Investors’ Reaction to Cyber-attacks

In our latest blog, Dr. Onur Kemal Tosun, Assistant Professor of Finance, gives insight into effect of data breaches on company reputation.

Security breaches have always been a fundamental issue for particularly large companies. The Covid-19 pandemic has just accelerated that. The 2020 annual Cost of Data Breach Study run by the Ponemon Institute for IBM estimates that the average per-record-compromised cost of data breaches reached the all-time high of $392 million for breaches of more than 50 million records.

The substantial influence that security breaches have on businesses and regulators raises questions regarding the economics of information security and, ultimately, on the actual impact of hacking on targeted firms, which could be detrimental to their financial performance.

Further, the knock-on effect of a data breach can be devastating for a company’s reputation, resulting in abnormal customer turnover and loss of goodwill, which in turn affect cash flows and profits. Moreover, incidents of security breaches that reveal sensitive and confidential information can not only lead to litigation and government sanctions, but also to a loss of competitive edge against same-industry competitors through a reduction of resources dedicated to R&D, dividend payments, or investments more generally.

Considering the gravity of cyber-attacks, I examined both the short-term and the long-term market reaction to security breaches at large publicly traded US firms during the period from March 2004 to December 2019. The main empirical results provide strong evidence of a significant market reaction to cyber-attacks, especially in the short term.

In particular, those firms affected by security breaches lose about 88 basis points compared to their peers the day after a cyber-attack announcement. Further, my report on Google Search Volume Index (SVI) reveals that the vast majority of data breaches influence the firm’s reputation by drawing negative attention from investors, consumers, and, more generally, stakeholders.

My analyses on investor reactions show that both traded volume and liquidity of target companies’ stocks tend to be significantly higher compared to their peers when security breaches are publicly announced. That is, higher trading activity is matched by higher liquidity of shares. Interestingly, further examination unveils the high trading volume is due to a significant sell pressure indicating that the investors try to sell the stocks of target firms.

Who are these firms suffering from such losses by security breaches? My investigation shows that hackers target larger firms with higher leverage, higher growth, and higher operating profits. About 40% of target firms operate in electronics sector while another 20% are wholesale & retail firms, followed by financial companies and restaurants & hotels. Due the security breaches, these firms experience larger return drops and more trading, sell orders in particular, compared to smaller and less risky firms.

Do such vicious attacks have any significant long-term impacts on firms? My analyses reveal that the effect of security breaches is weaker on firms from three to five years after a hacking event. Target firms’ performance actually recover while they cut down dividend payments. They rely on the guidance by existing management in such troubled times, and subsequently, invest more on their CEO particularly through incentive-based remuneration.

These findings have strong implications. They reveal how investors react following security breaches that is key information for other traders in the market. They can rely on these results forming their investment strategies. Moreover, this study provides further guidance for target firms as what to do on the road to recovery in the long term.

The paper, “Cyber-attacks and stock market activity” is published in the International Review of Financial Analysis.

Dr. Onur Kemal Tosun
Assistant Professor of Finance
Cardiff Business School.