prices?
The short answer is ransomware had relatively little short-term effect. The immediate impact was an average 0.76% fall in share price, which recovered after a mere four days.
This is surprising. One would expect the biggest effects to happen immediately. In fact, after six months, share prices had risen by 10.6%, albeit underperforming the NASDAQ as a whole by 2.05%.
This suggests that investors can be remarkably sanguine about ransomware attacks, perhaps seeing them as negative events that are nonetheless containable.
But not so fast; the study also found evidence that the effect of ransomware attacks on stock prices has grown more recently. Companies disclosing attacks before 2022 outperformed the NASDAQ by 16.6%, whereas those doing so in or after that year underperformed it by 12%. In other words:
“The date of attack has a stronger correlation to share price than any other factor we looked at.”
The ransomware malware or group involved also had some influence, with ALPHV/BlackCat (-16.4%), BlackBasta (-14.7%), and Lapsus (-8.0%) notably worse than others.
A caveat is that ransomware attacks were measured separately from data breaches that might arise from the same incidents but not be fully disclosed until some time later. As a separate earlier study found, these seem to have a bigger negative effect on share prices over time.
Regulation’s hidden hand
The fact that ransomware is having a bigger effect on share price performance post-2022 suggests that investors have realized that it is a bigger deal than they previously assumed. This might be tied to the connection between ransomware and data breaches in many attacks.
This is reassuring. For years, one of the biggest problems in cybersecurity has been convincing organizations to take the subject seriously. If share prices are now being negatively affected by ransomware and data breaches, this is one pressure for change.
Or perhaps it’s not the ransomware attacks per se that are changing investors’ minds but the regulatory consequences that increasingly arise from them, especially among public companies.