We analyze the short-term impact of cybersecurity incidents on the stock prices of afected companies. The dataset used in our analysis consists of mandatory filings required by the Securities and Exchange Commission. In addition to observing a measurable impact of these filings, we propose and test the relative price movement with respect to a sector benchmark. We also experiment with automatic severity assessment of cybersecurity incidents using a LLM.
CEUR Workshop ISSN1613-0073
The impact of cybersecurity incidents on stock prices was analyzed in various publications. The efect of data breaches on share price is analyzed in [1]. The data includes breaches spanning from 2007 to 2023, and includes 118 companies. Even though the analysis confirmed an expected negative impact, it is unclear how data breaches are selected. Moreover, the stock price is compared to the NASDAQ composite index. We think this is problematic, since in the last 15 years the NASDAQ generally outperformed the market as a whole. Therefore, given a random company and a random date, one can reasonably expect that NASDAQ outperforms, which might slightly distort the results.
A systematic review of 37 papers was published in 2016 [7]. The authors conclude that the majority of studies report statistical significance of the impact of security events on stock prices, but there are no quantitative results in the review. Moreover, the papers are relatively old, with majority being published before 2011. Given the constant changes in the attack landscape, countermeasures, preparedness, and other aspects of cybersecurity, the findings of these studies might not be entirely applicable to the current situation.
A recent study [3] uses data breach notification laws to assess the impact of these events on stock price, analyzing a sample of 3,615 U.S. public firms over the period 1997–2019. The main result is that the adoption of data breach notification laws leads to higher future stock price crash risk, confirming the ifndings of previous works like [ 5]. Extrapolating to the mandatory reporting of material cybersecurity incidents, we might expect similar outcomes in the future.
The more popular presentations, such as [2], focus mostly on well-known cases with large-scale media attention. Consequently, the dataset is biased, and the conclusions and perceived impact can be skewed.
We emphasize the importance of a clearly defined dataset, where inclusion criteria prevent possible biases. In our case, the dataset is implied by a regulatory framework, and it is obtained via the SEC’s online service. It contains all Form 8-K filings with Item 1.05. A detailed description of data acquisition, cleaning, and post-processing is discussed in Section 2.
There are two basic approaches to evaluate stock price movements, and we employ both. The first approach examines the change in price itself. The second approach involves comparing price changes with a benchmark, assessing how the stock underperforms or overperforms relative to the benchmark. Rather than using broad market benchmarks like S&P 500 or more narrowly focused but potentially unrelated indices like NASDAQ, we opt for sector benchmarks. We evaluate the relative performance of the stock in relation to its corresponding sector’s ETF. This evaluation is detailed in Section 3. We caution readers to carefully interpret any results, given the dataset is still relatively small, with only 48 ifllings. This paper is an expanded version of [ 8] where only 37 fillings were available for analysis. 3
An additional variable that contributes to the impact of cybersecurity incidents is their severity. The Item 1.05 in Form 8-K filings includes a brief description of the impact. We performed a simple zero-shot analysis of these texts and employed a large language model to classify the incidents into three categories: High, Medium, and Low. The results of this experiment are detailed in Section 4.
The dataset containing relevant filings was constructed following these steps: 1. Data search and download: The SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system is used for automated search of 8-K form fillings containing the strings “Material Cybersecurity Incident” or “Material Cybersecurity Incidents” or “Item 1.05”. When a company amends 3We also extend analysis window to 20 days after filing and use better LLM for classification.
the original filing, this usually happens when the information in Item 1.05 becomes available or can be determined, we process and analyze this amended 8-K form as a separate record. 2. Data cleaning: We manually inspect all results to remove entries that are not real Item 1.05 filings – mostly entries where this item was only mentioned in other context. We also fix duplicate entries, entries without a ticker, and other errors. 3. Enhancing data: We add additional attributes for each record in the dataset4 – sector, benchmark ticker, performance of the stock itself and its relative performance with respect to the benchmark, as well as the relevant text part of the filing describing the cybersecurity incident.
