by Pat Akey, Stefan Lewellen, and Inessa Liskovich
Corporations have reputations, just like individuals. However, the costs of protecting a corporate reputation, or the costs of losing one, are not well understood. Negative reputation shocks can be costly, and recent scandals at well-known firms such as News Corp. and Volkswagen have reaffirmed the fragility of corporate reputations. However, corporations can also invest in technologies such as corporate social responsibility (CSR) to build their reputations or to provide insurance against a future reputation shock. In a recent paper, we find that negative reputation shocks are at least partially insurable through CSR and that firms actively invest in CSR as the result of a negative reputation shock.
We focus specifically on data breaches because evidence suggests that they can negatively affect corporate reputation. For example, according to a 2016 survey by the Economist Intelligence Unit, C-level executives listed corporate reputation as the single most important company asset requiring protection from cyberattacks. In addition, data breaches are largely idiosyncratic, the timing of such breaches is plausibly random, and except in rare cases, the breaches themselves do not specifically affect the quality of the products or services offered by the affected company.
Firms affected by a material data breach experience significant cumulative abnormal returns in the 30 days following the disclosure of the breach, though this effect is smaller at firms with a greater pre-event stock of CSR. Hence, high levels of prior investment in costly reputation-enhancing technologies such as CSR can be helpful to firms when they experience an unexpected negative reputation shock.
However, corporate data breaches also have long-lasting effects on a firm’s value, profitability and reputation. Indeed, reputation shocks still have a negative impact on equity returns and price/earnings ratios at least four years after the disclosure of a data breach. Therefore, while a high pre-existing stock of CSR seems to mitigate the market’s initial reaction to data breaches, the long-lasting negative effects of data breaches on firm value suggest that firms might respond to such breaches by making additional investments in reputation-enhancing activities such as CSR. In line with this hypothesis, our findings confirm that affected companies significantly increase their CSR investments in the years following the data breach.
We examine different types of data breaches to determine whether certain types of reputation shocks are more costly to firms than others. In particular, most data breaches affect either customer records or employee records. While value declines are more pronounced for data breaches involving customer records, firms subsequently increase CSR investment in cases involving both types of breaches. Moreover, affected firms predominantly increase their investment in the “environment” and “diversity” categories (relative to unaffected firms). Under the assumption that firms are optimizing their CSR investments, this result suggests that firms believe that better environmental and diversity policies represent the CSR investments that provide the largest potential reputation gains conditional on their costs and implementation time.
In sum, our paper makes three primary contributions to the existing literature. First, we contribute to the literature on corporate social responsibility by empirically investigating a widely held theoretical motivation for investing in CSR – namely, maintaining and rebuilding corporate reputation. Second, we contribute to the literature on corporate reputations by identifying a setting in which firms experience a negative reputation shock that is arguably unrelated to the products or services offered by the firm. We also contribute to this literature by showing that a plausibly exogenous negative reputation shock can cause large, long-term reductions in firm value that make it difficult for firms to recover. Third, we add to the literature on firms’ reactions to corporate data breaches by showing that data breaches have long-term negative value effects and by examining how firms attempt to rebuild their reputations following a data breach through investing in reputation-building activities such as CSR.
Pat Akey is an assistant professor of finance at the University of Toronto. Stefan Lewellen is an assistant professor of finance at London Business School and a visiting assistant professor at the Tepper School of Business, Carnegie Mellon University. Inessa Liskovich is an assistant professor of finance at the McCombs School of Business, University of Texas at Austin. The authors would like to thank Avi Schiff for excellent research assistance.
This post is adapted from a Rotman School of Management Working Paper.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.