
Shaylan Rao

How are financial institutions' stock prices impacted as a result of a security/cyber breach involving personally identifiable information, when made public?
Contents
1.0 Introduction
2.0 Technology in Financial Institutions
2.1 The economics behind Cyber-Attacks
3.0 Case study - JP Morgan Chase 2014
4.0 Source Assessment
4.1 Methodologies
4.2 Analysis
4.3 Conclusion
5.0 Conclusion
6.0 Recommendations
Appendix
Definitions
Section A
Fig. 1
Fig. 2
Section B
Fig. 1
Fig. 1.1
Fig. 1.2
Fig. 2
Fig. 2.1
Fig. 2.2
Section C
Table. 1
Fig. 2
Section D
Fig. 1
Fig. 1.1
Fig. 2
Fig. 2.1
Fig. 2.2
References


1.0 Introduction
Cyber-attacks constantly occur against financial institutions where data such as personally
identifiable information (PII) is at risk. Financial institutions classify data such as customer credit card
information, home address, date of birth and other items of information that can uniquely identify
you as PII. Attackers commonly leverage this information for ransom or place it on the black market
for financial gain. Depending on the public profile of an institution, once a large-scale attack or a
significant data loss event has been experienced, the aftermath of the incident is often made public
via media (Ismail, 2017). Cyber breach impact can be quantified by measuring various data points;
however, there is an infinite number of variables that can be considered and it is hard to distinguish
which are relevant. This leaves many areas of discrepancy when analysing data (i.e. the full scope for
data analysis). Whilst case studies that have been analysed show that there is an impact, the primary
causation for these critiqued areas could also be explained as an effect of unconsidered events. The
aim of this study is to investigate whether public information regarding cyber breaches involving PII
has an impact on the stock price of a financial institution.

Nowadays, the internet plays a crucial role for companies and businesses by acting as the backbone
for constant connectivity to multiple clients and partners around the world, operating in real time.
Being the network of networks, businesses can incorporate the use of the internet to intensify growth
and inter-organisational collaboration which benefits investors (Mayer, 2014). As well as this, financial
institutions are moving towards digital advancement by leveraging how data management and
infrastructure are implemented. Consequently, the value of PII in monetary terms has exploded since
the digital economy is very much based on transaction processing and management of data. As a result,
the action of data protection has equally intensified.

Despite having these aspects of growth and development, new risks and threats have consequently
grown at an alarming rate. As data flows through a digital network, access into the network can lead
to access through all connections within the network. Information security teams in these firms are
constantly employing new technologies and mitigation strategies in order to lower the risk and the
potential for compromising events. Nevertheless, firms must also be prepared for what to do in the
event of an incident.

2.0 Technology in Financial Institutions


Over the last decade, technology usage has grown exponentially within firms, causing the value of
data to boom. With the connectivity of the internet, global trade/financing has advanced (with the
exchange of data being critical to this). This is a primary factor in how electronic data has become so
valuable.

Financial institutions have continued to invest in emerging technology to generate
further revenue and higher profits by becoming more efficient, allowing a larger service base. An
example is artificial intelligence: former Citigroup Chief Executive Officer Vikram Pandit predicts that
in the next 5 years (from 2017), up to 30% of jobs will be replaced by artificial intelligence (The
Business Times, 2017).

Referring to Appendix A: Fig.1, the number of global deals has a linear trend averaging 160 more global
deals annually, highlighting the pace of activity within the industry. 2013 showed substantial growth
in Fintech financing in North America. The following year, Asia-Pacific invested USD$4 billion, almost
four times the amount of the previous year, whereas the rest of the world doubled its investments
to USD$3 billion. With the massive growth of fintech and the linear increase of global deals in this
space, the industry is continuing to deploy and rely on technology more than it has previously to
support its business model. It can also be inferred that a large amount of trust is being placed upon
technology systems. The industry is implementing automation to reduce its operational costs, with the
savings reinvested into the company or placed in dividends, which increases share value. Legacy
organisations find this more challenging since they depend on legacy infrastructure which then has to
be automated, whereas new entrants to the industry are able to enjoy a faster rate of growth
than their competitors. An example of this is Ant Financial.

Alibaba’s Ant Financial (formerly known as Alipay) gained over 100 million clients in 2016, growing to
over 500 million clients. As of May 2018, the client base had reached almost 622 million (PYMNTS,
2018). In 2014, with a record rise in the market value of USD$4.5 billion, the company grew into a
USD$150 billion company by 2017 and continues to rise (Wang, 2018). This level of growth
is largely down to technological growth and “great ability to make credit decisions” – Veteran
Chairman of Ant Financial (Wang, 2018). In August of 2016, the firm made a large investment in
cybersecurity to protect its electronic data and marketed its services as being a low-risk investment
(Wang, 2018). After two years, the stock value grew by 148% (Yahoo Finance, 2018). The company’s
goal was to increase its customer base, and it proved to have successfully reached this. By advertising
its low-risk factor, it made the company look more attractive to customers as they would feel safe and
confident with sharing PII and transferring money when utilizing the company’s services. According to
PwC, 85% of consumers will not do business with a company if they have concerns about security
practices (PWC, 2017). As a result of a large global customer base, the company began to dominate
the market and with new business developments, the market value grew exponentially. A positive
effect of a large customer base is the ability to generate more revenue, causing the demand for stocks
to increase and hence the stock value increases. This demonstrates the importance PII possesses and
how operating on a globally connected platform can influence the financial value of a company.
Besides cybersecurity, Alibaba reported a 3% increase in revenue from cloud computing (Alibaba,
2018). Referring to Appendix A: Fig.2, the impact technology has made is clearly reflected in the stock
value trend from 2016. With the current rate of growth, Ant Financial is projected to be worth over
one and a half times the value of Goldman Sachs (GS) and Morgan Stanley (MS), clearly showing the
impact technology can have within financial institutions (Wu, 2018).

In February 2016, Ant Financial experienced and declared a data breach affecting 20 million accounts.
The following week, the stock price dropped 14% to USD$60.89. Although it is unclear whether the
announcement was the cause of this drop, the company was clearly affected shortly after this event,
which supports the possibility that PII can have a strong impact on the share price.

Yue Wang writes for a reputable website, Forbes. The information published by her and another author,
Rob Olsen, on this website is both reliable and credible. The author is a journalist who specialises in
China’s technology sector. This information is from a webpage that describes and explains the timeline
of the company by means of sources ranging from publications made on social media by senior members
in finance to company statements. The information uses accurate references to support its explanations.
The author has worked as a journalist for many other credible news sources such as SCMP. Wang has had
an in-depth view into this field especially, and so the information given will be based on detailed knowledge.

Since its creation in 1914, the Federal Trade Commission (FTC) has had the duty to protect customers
across several industries. It was established that governments in each country have the obligation to
protect customers, including the security of PII. Since then, this role has developed into nationwide
organisations and agencies which set compliance requirements for banks to abide by in efforts to keep data
(including PII) secure (Thales eSecurity, 2018). Data regulations including encryption, KYC and AML
have been implemented in order to keep clients safe and banks compliant with regulations. Enterprise
risk management in banks is used to identify risks and dangers that can prevent them from
achieving their objectives, which include financial stability and availability of payment systems. With
threat levels rising, the risk appetite tends to reduce as a prioritised risk-based approach to mitigating
risk is adopted (Committee of Sponsoring Organizations, 2018). This leads to banks focusing on
specific areas for risk remediation whilst they conduct their standard operations. It should be noted that
the financial institutions are accepting a level of risk as a result.

2.1 The economics behind Cyber-Attacks

Analysis of multiple financial institutions' stock prices before and after a data breach will produce
evidence for whether there is an impact on stock price. Previous research (Campbell, 2007) took 83
occurrences from different banks and investigated the cost after the breach had been publicly
announced. Breach remediation costs impact the stock price, as the investment required for this can
be significant and is often taken from potential dividends, lowering the value of the stock to investors.
43 of the breaches showed a clear negative correlation and a subset of 11 from the population showed
a stronger negative correlation. These 11 were the only reports that included PII involving credit card
details and sensitive information. Campbell’s research not only shows that most breaches impact the
stock price, but that those involving PII have a significantly greater impact. This data was taken from 1995
to 2000 and so the information provided may be outdated; however, the principle of PII’s worth has
not changed, so the claim of stock price declining following a breach is still valid. Further research
(D'Arcy & Hovav, 2003) supports this by showing that DDoS attacks cause no significant losses or
abnormal returns to the share price. During an interview with an expert, Matthew Nixon, when
questioned on his opinion of the economic impact of PII attacks, he stated that the importance and
security of data and PII to financial institutions has always been of top priority, and vital to the effective
functioning of the banking system. The move of most information to a digital platform
on a larger scale has meant that handling customer data is much easier; however, it has
increased the levels of risk banks face in terms of information security, given data is fast becoming one of
their most important assets.

Matthew Nixon is a qualified cybersecurity expert with over 14 years’ experience. The information he
provides is his own opinion based on his experience and insights from the finance industry, making his
statements reliable and credible. As he is an expert in the field of information and technology risk, his
statements can be considered accurate and current, as his role is closely linked to specific areas within
technology risk. The purpose of his opinion is to get a true, personal view from an expert who works in
the line of data protection. This also proves that there is a high level of authenticity.

The most common incentive to maliciously exfiltrate PII is that it can be exploited for a range of illicit
gains (Zurier, 2018). These exploits include withdrawing large quantities of money, blackmail and, more
commonly, identity theft. Stolen PII can be accessed on the dark web, an unpoliced global
platform typically used for illegal activity. On the black market, a single person's PII can be sold within
the range of USD$1 to USD$450 based on several factors such as the economic status of the individual
and the type of information available. The median price of a general identity is estimated at USD$21.35;
with cases of thousands to millions of records stolen, an average gain of USD$10-20 million could be
obtained (Collins, 2015). Security professionals estimate that the selling price on the black market is
less than 5% of its worth to the bank. The equilibrium between supply and demand has fallen very
short of what it was estimated to be. This is due to easy access to the data and the low risk involved in
gaining PII. This means that there is a low risk-to-reward ratio for people in low-income countries,
where cyber-attacks can generate much larger profits than a regular wage (Collins, 2015).

3.0 Case study - JP Morgan Chase 2014


This case study analyses the J.P. Morgan Chase & Co. data breach (2014): how it occurred and the
impact on the firm, including its stock value following the first public announcement. This is one of
the largest cyber breaches ever. In August 2014, J.P. Morgan Chase & Co. was reported by Bloomberg
to have been breached (Robertson, 2014). J.P. Morgan is one of the biggest financial institutions in
the world; being a global corporation, it assists millions of small banks as well as government,
institutional and corporate customers (JPMorgan Chase & Co., 2014). The attack affected 7 million
businesses and as many as 76 million connected households (United States Securities and Exchange
Commission, 2014).

Further information was released in late August, stating that they traced the attack back to early June
during a routine search review (Schwartz, 2014). Foreign code had been detected and was exfiltrating
gigabytes of customer records from J.P. Morgan servers. The malware exploited several zero-day
weaknesses within the infrastructure of the bank’s network. Despite no financial information being
leaked, dates of birth, social security numbers, passwords and much more were stolen from several
accounts. When the data flow was traced, it passed through numerous countries before
terminating in a large Russian city. It was suspected that this was a Russian state-sponsored attack
based on the scale and magnitude of the operation (Robertson, 2014).

J.P. Morgan announced they would be investing USD$250 million annually into their cybersecurity,
which is a vast amount of money even though their market capitalization stands within the billions.
Considering the amount invested in security, one would assume that the probability of a vulnerability
being exploited would be low, the bank being known as one of the most secure banking institutions
(Schwartz, 2014). Looking into the infrastructure surrounding the main server network, the attack started
with a staff member's credentials being compromised, allowing the attackers to access the network and
servers. Although hundreds of servers had a secure gateway, one of them did not. The
servers were secured under multi-factor authentication. Arguably, as a result of poor data
management, most customer details were stored on these servers (Roman, 2014). The breach was
not a result of the bank as a whole having poor cybersecurity policy/standards but of multiple specific
weaknesses which led to the compromise (Roman, 2014). Financially, the effect of disclosing the
incident caused the stock price to fall by 0.2% in after-hours trading and a further 0.9% when the
market re-opened. JP Morgan (JPM) eventually lost 1.3% of their original stock value from the August
before the announcement (Huddleston, 2014).

The United States Securities and Exchange Commission’s report, “FORM 8-K” is a government-issued
report. This source is extremely reliable and accurate as it is a national publication from a centralised
source from the government. The report is authored not by a single author but multiple contributors
who are data and analytics experts meaning that the source has a high level of authenticity. This is a
form of regulation with new demands for financial institutions and links to new guides with a digital
signature of the Senior Vice President from J.P Morgan. As this is a signed document, the currency is
relevant towards the date of the announcement of the breach. The commissions of security are the
biggest experts in the field and the purpose of this source is to show the regulations that the institutions
have pledged to follow.

The public would have been aware of the breach on August 27th, 2014 from Bloomberg. Analysing
Appendix B: Fig.1, up to a month before the event (public announcement), the stock prices were
consistently increasing. Days before the event, the price peaked at a high of USD$60 before falling the
next day to USD$59.2 and reached a low on the day after the event of USD$58.6. J.P Morgan disclosed
the event with a full report detailing the full impact of the attack including figures on how many
records were breached. This was released on 02/10/14; the following day the price fell 2.4%, showing
a more significant impact than the Bloomberg announcement date. The more significant dips in share
price, such as 11/07/14, 15/10/14 and 16/12/14, were a result of purely financially driven motives
related to overestimated returns and failed targets. Reviewing Appendix B: Fig. 1.1, before the event,
the trading volume was dropping leading to a decrease in the stock price representative of a bearish
trend. This means that despite the fall in the stock price after the event, there is evidence in favour of
the drop being inevitable regardless of the event. Looking at Appendix B: Fig. 2.2, the day before the
event, a spinning top can be identified representing a potential reversal of the upward trend. This
leads to the idea that the news of the breach was leaked before the first public announcement on the
27th. On t+1 (28th), a dragonfly doji can be spotted followed by a gravestone doji showing the sellers
dominated the market just after the release and then were swept by buyers after the price fell.

J.P. Morgan is known to have been hit by the ‘largest theft of customer data from a financial institution in
US history’, which affected their revenue estimations for that year. The number of investors dropped
by 11% by the end of the year and, within their annual review, customer/data protection was
mentioned in 35 more instances than in the previous year (JPMorgan Chase & Co., 2014).
The impact of this breach not only destabilized the stock activity but also impacted its reputational risk,
as the firm was deemed ‘insecure’. The effect of a poor reputation can last for years and with such a large-scale
event, the level of fake news can explode. When unfamiliar or new customers research possible
organisations to bank with, false, negative information can be a deal breaker and as a result, the stock
value cannot reach its potential. The damage on the stock value can be long-term although not
necessarily quantifiable.

4.0 Source Assessment


There has been limited research regarding the effect of cyber breaches on financial institutions' stock
prices. This is due to the complications and uncertainties involved with developing the several analytical
models required to form valid statements. The data required to analyse multiple institutions is
restricted to credible authors/statisticians with whom the institutions trust sharing it, as most data is
confidential. This is a personal, critical evaluation of several publications to find an answer to the
question.

Cyber breaches that expose confidential customer information can critically affect a firm’s reputation,
losing investors as well as incurring the consequences of reputational impact and opportunity cost. The
outflow of sensitive material can lead to customers seeking litigation against the firm, or government
authorities imposing financial penalties upon the firm. As a result, this is likely to hold the firm back
and cause it to lose its competitive edge to other like-sized companies. This could lead to a fall in stock
value from the lack of shareholder investment.

4.1 Methodologies

The methodology of an investigation is crucial as it takes specific data from chosen events and
produces results based on the purpose of the investigation. In this case, using actual and simulated
stock price data from multiple events will give numeric reasoning. Detailed research (Goel,
2009) on firms affected by breaches between 2004 and 2008 shows several
possible methods by which they can be analysed. Goel uses an event-study methodology to inspect stock
market data before and after the announcement of a breach occurring. When analysing stock prices,
there are three types of event-studies: i) market efficiency, ii) information utility, iii) metric
explanation. Market efficiency assesses the speed and accuracy of market change in response to
information; this information could include earning reports/estimates. Information utility evaluates how
security prices react to specific information released, in this case, securities being equities in the form of stocks.
Metric explanation creates a numerical, statistical model that uses regression to explain abnormal
returns around the time of the event. Other research (Campbell, 2012) suggested using specific steps
when carrying out an event-study, as shown in Appendix C: Table. 1. Estimating anticipated
returns requires a single factor model which assumes the relationship between the individual
securities and market portfolio returns is linear. Statistically, this produces one of the most reliable
and reproducible results to date.

The return on a security is calculated by adding the measure of risk-adjusted performance and the
disturbance (normally distributed) to the product of systematic risk and the return on the market
portfolio, as shown in Appendix: Fig. 2. The Modigliani measure (M2) is used to quantify risk-adjusted
performance; this is the improved version based on the Sharpe ratio, as it can be more widely
interpreted (The Economic Times, 2018). This assesses each firm against itself with realistic
fluctuations that are predicted based on advanced software.

A second set is needed to act as a backbone with the Fama-French three-factor regression model
(Fama & French, 2004). The Fama-French model is an extension to the capital asset pricing model
(CAPM) as it also includes size and value risks. Researchers use this as it is a more reliable evaluation
tool, adjusted towards more realistic scenarios in which small-cap stocks tend to outperform
(Investopedia, 2017). By subtracting the normal returns from the actual returns, we generate the
abnormal returns. Typically, the number of days around the event needs to be sufficient to
produce a valid statement, such as a year.
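
The single-factor market model and the abnormal-return calculation described above, as an added worked example (not code from the cited studies or from this paper). It fits R_stock = alpha + beta * R_market + e on a pre-event window, computes AR and CAR around the announcement day, and averages them across events in the way the sample-level figures in section 4.2 are built. The return series, window lengths, shock sizes and function names are constructed assumptions.

```python
"""Single-factor (market model) event study on constructed daily returns."""
import random
from statistics import mean


def fit_market_model(stock, market):
    """OLS fit of R_stock = alpha + beta * R_market + e; returns (alpha, beta)."""
    mx, my = mean(market), mean(stock)
    sxx = sum((x - mx) ** 2 for x in market)
    if sxx == 0:
        raise ValueError("market returns have zero variance")
    beta = sum((x - mx) * (y - my) for x, y in zip(market, stock)) / sxx
    return my - beta * mx, beta


def event_study(stock, market, event_idx, est_len=120, gap=10, pre=5, post=5):
    """Return {t: (AR_t, CAR_t)} for t = -pre..+post around the announcement.

    alpha and beta are estimated on est_len days that end gap days before the
    event window, so pre-announcement leakage does not bias the normal return.
    """
    est_end = event_idx - pre - gap
    est_start = est_end - est_len
    if est_start < 0 or event_idx + post >= len(stock):
        raise ValueError("not enough data around the event")
    alpha, beta = fit_market_model(stock[est_start:est_end],
                                   market[est_start:est_end])
    result, car = {}, 0.0
    for t in range(-pre, post + 1):
        i = event_idx + t
        ar = stock[i] - (alpha + beta * market[i])  # actual minus normal return
        car += ar
        result[t] = (ar, car)
    return result


def average_across_events(studies):
    """Average AR per relative day across events, then cumulate the average."""
    out, running = {}, 0.0
    for t in sorted(studies[0]):
        aar = mean(s[t][0] for s in studies)
        running += aar
        out[t] = (aar, running)
    return out


def make_constructed_series(shock_t0, shock_t1, noise_sd=0.002, seed=7,
                            n=200, event_idx=150, alpha=0.0002, beta=1.2):
    """Constructed sample data: a firm that tracks the market, with a return
    shock added on the announcement day (t0) and the day after (t+1)."""
    rng = random.Random(seed)
    market = [rng.gauss(0.0004, 0.01) for _ in range(n)]
    stock = [alpha + beta * m + rng.gauss(0.0, noise_sd) for m in market]
    stock[event_idx] += shock_t0
    stock[event_idx + 1] += shock_t1
    return stock, market, event_idx


if __name__ == "__main__":
    # Two constructed breach announcements with different shock sizes.
    studies = [
        event_study(*make_constructed_series(-0.02, -0.01, seed=1)),
        event_study(*make_constructed_series(-0.04, -0.02, seed=2)),
    ]
    print("  t   avg AR    avg CAR")
    for t, (aar, caar) in average_across_events(studies).items():
        print(f"{t:+3d}  {aar:+.4f}  {caar:+.4f}")
```

Setting noise_sd to 0 makes the recovered abnormal returns equal the injected shocks, which is a quick way to check the windowing before running on real price data.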

John Y Campbell is a British-American economist who has published 5 books and over 100 articles on
finance and microeconomics. The book was initially published in 1997 but was remastered in 2012 with
more modernised content. As the book contains theoretical economics, the currency of the book does
not impact the information given and is still currently being applied by economists. As the book was
written by 3 other authors, including a professor of Finance at MIT, and Campbell, who is still a professor
of Economics at Harvard University, it can be agreed that the source contains accurate and reliable
research. The purpose of this source is to help identify the methodology in how to assess stock price
impact.

4.2 Analysis

From the event-study (Goel, 2009), the assumption in his methodology is that the events are within
an efficient market. The event date is set as the date on which the first media report regarding the breach
was released, 93% of which were reported by credible sites such as The Register (Thomson, 2017),
Wall Street Journal (Andriotis, 2018) and several others. For a more thorough evaluation of impact,
breaches have been categorised by their magnitude based on the number of people who have
been affected (PII records that have been exposed). This is crucial in analysing whether anomalies and
correlations can be observed in terms of the impact on the return price. As financial institutions must
protect against threats and cyber-attacks daily, the chance of a major breach exposing a zero-day
threat becomes feasible and as a result, several more breaches could occur from different attackers.
Using firms which have had more than one breach within a year would produce anomalies in the data and
an unclear view of the impact, and so these have been excluded from the data field.

With 205 events and 168 exact dates recorded, 37 results were slightly unclear due to the bias
introduced when estimating the date of the announcement, as they were based on the residual days
around the time of the event. Consequently, the impact of these events cannot be claimed, and so, purely
analysing the subset of exact dated events, there are some very clear trends. Appendix D: Fig. 1
illustrates the average abnormal returns (AR) and cumulative abnormal returns (CAR) from the
sample using the single factor market model. Appendix D: Fig. 1.1 presents the same data, but from
the Fama-French three-factor model. The single model graph shows a basic overview whereas the
Fama-French model considers firm size and value of premiums (Jagannathan & Ma, 2003). This
produces a source of greater reliability than the single factor model.

Comparing the two graphs, the behaviour of AR and CAR is alike when close to the time of the event.
As the CAR is within 0.26% and on average 0.36 in Appendix D: Fig. 2.1., the models used to predict the
expected market prices are very accurate. The average and CAR decline significantly between t-2 and
t0 of the event; however, it would only be suggested that this may occur after the event if a negative
decline was predicted. It is possible that this is due to inside information being leaked into areas of
the public that then spreads. Another possibility is that information regarding the breach may have
leaked and stayed only within the firm, but the insiders may be affected personally. This, in
combination with those who have had their records exfiltrated, could cause a large withdrawal of
customers and funds from the firm. Alternatively, a little information could trigger substantial market
speculation on the firm’s future stock value, thus leading to a negative decline in market value in the
days prior to the event even occurring. There is an inevitable time delay between a firm discovering a
breach, investigating it and finally announcing it with the new governing rules of mandatory breach
reporting (Personal Data Protection Commission, 2017) (Schwartz, 2016).

From the same graph, it can be seen that there is a continuous negative impact on the returns on the
day of the event and an accelerated decrease over the following days. This is strong supporting
evidence for breaches having a negative impact on stock prices, as 74% of all cases involve PII. The
gradient of the drop shows the scale of economic impact on the market to that date, and negative
peaks indicate the greatest point for loss of returns. Taking an in-depth look into cases of major
negative reactions, it appears that they share a similar trait: the news does not include specific
facts or data points on the financial impact caused. This decreases investors’ security and confidence
regarding the extent of damage possibly caused, therefore reducing stock activity and volume. It is key that
the firm either articulates its response to the public so that fear levels decrease, shows a clear
understanding of the toll taken together with an immediate, future-proofed plan in response, or both.

The extent of the decline in CAR measures in the region of 8% around the time of the event
in the single factor model and 1% in the Fama-French three-factor model. Referring to Appendix
D: Fig. 1.1, the ARs that appear to be significant near the time of the event are at t-2, t-1 and t+1,
all of which are negative. This means that the reaction to the breach was short and sharp but would have a
gradual recovery, the firms being blue chips. A detailed inspection of the Fama-French graph, shown in
Appendix D: Fig. 2.2, shows that at t-4 the abnormal returns start to decrease and then dip at t-2 for AR and CAR.
The lowest point is observed at t+1, with recovery commencing at t+4.

Sanjay Goel is a professor in Information Technology Management at the University of Albany. He is a
researcher in security and privacy for technology, meaning that this source has accurate and reliable
information. This journal is one of the first documents published on the topic, thus guaranteeing its
authenticity. The journal has several credible sources that it refers to, meaning that this is a balanced
source supported by explanations.


4.3 Conclusion
From this data, it can confidently be stated that security breaches regarding PII disclosed to the public have
a significant impact on the stock prices of financial firms. Public disclosure of breaches of sensitive
material regarding customers can seriously affect a firm’s reputation. The findings show a substantially
negative AR and CAR around the time of the events, modelled by single and three-factor market
modelling. Both models prove that around the time of the event, both before and after, there is a statistically
significant negative return rate. The greatest drop occurred on the days following the announcement,
which backs up the announcement being the main cause of share price decline. The results show that
on average, a firm’s market value is likely to fall 1% after a public release of information regarding a
data breach. A limitation of this source is that the firms would have disclosed different levels of
detail regarding the breach, as it is up to the firm to disclose information. This could mean
that key information may not have been released, possibly reducing the impact on share price.

5.0 Conclusion
In conclusion, the supporting evidence suggests that there is a negative impact on financial institutions
after a cyber breach involving PII. Assessing the trends in stock activity, the argument for banks not
being impacted is that the drop is only a shock reaction to the event, before investors realise that the impact is not
widespread. After this temporary period of decline, banks will still retain their value with a strong
balance sheet, and the business model maintains a constant but gradual rate of growth. This is a
characteristic of blue-chip stocks; however, stating that breaches do not impact a bank is only valid on
a macro-scale (spanning 2 months or more). It is justifiable to state that there is an insignificant
level of impact relative to other economic events. Financial institutions use technology in business,
however, their main role is to offer services based in the finance market. It could be argued that
financial institutions are becoming technology organisations that provide financial services.

All the events from the case studies have three main factors in common: i) cost, ii) reputational and iii)
speculation impact on the bank. Rare events such as J.P. Morgan’s breach can cost a substantial
amount and, as a result, banks may need to make cuts in order to reduce their liabilities so that they
can pay for possible regulatory fines and remediation. The significant costs of a data breach come not
from the damage of the breach but from the fines from regulators. In most cases, banks have to transfer
money out of dividends and other areas to facilitate the remediation cost. This makes the stock less
attractive, hence lowering the stock value.

Reputation is the key factor that can have a long-term impact but it is challenging to produce
quantitative evidence. This is because stock forecasting becomes inaccurate over a long period of time,
making the reliability of data too poor to analyse. In spite of this, the likelihood of a poor reputation
can justify a glacial rate of growth in a firm. Limited information being released shortly after the bank
discovers a breach leads to mass speculation and a net movement in market leaders’ advice. Fake
news slowly merges with facts, making investors unsure and decreasing demand for the stocks,
lowering the price. The change in the stock market is greatly influenced by the law of supply and
demand, so fake news and speculation are the biggest variables that affect people’s investment
decisions and, as a result, have an impact on the stock price of a particular firm.

I have found that cyber breaches involving PII have the potential to create an impact on the stock price;
however, this is only substantial in the short term and can be considered negligible compared to
changes in the economy over the long term.


6.0 Recommendations
From my findings, I believe that amendments can be made to reduce speculation and uncertainty in
the news which impacts the stock value of firms.

In February 2018, Australia implemented a mandatory breach reporting framework for companies to
follow. This includes specific questions that a firm must answer to detail the facts about the breach
within a given time frame of discovering the breach (Office of the Australian Information
Commissioner, 2018). This is extremely important to regulators, as the breach may impact not only a
firm but the finance industry. Currently, banks decide how much information to release and in what
level of detail. This can be very unclear, as banks do not want to reveal any private information
regarding how the firm operates. A mandatory breach reporting framework can act as a universal
medium, allowing comparisons and analysis of each breach across banks. Each bank will have to
give the same input with an equal level of detail. Regulators can decide whether the bank needs to
make a public disclosure releasing this information according to the impact of the breach. I think that
this will reduce the level of speculation, as there will be concrete evidence from banks regarding the
details of the breach and no need for hypothesizing about the potential damage to the financial
institution, allowing the market to operate efficiently and with a more complete view of required
information.

A framework for mandatory breach reporting makes the process of declaring a PII breach more
transparent with only major breaches potentially impacting the stock value.

Word Count: 5500


Appendix

Definitions:

Financial Institute – A business company that handles financial transactions, trade, investments and
provides a service for the public

PII – Data that can identify an individual. Commonly used by customers for identification to access
specific contents in Financial Institutions

Stock Price – The price of purchasing a security. The price can fluctuate with volatility in the market,
economic conditions and several other factors

Fintech – Software and hardware that is used to enable/support financial services

KYC – Know Your Client. A banking procedure that helps the bank stay secure by knowing the
identity of customers that use the services of the bank

AML – Anti-Money-Laundering. A set of procedures that help identify and prevent the generation of
income via illegal acts

Enterprise Risk Management – (ERM). "A process, effected by an entity's board of directors,
management and other personnel, applied in strategy-setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage risk to be within its
risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." -
(Committee of Sponsoring Organizations, 2018)

Risk Appetite – The level of risk an organization is prepared to allow to meet objectives

Ordinary Least Squares – A method for estimating unknown parameters on a linear regression
model

DDoS – Denial of service. An unauthorized interruption to a computer network, typically with
malicious intent

Citibank / Standard Chartered – Financial institutions in the banking sector

Dark Web – A section in the world wide web where users can stay anonymous and is accessed using
special software

Malware – Software designed to harm and/or disrupt unauthorized computer systems/networks

Zero Day – Previously unknown vulnerabilities in software that is or has just been vulnerable to
attack

State-Sponsored Attack – Government supported cyber-attacks with political or economic
motivation

Gateway – A device or route that is used to connect several networks


Trading Volume – The total number of securities (stocks) that have been traded in a given time
frame. Usually measured in shares per day

High/Low/Close Price – The highest / lowest price the stock reached in the trading day. The close
price is the price of the stock when the trading day finished

A Security – A financial instrument that possesses a form of monetary value

Risk-Adjusted Performance – A measure of how much risk is involved in producing that return.
Typically measured as a rating or figure. This is applied to securities for estimations and evaluation
for investors

Market Portfolio – A grouping of (all) financial assets, assessing a firm’s total existence in the market

Sharpe Ratio – A measure of the performance of an investment by adjusting for risk. The average
return earned in excess of the risk-free rate per unit of total risk

Small-Cap – Companies with a relatively small market capitalization

Efficient Market – A market where all data is visible to all participants simultaneously. Stock markets
are considered to be an efficient market.

(Cumulative) Abnormal Returns – (The cumulative total of) the difference between the actual return
gained against the expected value of return in a given period (a day).

Multiple factor authentication – Access only gained once multiple pieces of information are entered
(e.g. username, compound password, USB embedded passcode).


Section A

Fig. 1
Reference: Global Fintech Financing Activity, Graph showing investments and number of global deals
from 2010 to 2015. [Graph] Available at: https://www.ft.com/content/78058d7c-7c90-11e7-9108-edda0bcbc928
[Accessed 28 July 2018]

Fig. 2
Reference: Alibaba Group Holding Ltd.’s stock value, Graph showing Alibaba Group Holding Ltd.’s
stock price from 2014 to present. [Graph] Available at:
https://www.google.com/search?q=alibaba+group+stock&ie=utf-8&oe=utf-8&client=firefox-b-ab
[Accessed 05 August 2018]


Section B

[Chart: Stock Prices, t-121 - t119 of first release. Y-axis: USD (52 to 62); x-axis: dates from 28-04-14 to 28-11-14. Series: Open, High, Low. A marker represents the date of the announcement.]

Fig. 1

[Chart: Trading Volume, t-121 - t119 of first release. Y-axis: 0 to 40000000; x-axis: dates from 28-04-14 to 28-11-14.]

Fig. 1.1

[Chart: Candlestick Chart, t-121 - t119 of first release. Y-axis: USD (52 to 62); x-axis: weekly dates from 28-04-14 to 24-11-14.]

Fig. 1.2

[Charts: "Stock Prices, t-8 - t19 of first release", "Trading Volume, t-8 - t19 of first release" and "Candlestick Chart t-121 - t119 of first release". Axes: USD and trading volume against daily dates from 19-08-14 to 15-09-14. Series: Open, High, Low. Candlestick annotations: Spinning top doji, Dragon fly doji, Gravestone doji.]

Fig. 2
Fig. 2.1
Fig. 2.2

Section C

1. Define the time frame for before and after the event where the stock prices are being monitored

2. Acknowledge a criterion for analysing the firms for the study

3. Use a suitable model for computing the abnormal returns

4. Design a testing framework for abnormal returns
a) Define a null hypothesis
b) Determine specific techniques for aggregating the data on an individual level
c) Select appropriate statistical tests for analysing the data

5. Collection of data
a) Collect the data of stock prices of individual firms around the time of the event
b) Identify firms which fit the criteria or have significant changes

Table. 1

Fig. 2
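
The five steps above, worked through for a single firm with the single-factor market model, as an added example (not code from the essay or from Goel, 2009). The 120-day estimation window, the t-5 to t+5 event window, the t-test on the final CAR and every return value are assumptions constructed for illustration.

```python
"""Single-factor market-model event study on constructed data (added example)."""
from math import sqrt

EST_LEN = 120                      # estimation window length (assumed)
EVENT_DAYS = list(range(-5, 6))    # event window t-5 .. t+5 (assumed)


def ols_market_model(firm, market):
    """Fit R_firm = alpha + beta * R_market by ordinary least squares."""
    n = len(firm)
    mean_f, mean_m = sum(firm) / n, sum(market) / n
    sxx = sum((m - mean_m) ** 2 for m in market)
    sxy = sum((m - mean_m) * (f - mean_f) for f, m in zip(firm, market))
    beta = sxy / sxx
    alpha = mean_f - beta * mean_m
    resid = [f - (alpha + beta * m) for f, m in zip(firm, market)]
    sigma = sqrt(sum(r * r for r in resid) / (n - 2))   # residual std. dev.
    return alpha, beta, sigma


def event_study(firm, market, est_len=EST_LEN):
    """Return per-day AR, running CAR and a t-statistic for H0: CAR = 0."""
    alpha, beta, sigma = ols_market_model(firm[:est_len], market[:est_len])
    # Abnormal return = actual return minus the return the model expected.
    ar = [f - (alpha + beta * m)
          for f, m in zip(firm[est_len:], market[est_len:])]
    car, total = [], 0.0
    for x in ar:
        total += x
        car.append(total)
    # Under H0 the ARs are treated as i.i.d. with the estimation-window
    # variance, so Var(CAR) = L * sigma^2 (estimation error in alpha/beta ignored).
    t_stat = car[-1] / (sigma * sqrt(len(ar)))
    return {"alpha": alpha, "beta": beta, "ar": ar, "car": car, "t": t_stat}


def constructed_sample():
    """Build deterministic, constructed daily returns (not real market data)."""
    m_pat = [0.008, -0.004, 0.002, -0.006]     # market return pattern
    e_pat = [0.002, 0.002, -0.004, 0.0]        # firm-specific noise pattern
    shock = [0.0, -0.002, 0.0, -0.008, -0.006, -0.004,
             -0.010, 0.001, 0.001, 0.003, 0.002]   # injected AR, t-5 .. t+5
    n = EST_LEN + len(shock)
    market = [m_pat[i % 4] for i in range(n)]
    firm = []
    for i, m in enumerate(market):
        base = 0.0003 + 1.2 * m                # true alpha and beta (constructed)
        extra = e_pat[i % 4] if i < EST_LEN else shock[i - EST_LEN]
        firm.append(base + extra)
    return firm, market


if __name__ == "__main__":
    firm, market = constructed_sample()
    res = event_study(firm, market)
    print(f"alpha={res['alpha']:.5f} beta={res['beta']:.3f} t(CAR)={res['t']:.2f}")
    for day, ar, car in zip(EVENT_DAYS, res["ar"], res["car"]):
        print(f"t{day:+d}  AR={ar:+.4%}  CAR={car:+.4%}")
```

With real data, the two return series would come from daily closing prices of the firm and a market index, and the same calculation would be repeated per firm before averaging AR and CAR across the sample.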


Section D

Fig. 1
(Goel, 2009)


Fig. 1.1
(Goel, 2009)

Fig. 2
(Goel, 2009)


Fig. 2.1
(Goel, 2009)

Fig. 2.2
(Goel, 2009)


References
Alibaba, 2018. Alibaba Group Announces March Quarter 2018 Results and Full Fiscal Year 2018
Results. [Online]
Available at: https://www.businesswire.com/news/home/20180504005297/en/Alibaba-Group-Announces-March-Quarter-2018-Results
[Accessed 8 August 2018].

Andriotis, A., 2018. Equifax Hack Might Be Worse Than You Think. [Online]
Available at: https://www.wsj.com/articles/equifax-hack-might-be-worse-than-you-think-1518191370
[Accessed 8 August 2018].

Campbell, J. Y., 2012. Econometrics of Financial Markets. 1 ed. New Jersey: Princeton University
Press.

Campbell, K., 2003. The economic cost of publicly announced information security breaches:
empirical evidence from the stock market*. Journal of Computer Security, 11(3), pp. 431-448.

Campbell, K., 2007. The Economic Cost of Publicly Announced Information Security Breaches.
Empirical Evidence from the Stock Market, 11(3), pp. 431-448.

Centrify, 2017. The Impact of Data Breaches on Reputation and Share Value. [Online]
Available at:
https://www.centrify.com/media/4772757/ponemon_data_breach_impact_study_uk.pdf
[Accessed 24 June 2018].

Collins, K., 2015. Here’s what your stolen identity goes for on the internet’s black market. [Online]
Available at: https://qz.com/460482/heres-what-your-stolen-identity-goes-for-on-the-internets-black-market/
[Accessed 24 July 2018].

Committee of Sponsoring Organizations, 2018. Enterprise Risk Management Framework, Chicago:
COSO.

D'Arcy, J. & Hovav, A., 2003. The Impact of Denial-of-Service Attack Announcements on the Market
Value of Firms. Risk Management and Insurance Review, 6(2), pp. 97-121.

Fama, E. & French, K. R., 2004. The capital asset pricing model: Theory and evidence. [Online]
Available at:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=2ah
UKEwiPs4LAwJTfAhWBO48KHYVPDnIQFjACegQICBAC&url=http%3A%2F%2Flegacy.earlham.edu%2F
~lautzma%2Findex_files%2FCapital%2FPart%25202%2FCAPM_Fama_French_JEP_2004.pdf&usg=AO
vVaw
[Accessed 13 July 2018].

Goel, S., 2009. Estimating the market impact of security breach announcements on firm values.
Information & Management, 47(7), pp. 404-410.

Gordan, M., 2006. When should companies go public following a security breach?. Computer Fraud
& Security, 2006(9), pp. 16-18.


Gordon, L. A., 2006. Information System Frontiers. Economic aspects of information security: An
emerging field of research, 8(5), pp. 335-337.

Huddleston, T., 2014. JPMorgan Chase says hacking affected 76 million households. [Online]
Available at: http://fortune.com/2014/10/02/jpmorgan-chase-disclosed-cyber-breach/
[Accessed 29 July 2018].

Investopedia, 2017. Fama and French Three Factor Model. [Online]
Available at: https://www.investopedia.com/terms/f/famaandfrenchthreefactormodel.asp
[Accessed 5 August 2018].

Ismail, N., 2017. Cyber crime and the banking sector: top threats and secure banking of the future.
[Online]
Available at: https://www.information-age.com/cyber-crime-banking-sector-123464602/
[Accessed 13 July 2018].

Jagannathan, R. & Ma, T., 2003. Risk reduction in large portfolios. The Journal of Finance, 58(4), pp.
1651-1683.

JPMorgan Chase & Co., 2014. JPMorgan Chase & Co.. [Online]
Available at: https://web.archive.org/web/20140725165234/http://jpmorganchase.com/
[Accessed 27 July 2018].

JPMorgan Chase & Co., 2014. JPMorgan Chase & Co. Annual Report 2014. [Online]
Available at:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ah
UKEwiznveAwpTfAhVBM48KHaKfBuIQFjAAegQIChAC&url=https%3A%2F%2Fwww.jpmorganchase.co
m%2Fcorporate%2Finvestor-relations%2Fdocument%2FJPMC-2014-
AnnualReport.pdf&usg=AOvVaw3xv
[Accessed 20 August 2018].

Loveless, N. J., 2015. DDoS Attacks Against Banks Increasing. [Online]
Available at: https://www.bankinfosecurity.com/ddos-a-8497
[Accessed 19 July 2018].

Mayer, J. H., 2014. A BUSINESS PERSPECTIVE FOR IMPROVING MANAGEMENT SUPPORT SYSTEMS.
MANAGERS AND COLLABORATION TECHNOLOGY, 1(1), pp. 7-15.

Modi, S. B., 2015. Shareholder value implications of service failures in triads: The case of customer
information security breaches. Journal of Operations Management, 35(1), pp. 21-39.

Morse, E. A., 2011. Market Price Effects of Data Security Breaches. Information Security Journal: A
Global Perspective, 20(6), pp. 263-273.

Office of the Australian Information Commissioner, 2018. Privacy Breach Management Report
Template. [Online]
Available at:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=2ahUKEwjDw8LjsJTfA
hWJto8KHRZqCIgQFjAAegQICBAC&url=https%3A%2F%2Fwww.oic.qld.gov.au%2F__data%2Fassets%
2Fword_doc%2F0009%2F35487%2Ftemplate-privacy-breach-
management.dotx&usg=AOvVaw02mMnwhr


Personal Data Protection Commission, 2017. Banks’ Feedback on the PDPC’s Public Consultation on
Approaches to Managing Personal Data in the Digital Economy, Singapore: Personal Data Protection
Commission.
Available at:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ah
UKEwjAraORw5TfAhXKv48KHd0uDCIQFjAAegQICRAB&url=https%3A%2F%2Fwww.pdpc.gov.sg%2Fp
dpc%2Fnews%2Flatest-updates%2F2018%2F02%2Fpdpcs-response-to-public-consultation-on-
approaches-to-managing-personal-data-in-the-digital-
economy&usg=AOvVaw2hr0zGIyFYzrzkVbEzGyGd

PWC, 2017. How consumers see cybersecurity and privacy risks and what to do about it. [Online]
Available at: https://www.pwc.com/us/en/services/consulting/library/consumer-intelligence-series/cybersecurity-protect-me.html
[Accessed 11 July 2018]

PYMNTS, 2018. Ant Financial Has More Than 600 Million Users. [Online]
Available at: https://www.pymnts.com/news/alternative-financial-services/2018/ant-financial-600-million-users/
[Accessed 13 August 2018].

Reuters, 2018. China's cyber watchdog scolds Ant Financial over user privacy breach. [Online]
Available at: https://www.reuters.com/article/us-ant-financial-china/chinas-cyber-watchdog-scolds-ant-financial-over-user-privacy-breach-idUSKBN1F006B
[Accessed 17 August 2018].

Robertson, J., 2014. JPMorgan, Four Other Banks Hit by Hackers: U.S. Official. [Online]
Available at: https://www.bloomberg.com/news/articles/2014-08-27/customer-data-said-at-risk-for-jpmorgan-and-4-more-banks
[Accessed 2 August 2018].

Roman, J., 2014. Bankinfosecurity.com. [Online]
Available at: https://www.bankinfosecurity.com/jpmorgan-chase-confirms-cyber-attack-a-7319
[Accessed 1 August 2018].

Roman, J., 2014. Chase Ramps Up Security: Is It Enough?. [Online]
Available at: https://www.bankinfosecurity.com/chase-ramps-up-security-enough-a-6753
[Accessed 2 August 2018].

Schwartz, M. J., 2014. New JPMorgan Chase Breach Details Emerge. [Online]
Available at: https://www.bankinfosecurity.com/further-jpmorgan-breach-details-emerge-a-7249
[Accessed 1 August 2018].

Schwartz, M. J., 2016. A Look at Breach Notification Laws Around the World. [Online]
Available at: https://www.bankinfosecurity.com/blogs/look-at-breach-notification-laws-around-world-p-2140
[Accessed 14 August 2018].

Spanos, G., 2016. Computers & Security. The impact of information security events to the stock
market: A systematic literature review, Volume 58, pp. 216-229.


Spanos, G., 2016. The impact of information security events to the stock market: A systematic
literature review. Computers & Security, Volume 58, pp. 216-229.

Thales eSecurity, 2018. Data Security and Compliance Solutions for Financial Services and Banking.
[Online]
Available at: https://www.thalesesecurity.com/solutions/industry/financial-services
[Accessed 20 August 2018].

The Business Times, 2017. Ex-Citi CEO Pandit says 30% of bank jobs at risk from technology. [Online]
Available at: https://www.businesstimes.com.sg/banking-finance/ex-citi-ceo-pandit-says-30-of-bank-jobs-at-risk-from-technology
[Accessed 29 July 2018].

The Economic Times, 2018. Definition of 'Modigliani And Modigliani Rap Measures'. [Online]
Available at: https://economictimes.indiatimes.com/definition/modigliani-and-modigliani-rap-measures
[Accessed 2 August 2018].

Thomson, I., 2017. Hackers nick $60m from Taiwanese bank in tailored SWIFT attack. [Online]
Available at: https://www.theregister.co.uk/2017/10/11/hackers_swift_taiwan/
[Accessed 6 August 2018].

United States Securities and Exchange Commission, 2014. Form 8-K, Washington, D.C.: United States
Securities and Exchange Commission.

Wang, Y., 2018. Ant Financial Raises $14B To Fund Global Expansion. [Online]
Available at: https://www.forbes.com/sites/ywang/2018/06/08/ant-financial-raises-14b-to-fund-global-expansion/#217641d2575a
[Accessed 14 August 2018].

Wu, K., 2018. Explainer: Ant Financial's $150 billion valuation, and the big recent bump-up. [Online]
Available at: https://www.reuters.com/article/us-antfinancial-valuation/explainer-ant-financials-150-billion-valuation-and-the-big-recent-bump-up-idUSKBN1HP1AA
[Accessed 17 August 2018].

Yahoo Finance, 2018. Alibaba Group Holding Limited (BABA). [Online]
Available at: https://finance.yahoo.com/quote/BABA/
[Accessed 17 July 2018].

Yahoo Finance, 2018. JPMorgan Chase & Co. (JPM). [Online]
Available at:
https://finance.yahoo.com/quote/JPM/history?period1=1406822400&period2=1417363200&interval=1d&filter=history&frequency=1d
[Accessed 26 July 2018].

Zero Day. 2016. [Film] Directed by Alex Gibney. United States: Magnolia Pictures.

Zurier, S., 2018. 8 Ways Hackers Monetize Stolen Data. [Online]
Available at: https://www.darkreading.com/attacks-breaches/8-ways-hackers-monetize-stolen-data-----------/d/d-id/1331560?image_number=2
[Accessed 2 August 2018]