To compare relative price movements, we use 11 sectors defined by the Global Industry Classification Standard [4]. For benchmark, we opted for ETFs provided by State Street Global Advisors that aim to replicate the performance of individual S&P 500 sectors, see Table 1.
We analyze the stock price 5 days prior and 20 days after the filing day. We base our calculation on Close price only, i.e., intraday fluctuations are not evaluated. All further mentions of price denote the Close price. Similarly, we do not take into account a time when the filing was done, whether it was before, during or after trading hours.
In order to prepare the historical stock price data for further analysis and aggregation, we fill gaps with missing price (which are typically days where markets are closed), with the nearest previously-known price. For example, Sunday and Saturday prices are set to the previous Friday’s price. Performance of the stock. Let be the price of a stock at the filing day plus/minus days, for ∈ {−5, … , 20} . We calculate the relative performance of the stock in our interval as a series −5, … , 20, where = ( − 0)/ 0, for ∈ {−5, … , 20} . The relative performance at the filing day is trivially 0 = 0. Relative performance of the stock with respect to the benchmark. Let be the price of the benchmark for the stock’s sector at the filing day plus/minus days, for ∈ {−5, … , 20} . We calculate the relative performance of the stock with respect to the benchmark as a series Δ−5, … , Δ20, where Δ = ( − 0)/ 0 − , for ∈ {−5, … , 20} . It is easy to see that Δ0 = 0.
The dataset contains = 48 relevant filings from July 2024 to June 2025. Records span across 10 sectors, some with multiple incidents, while one sector (Utilities) is without a single filing. On average, the 4We use Python’s yfinance library to access Yahoo Finance data. -4.40% -6.25% -1.00% 0.62% -1.05% 0.76% -5.02% 1.50% -7.35% -6.10% -2.73% -7.02% 4.40% 1.36% 0.53% 2.88% -4.00% -0.76% 4.46% stock price declined -3.09%, -4.40%, and -2.73% in 5, 10, and 20 days after the filing, respectively. Table shows these statistics for each sector observed in our dataset. Impact of cybersecurity incidents in diferent sectors (5, 10 and 20 days after the filing).
The average movement of a stock starting five days prior to the filing and ending twenty days after the filing is shown in Figure 1.
by a few outliers, such as Meta Materials Inc. and its nearly 62% stock price decline on the eight day after the filling
5, or iLearningEngines Inc. with unrelated business problems and its fluctuating stock price around the filing date. In both cases companies filed for bankruptcy and were delisted by Nasdaq shortly after the cybersecurity incidents. 5Not directly linked to the cybersecurity incident.
1. Days prior the filings show, as expected, a flattish average price. In some cases, the knowledge of a cybersecurity incident can precede the filing (there is a limit of four business days), which can explain slight negative return prior the filing in some cases (did not manifest in average). 2. After the filing day we observe a measurable impact of the news. This impact lasts the entire interval, with slight recovery after 14 days. 3. Some sectors are more sensitive to cybersecurity incidents. If we limit ourselves to the sectors with at least 5 cybersecurity incidents, Technology and Financial services seems more sensitive than the others. We assume that the reasons are a connection of cybersecurity and the core business of a company in the case of technology companies, and the heavily regulated sector with possible immediate financial impact in the case of financial services. On the other hand, Financial services show the fastest recovery of the stock price. All these conclusions are limited and more data points are needed. The impact of outliers is clearly seen in Industrials sector. 4. It seems that comparing with a benchmark shows a steeper efect of a cybersecurity incident than looking at stock price itself. However, this efect shows only after a week, in the first week there is no measurable diference in these metrics. In other words, a short-term strategy (longer than a week) going long on the benchmark while shorting the stock might be more profitable than shorting the stock alone (and less risky, see the next observation). 5. The standard deviation is relatively high, however even this measurement favors the approach of comparing price movements to the benchmark. Table 3 shows these values for the entire dataset.
