What is the Impact of Successful Cyberattacks on Target Firms?

René M. Stulz is the Everett D. Reese Chair of Banking and Monetary Economics at Ohio State University and National Bureau of Economic Research. This post is based on a recent paper by Professor Stulz; Shinichi Kamiya, Assistant Professor of Insurance at Nanyang Technological University; Jun-Koo Kang, Canon Professor of Finance at Nanyang Technological University; Jungmin Kim, Assistant Professor of Finance at Hong Kong Polytechnic University; and Andreas Milidonis, Associate Professor of Finance at University of Cyprus.

Despite the widespread recognition of emerging threats posed by cyber risk and its importance as a new type of risk, there is little evidence on how successful cyberattacks affect corporations. In particular, we know little about which types of firms are more likely to experience cyberattacks, and how such attacks affect target firm shareholder wealth, growth, and financial strength. We also know little about how firms change managerial risk-taking incentives and their risk management after attacks. In this study, we investigate these important issues by analyzing a comprehensive sample of data breach events caused by successful cyberattacks reported in the Privacy Rights Clearinghouse (PRC) over the period 2005 to 2014. We include as cyberattack events only malicious external actions, such as hacking and malware.

In our analysis, we distinguish between cyberattacks that change the assessment of the costs and likelihood of cyberattacks (loss distribution of cyberattacks) versus those that have no such impact. With a cyberattack that leaves the loss distribution unchanged, affected firms will experience a reduction in their value that is equivalent to out-of-pocket costs. As long as these costs do not make the firm financially constrained, the cyberattack has no implications beyond the sunk cost resulting from the attack. If the firm had good growth opportunities before the attack, it still has these opportunities and thus should take advantage of them (“no learning” hypothesis). If the attack worsens financial constraints or makes the firm financially constrained, it will not be able to put itself back in the situation it was in before the attack. As a result, it will have to change its policies (e.g., cutting investment) to reflect its financially constrained state.

On the other hand, if the cyberattack changes the loss distribution of cyberattacks, it could be because customers infer from the cyberattack that the probability of an attack is higher than they had previously thought, which reduces their demand for the firm’s products. Firms could also learn that the probability or the cost of an attack is higher than they originally thought. For instance, the attack may reveal defensive weaknesses that the firm was not aware of, or it may show that the firm was too optimistic in assuming that known defensive weaknesses would not be discovered by outsiders. In this case, the attack would lead the firm to make further investments to decrease the risk of an attack, to invest more in risk management, and to become less willing to take risks generally (“learning” hypothesis). Financially constrained firms might not be able to make some of these investments and might have to cut back on capital expenditures, for instance, to release resources to cope with the aftermath of the attack. The change in the assessment of the loss distribution may be rational—the result of the firm having more information—or can be due to behavioral reactions to adverse outcomes believed to have an extremely low probability.

We show that firms are more likely to experience cyberattacks when they are visible (i.e., large firms and firms included in the Fortune 500 list) and when they have lower leverage, higher growth opportunities, and more intangible assets. It is rare for an attacked firm to be financially constrained. We also find that cyberattacks are more likely to occur in firms operating in industries that are less competitive. Firm-level corporate governance characteristics, such as institutional block ownership, CEO-chair duality, the proportion of outside directors on the board, and board size, do not predict the likelihood of cyberattacks. Finally, and importantly, firms that pay more attention to risk management at the top are less likely to be attacked.

We find a significant negative abnormal return for firms that announce a cyberattack. In particular, for firms experiencing cyberattacks that result in the loss of personal financial information such as social security numbers, bank account details, and credit card information, the mean cumulative abnormal return from one day before to one day after the cyberattack announcement date is -1.12%, which implies an average value loss of $607 million. Cyberattacks have a much worse impact when the incident is a recurring event within one year and when affected firms are older. The impact is especially negative when the affected firm shows no evidence of board attention to risk management: the abnormal return is lower by 6 percentage points for such a firm.

Our difference-in-differences analyses of post-attack changes in operating performance, financial health, and corporate policies show results that are largely consistent with the learning hypothesis. First, consistent with the prediction that sales growth falls if customers learn about the risk, we find that sales growth significantly declines after the attack, particularly for large firms and firms operating in the retail industry. Although we do not find an adverse impact of cyberattacks on ROA or on cash flow over total assets in the full sample, cyberattacks do have an adverse impact on these measures for large firms and firms operating in durable goods industries.

Second, we find some evidence that firms reduce capital expenditures and experience a greater financing deficit after the attack. Target firms use debt rather than equity to address their funding requirements, and they use long-term debt rather than short-term debt, so that the maturity of their debt lengthens. By lengthening the maturity of their debt, affected firms reduce their exposure to rollover risk. These results further support the learning hypothesis that a cyberattack changes the perception of the board and management about the likelihood and cost of cyberattacks.

Third, further supporting the view that the board and management reassess the risks the firm is exposed to after an attack, we find that victims of a cyberattack are more likely to increase board oversight of firm risk.

Finally, we find that attacked firms do not change the proportion of equity-based compensation in CEO total pay after a cyberattack. However, attacked firms significantly increase the payment of restricted stock grants (a form of equity-based compensation that does not share the convexity of stock options) and reduce option awards, suggesting that a cyberattack leads a board to reconsider the risk-taking incentives of the CEO and decreases these incentives. Affected firms also respond to cyberattacks by significantly reducing the proportion of CEO bonus to total pay.

Our results provide important insights into the overall effects of cyber risk on firm value and policies, the importance of firms’ attention to risk management in mitigating adverse impacts of cyberattacks, and how boards adjust the mix of the CEO’s equity-based pay in responding to uncertainty-increasing exogenous events.

The complete paper is available here.
