Data breaches have become more than just a tech issue. A single breach can expose thousands or even millions of consumers to the risk of identity theft while resulting in major costs and reputational damage for the company. Two recent securities lawsuits show that the company’s leaders can be held accountable, making data breaches a D&O issue on top of a cyber liability issue.
The F5 and Coupang Lawsuits
According to The D&O Diary, securities class action lawsuits have been filed against two tech companies in separate incidents involving data breaches, highlighting the D&O exposures involved in cyber incidents.
One lawsuit is against Coupang, which experienced a drop in share price after the details of a data breach were disclosed. The lawsuit names certain current and former executives. It also includes allegations that the company failed to disclose that inadequate cybersecurity protocols allowed a former employee to access data, and that the company did not report the data breach after becoming aware of it.
The other lawsuit is against F5, which also experienced a drop in share price after the discovery of a data breach was announced. The lawsuit names F5 and certain executives, alleging that the defendants made materially false and misleading statements or concealed material adverse facts regarding their security capabilities. According to the complaint, information provided to investors “routinely emphasized the importance of effective security measures to its clientele.”
Taking Cybersecurity Seriously
The Identity Theft Resource Center (ITRC) says 1,732 data compromises were reported in the first half of 2025, impacting more than 165 million individuals. This is slightly more than half of the total number of compromises seen in all of 2024, indicating that the risk of data breaches is not lessening.
Each incident is costly. According to the IBM 2025 Cost of a Data Breach Report, the global average cost of a data breach came to $4.4 million in 2025. This is actually a decrease of 9% compared to 2024, and IBM says faster identification and containment are helping to bring down costs. Nevertheless, data breaches are still extremely expensive. The fact that many companies are succeeding in lowering costs also means that people may come to expect better responses to cyber incidents. If your cybersecurity measures aren’t keeping up, you’re falling behind.
How Data Breaches Impact a Company
Data breaches expose sensitive records to cybercriminals and other bad actors, putting individuals at risk for identity theft and fraud. To protect people, the National Conference of State Legislatures says that all 50 states have enacted data breach notification laws, giving people the right to know when their information has been compromised.
After a data breach, companies typically need to organize investigations to determine which records have been compromised, how it happened, and how to stop further intrusions. They are required to send notifications to the people affected, and they may have to pay for credit monitoring. They also face the risk of class-action lawsuits, as well as bad press.
Given all of this, it’s not surprising that news of a data breach can also cause share prices to plummet. However, how much stock prices fall, and how quickly they recover, can vary tremendously.
A Company’s Response Matters
According to Comparitech, which analyzed 118 companies’ data breaches, stock prices fell by an average of 1.4% 41 days after a breach, and prices recovered 53 days after a breach. However, some companies see steeper losses. ISTARI shows that Capital One share prices fell by nearly 14% in the two weeks after a breach, and Equifax saw its share prices fall by 60% following a breach.
This raises an important question: Why do some companies fare worse than others? According to ISTARI, evidence shows that the company’s response to the breach plays an important role in how investors view the incident.
Cybersecurity Is More Than a Buzzword
If your company stores email addresses, credit card information, or other sensitive information, you have a target on your back. Hackers want your data, and if they succeed in getting it, your company could face major financial losses, falling share prices, and securities litigation.
- Are your cybersecurity measures best in class? Cyberattacks and defenses are continually improving in a never-ending arms race. Even if your cybersecurity measures followed best practices in the past, they may no longer be considered excellent.
- Are you accurately disclosing your capabilities and risks? If your company’s leadership overstates its security or downplays the potential impact of a data breach incident, you could be accused of making misleading statements.
- Do you have a robust cyber incident response plan in place? No matter how strong your cybersecurity measures are, there’s a risk that a breach will occur. A fast response is critical for regulatory compliance, loss containment and investor confidence. Having a solid cyber incident response plan in place will facilitate swift action.
One more thing – does your D&O insurance provide sufficient protection? Contact NSI for a complimentary review of your D&O coverage.