Benchmark delta 20 -2.73% 18.20%
Cybersecurity incidents can vary in their impact on an organization’s operations and financial stability. Market reactions can be disproportionately more significant in response to severe incidents compared to minor ones. The descriptions provided in Item 1.05 can be analyzed to evaluate the severity of such incidents. This problem is similar to the sentiment analysis problem in natural language processing, which has been extensively studied. In recent years, large language models have been applied to this domain [10]. We conduct a simple zero-shot classification using a small Gemma3 4B model [ 9] using the following prompt:
You are a cybersecurity analyst. Carefully review the following text describing a cybersecurity incident. Assess and rate the severity of the incident’s impact on the organization’s operations and financials. Respond with only one word: ’Low’, ’Moderate’, or ’High’, based on the overall severity. Do not provide explanations or additional text.
Overall, 3 filings were classified as ‘High’, 35 as ‘Moderate’, and 10 as ‘Low’. We split the dataset and evaluate the impact on market prices for each class separately. The results are inconclusive. We do not observe any meaningful price action for ‘High’ filings, although this can be attributed to low count. On the other hand, ‘Moderate’ severity filings shows deeper price decline and slower recovery in comparison to ‘Low’ filings, see Table 4 and Figure 2 for additional details.
To enhance our assessment’s accuracy, we consider using a few-shot learning approach, leveraging manually classified examples to train the model. Additionally, we can adjust our classification scale
to focus on market impact, using high/medium/low price decline indicators as a reference, before asking LLM to classify new Item 1.05 texts. However, we postpone these and other techniques until we accumulate a more substantial dataset of cybersecurity incidents.
We performed a basic analysis on the impact of cybersecurity incidents on stock prices. The dataset covers Form 8-K filings containing Item 1.05 up to the end of June 2025. While overall results confirm a negative performance of the stock after the incident, more records are needed for a more detailed analysis. Since there will definitely be other cybersecurity incidents in the future, we plan to extend our analysis accordingly.
The authors have used Generative AI tools for experiments in Section 4. The model Gemma3 4B was used for incident classification as described in the section. [1] Paul Bischof. How data breaches afect stock market share prices , 2024. [2] Alejandro Hernández. A Walk Through Historical Correlations Between Vulnerabilities & Stock Prices, Black Hat Asia 2021. [3] Hung Cao, Hieu V. Phan, Sabatino Silveri. Data breach disclosures and stock price crash risk: Evidence from data breach notification laws , International Review of Financial Analysis, Volume 93, 103164, ISSN 1057-5219, 2024. https://doi.org/10.1016/j.irfa.2024.103164. [4] MSCI: The Global Industry Classification Standard (GICS ®),
https://www.msci.com/our-solutions/indexes/gics (Accessed 2025-07-11) [5] Ivan Obaydin, Limin Xu, Ralf Zurbruegg. The unintended cost of data breach notification laws: Evidence from managerial bad news hoarding, Journal of Business Finance & Accounting, 1–28, 2024. https://doi.org/10.1111/jbfa.12794 [6] The Securities and Exchange Commission. Form 8-K
https://www.sec.gov/files/form8-k.pdf (Accessed 2025-07-11) [7] Georgios Spanos and Lefteris Angelis. The impact of information security events to the stock market: A systematic literature review, Computers & Security, Volume 58, 2016, pp. 216-229. [9] Gemma Team. Gemma 3 Technical report, Google DeepMind, 2025. [10] Wenxuan Zhang et al. Sentiment Analysis in the Era of Large Language Models: A Reality Check, Findings of the Association for Computational Linguistics: NAACL 2024, Association for Computational Linguistics, pp. 3881-3906.
