Gilles Hilary is a Professor at Georgetown University McDonough School of Business. This post is based on a recent paper by Professor Hilary; Benjamin Segal, Associate Professor of Accounting and Taxation at Fordham University; and May H. Zhang, Assistant Professor of Accounting and Taxation at Fordham University.
Cyber-risk has become a burning issue for regulators, directors and executives. For example, in December 2015, U.S. Senators Jack Reed and Susan Collins introduced the bipartisan Cybersecurity Disclosure Act. The bill asks each publicly traded company to disclose information to investors on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the registrant.
Cyber-breaches have also made headlines in recent years with increasing regularity. Consistent with this, we find in a recent study that the number of mentions of cyber-breaches in the popular press is high and still growing. Similarly, we find that the number of Google queries regarding cyber-breaches is trending upward and regularly spikes after high-profile cases play out in the media. In contrast, we find that public disclosure made by listed firms is limited and largely boilerplate. These results raise the question of whether this chasm is a market (or regulatory) failure, or whether it is justified by an economic analysis of the phenomenon.
To answer this question, we start our analysis with a qualitative review of stock price behavior around breach announcements in five major cases (Sony, Home Depot, Target, Anthem and, most recently, Yahoo). We do not identify a persistent and economically significant drop in stock price in any of these cases (the situation at Yahoo is less clear given the recency of the event). We then conduct a more systematic and quantitative analysis of all breaches that affected identifiable US listed firms contained in the Chronology of Data Breaches database. [1] We observe that the frequency of these events varies over the years but, overall, reported data breaches remain relatively rare and most relate to the loss of customers’ private information. Firms in the consumer or financial sectors, those with more transient shareholders and those with lower ROA report breaches more frequently. Perhaps more relevant for our purpose, the market reaction to the announcement of data breaches is limited. More specifically, the median (mean) three-day market-adjusted abnormal return is approximately -0.5% (-0.7%), statistically significant but economically limited. In comparison, prior research has shown that the average reaction when a firm announces an asset impairment is approximately -1.3%. We identify only three cases of a 3-day return below -10% in the ten-year period that encompasses our sample (the worst case being a firm that actually provided cyber-security services). We do not find robust evidence of a price drift between the breach and its public announcement, or in the twelve months following the announcement. We also find little effect on executive turnover, operational performance (measured by Return on Assets, ROA) or corporate disclosure about cyber-threats. Finally, estimates of the costs provided by firms tend to be immaterial and significantly lower than some of the estimates that can be found in the press.
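The headline statistic above is a three-day market-adjusted abnormal return around the announcement date. The following Python script is an added illustration of how that figure is computed; it is not code from the original post or from the authors' paper. It assumes the standard market-adjusted model (the firm's daily return minus the market index's daily return, summed over trading days -1 to +1 around the announcement) and uses constructed price series for four hypothetical firms, including one severe case that would fall below the -10% threshold the paragraph mentions.

```python
"""Three-day market-adjusted abnormal returns around breach announcements.

Added example with constructed data; the firm names, prices and the
announcement day are all invented for illustration.
"""
from statistics import mean, median

# Constructed daily closing prices for four hypothetical firms and a market
# index over seven trading days (index 0..6). Day 3 is the announcement day
# (t = 0). FIRM_A shows a mild negative reaction, FIRM_B none, FIRM_C a severe
# drop, and FIRM_D simply tracks the market (so its abnormal return is zero).
EVENTS = {
    "FIRM_A": {"firm": [100, 100, 101, 100, 99, 99, 99],
               "market": [1000, 1000, 1010, 1010, 1000, 1000, 1000]},
    "FIRM_B": {"firm": [50] * 7, "market": [1000] * 7},
    "FIRM_C": {"firm": [40, 40, 40, 34, 32, 32, 32], "market": [1000] * 7},
    "FIRM_D": {"firm": [20, 20, 20.2, 20.4, 20.4, 20.6, 20.6],
               "market": [1000, 1000, 1010, 1020, 1020, 1030, 1030]},
}
ANNOUNCE_DAY = 3
EXTREME_THRESHOLD = -0.10   # the paragraph counts 3-day returns below -10%


def daily_returns(prices):
    """Simple returns; element d-1 is the return earned on trading day d."""
    return [(p1 - p0) / p0 for p0, p1 in zip(prices, prices[1:])]


def market_adjusted_car(firm_prices, market_prices, announce, window=(-1, 1)):
    """Cumulative abnormal return over days announce+window[0]..announce+window[1].

    The daily abnormal return is the firm return minus the market return
    (market-adjusted model). Raises if the window runs off the series.
    """
    fr = daily_returns(firm_prices)
    mr = daily_returns(market_prices)
    first, last = announce + window[0], announce + window[1]
    if first < 1 or last > len(fr):
        raise ValueError("event window falls outside the price series")
    return sum(fr[d - 1] - mr[d - 1] for d in range(first, last + 1))


def event_cars(events, announce=ANNOUNCE_DAY):
    """CAR[-1,+1] for every event in the constructed sample."""
    return {name: market_adjusted_car(e["firm"], e["market"], announce)
            for name, e in events.items()}


def summarize(cars, threshold=EXTREME_THRESHOLD):
    """Median and mean CAR across events, plus the events below the threshold."""
    values = list(cars.values())
    return {
        "median": median(values),
        "mean": mean(values),
        "extreme": [name for name, c in cars.items() if c < threshold],
    }


if __name__ == "__main__":
    cars = event_cars(EVENTS)
    for name, c in cars.items():
        print(f"{name}: CAR[-1,+1] = {c:+.2%}")
    print(summarize(cars))
```

With these constructed inputs FIRM_A comes out at exactly -1.0% (its day-0 drop is only partly offset by the market-adjusted day +1), FIRM_B and FIRM_D at zero, and FIRM_C near -21%, so the summary reports a median of -0.5% and flags FIRM_C as the single extreme case. The point of the adjustment is visible in FIRM_D: the raw price rises about 3%, but because the index rises by the same proportion the abnormal return is nil, which is why a market-adjusted measure rather than a raw return is used to isolate the breach effect.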
Overall, the lack of disclosure about cyber-risk does not seem to stem from a market failure. Although the breach database likely misses some events, the lack of market reaction in even the most prominent cases indicates that we did not miss many economically significant ones. Rather, our results suggest that the costs of mishandling information have been externalized to outside parties. Essentially, the price of privacy has been set to zero. Our findings have implications for regulators and investors. There is growing interest in cyber-issues in regulatory circles. The main justification for this interest appears to be the large economic costs associated with cyber-attacks. Hence, this threat is viewed as a material risk for a large cross-section of firms. Our results suggest that, at least historically, neither senior management nor investors have considered cyber-breaches to be substantial. Although it is probably prudent to monitor this issue for a change in the environment, our results do not support the notion that financial regulators with limited resources should focus on this topic for the time being. In contrast, regulators in charge of privacy issues may consider imposing stiffer penalties on firms that have been breached. In line with standard risk management principles, the responsibility should stay with the firms that collect huge amounts of data and are best equipped to minimize this risk.
Finally, we should caveat our analysis. First, we focus on large (listed) firms. It is possible that smaller organizations may be more severely impacted by cyber-breaches. Ashley Madison is a somewhat extreme example of this possibility. However, private (generally smaller) firms are not subject to SEC regulations. Second, our analysis does not focus on espionage, state-sponsored cases in particular. It is possible that the loss of intellectual property is a significant issue for high technology firms or that cyber-intrusion may materially affect mergers and acquisitions. Although financial transparency may require greater disclosure on this topic, large political and proprietary costs make this unlikely. Empirically, we find little corporate disclosure on this topic. A final concern is that our analysis is based on realizations, not on ex ante risk. It is possible that cyber-risk is a “peso problem” (a real risk that never materializes) or that firms have effectively mitigated the risk through preemptive measures. However, the lack of market reaction in extreme cases such as Sony or Anthem does not support these interpretations.
The full paper is available for download here.