by Dr. Daniele Bianchi and Dr. Onur Tosun

Security breaches and hacking cost publicly traded companies billions of dollars annually in stolen assets, lost business, and damaged reputations. Although detailed data are difficult to collate, the 2017’s annual Cost of Data Breach Study run by the Ponemon Institute for IBM estimated that the average per-capita cost of data breaches reached an all-time high of $225 (a 60% increase over the last decade). This is as much of a concern for businesses as it is for regulators.

As a matter of fact, the knock-on effect of a data breach can substantially affect a company’s reputation, resulting in abnormal customer turnover and loss of goodwill, which in turn affect firms’ policies and ultimately revenues and profits. For this reason, companies are often reluctant to reveal information about security breaches due to fear of both short-term and long-term market reactions.

The amount of cyber-attacks and threats increased significantly over the last few years with several security breaches dominating the media commentaries. For instance, on August 27, 2014, the Federal Bureau of Investigation (FBI) contacted several media channels including Bloomberg, CNBC, the Economist, the Guardian, USA Today, and CNN, about a cyber-attack to JP Morgan Chase. The hackers infiltrated the network of the bank and downloaded data containing checking and savings account information. Similarly, on March 24, 2016, the news release in media including USA Today, CBS News, CNBC, and Fortune, was about the hacking into the customer database of Verizon and the stolen contact information of more than 1.5 million customers. The news also claimed that customers’ contact information appeared in an underground cybercrime forum. All Fortune 500 companies use Verizon for its cybersecurity prowess, and the company also releases annual reports on avoiding cyber threats; however, these could not prevent Verizon to be a victim of a massive cyber-attack.

Although measuring the true cost of security damages to a business is often difficult, examining the changes in market activity and valuations around hacking events provides an efficient way to assess the immediate economic impact of security breaches. Study shows that the effect of security breaches on market activity is highly significant. By using a large sample of first-time, officially disclosed cyber-attacks from 2004 to 2016 on publicly traded U.S. firms, research shows that both stock prices, average traded volume, and liquidity are significantly affected between the event disclosure date and the day after. In particular, the risk adjusted stock performance of those firms affected by a fraudulent and intentional violation or an infraction of a security and/or privacy policy falls significantly compared to comparable firms which are not affected by hacking.

Such market reaction for affected firms is not only limited to stock returns. In fact, both trading activity, proxied by the dollar-valued traded volume, and market liquidity, proxied by a normalized bid-ask spread, suggest that market quality tends to deteriorate and is dominated by a selling pressure. This is consistent with the conventional wisdom that posits that successful cyber-attacks represent unexpected negative shocks to a firm’s reputation and, in turn, on its growth prospects.

Interestingly, studies show that the impact of hacking events is much weaker in the longer-term. In particular, operating performance of target firms seem to be unaffected in the long run. Contrary to that, research implies that security breaches are negatively, yet weakly, associated with dividend payments and R&D investments. Target firms tend to pay no dividends and invest less in research and development within the five years after a cyber-attack. Consistent with the idea that the average firm response to a data breach is to invest more in the management, possibly to address possible structural issues and flaws, the empirical evidence suggests that both CEO total pay and incentive pay tend to increase several years after a security breach compared to other firms, while CEO turnover for those firms subject to security breaches is not significantly different to comparable firms which are not targeted by cyber-attacks.

Dr. Daniele Bianchi and Dr. Onur Tosun are Assistant Professors of Finance at the Warwick Business School, University of Warwick.

The above post is adapted from Dr. Bianchi and Dr. Tosun’s article of the same name.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.