A new ISS STOXX study in the Harvard Law School Forum on Corporate Governance tracked 176 reported cyber incidents across Russell 3000 companies from 2022–2024 and found that affected firms underperformed the market by nearly 5% over the following year. I thought it was well done and worth reading. Also worth interrogating.
The study finds that share price damage is sustained — not a quick dip and recovery, but a slow-building gap that peaks around 250 trading days post-disclosure.
The 5% figure sounds alarming until you run it as an expected value problem. A business leader deciding whether to authorize a major security investment is implicitly asking: what's the probability-weighted cost of an incident? A potential 5% comparative share price drag over 12 months — and only if the event is large enough to trigger mandatory state reporting — is not a number that's going to move most capital allocation decisions on its own. The correlation is also just that, a correlation: the study can't tell us whether the incidents caused the underperformance, or whether something about already-struggling firms made them more likely to have one.
The sectoral breakdown is the most interesting finding, and the authors underplay it. Finance and banking show underperformance that keeps compounding through the end of the measurement window — a genuine outlier. Everywhere else, including healthcare despite its sharp initial spike, the effect is largely transient, consistent with prior research. Finance aside, the picture is: bad quarter or two, then recovery.
That matters for how we think about cyber risk framing. The study confirms that incidents have real shareholder consequences. But it doesn't support the common claim that reputational damage is the dominant risk. If reputation were the primary mechanism, you'd expect more persistent, broad-based impairment. What the data actually suggests is that the more durable cost is organizational — the management attention consumed, the strategic options foreclosed, the bandwidth redirected long after the headlines fade. That's harder to put in a board deck, but probably the more honest account.