Company Filing date Document (prefix with https://www.sec.gov/Archives/edgar/data/) AT&T INC. (T, TBB, TBC, T-PA, T-PC) (CIK 0000732717) 0000732717/000073271724000046/t-20240506.htm B. Riley Financial, Inc. (RILY, RILYG, RILYK, …) (CIK 0001464790) 0001464790/000121390024031252/ea0203500-8k_briley.htm BASSETT FURNITURE INDUSTRIES INC (BSET) (CIK 0000010329) 0000010329/000143774924022743/bset20240715_8k.htm 15.07.2024 0000010329/000143774924024679/bset20240805_8ka.htm 06.08.2024 BRANDYWINE REALTY TRUST (BDN) (CIK 0000790816) 0000790816/000119312524133132/d824906d8k.htm 0000790816/000119312524147625/d774339d8ka.htm CONDUENT Inc (CNDT) (CIK 0001677703) 0001677703/000167770325000067/cndt-20250409.htm Cencora, Inc. (COR) (CIK 0001140859) 0001140859/000110465924028288/tm247267d1_8k.htm 0001140859/000110465924084351/tm2420501d1_8ka.htm Coinbase Global, Inc. (COIN) (CIK 0001679788) 0001679788/000167978825000094/coin-20250514.htm Crimson Wine Group, Ltd (CWGL) (CIK 0001562151) 0001562151/000156215124000032/cwgl-20240725.htm DROPBOX, INC. (DBX) (CIK 0001467623) 0001467623/000146762324000024/dbx-20240429.htm ENGLOBAL CORP (ENG) (CIK 0000933738) 0000933738/000165495424015098/eng_8k.htm First American Financial Corp (FAF) (CIK 0001472787) 0001472787/000095017023073848/faf-20231220.htm GLOBE LIFE INC. (GL, GL-PD) (CIK 0000320335) 0000320335/000032033524000029/gl-20240614.htm HALLIBURTON CO (HAL) (CIK 0000045012) 0000045012/000004501224000052/hal-20240830.htm Hewlett Packard Enterprise Co (HPE) (CIK 0001645590) 0001645590/000164559024000009/hpe-20240119.htm KEY TRONIC CORP (KTCC) (CIK 0000719733) 0000719733/000071973324000015/ktcc-20240506.htm 0000719733/000071973324000035/ktcc-20240506.htm 0000719733/000071973324000047/ktcc-20240506.htm LEE ENTERPRISES, Inc (LEE) (CIK 0000058361) 0000058361/000162828025005855/lee-20250212.htm MARINEMAX INC (HZO) (CIK 0001057060) 0001057060/000095017024030041/hzo-20240310.htm 0001057060/000095017024038881/hzo-20240310.htm META MATERIALS INC. (MMATQ) (CIK 0001431959) 0001431959/000095017024089345/mmat-20240725.htm 10.05.2024 14.06.2024 06.08.2024 12.03.2024 01.04.2024 19.01.2024 08.03.2024 06.03.2025 14.05.2025 12.04.2024 20.03.2024 05.07.2024 05.08.2024 09.04.2025 09.02.2024 29.03.2024 26.06.2025 22.02.2024 08.03.2024 24.04.2024 18.12.2023 18.01.2024 13.06.2025 NATIONAL PRESTO INDUSTRIES INC (NPK) (CIK 0000080172) 0000080172/000143774925006475/npk20250306_8k.htm NUCOR CORP (NUE) (CIK 0000073309) 0000073309/000119312525119311/d795264d8k.htm ORASURE TECHNOLOGIES INC (OSUR) (CIK 0001116463) 0001116463/000119312524094797/d825009d8k.htm RADIANT LOGISTICS, INC (RLGT) (CIK 0001171155) 0001171155/000095017024033954/rlgt-20240319.htm SONIC AUTOMOTIVE INC (SAH) (CIK 0001043509) 0001043509/000104350924000060/sah-20240705.htm 0001043509/000104350924000063/sah-20240705.htm Sensata Technologies Holding plc (ST) (CIK 0001477294) 0001477294/000147729425000047/st-20250406.htm UNITED NATURAL FOODS INC (UNFI) (CIK 0001020859) 0001020859/000102085925000036/unfi-20250621.htm