Title: The Impact of Adoption of Identity Theft Countermeasures on Firm Value (fee or subscription required)
Authors: Indranil Bose (Indian Institute of Management Calcutta) and Alvin Chung Man Leung (University of Texas at Austin)
Publisher: Decision Support Systems; vol. 55, no. 3
Date Published: June 2013
For years, hackers have been the bane of the corporate world, stealing customers’ credit and debit card information and causing billions of dollars in losses. Now, a new research paper finds that companies that are most diligent about installing—and announcing—identity theft countermeasures can not only cut their losses but also get a bounce from investors.
Previous research has determined that identity theft and data breaches (whether through hacking, the use of a virus, or phishing scams) have a significant and deleterious impact on the market value of the firms affected, especially for e-commerce businesses. A 2011 Federal Reserve study estimated that credit card fraud costs companies and consumers in the United States more than US$50 billion a year. This paper is the first to look at the flip side of the issue: How does the adoption of identity theft countermeasures affect a firm’s market value? The short answer: It pays off significantly; investors immediately reward firms despite the high costs of installing such safeguards and the risks of inconveniencing customers.
The authors of this paper analyzed the impact on the stock price and market capitalization of firms that announced they were adopting countermeasures. The measures include dynamic password generators, one-time passwords sent via text message, personal digital certification, and electronic signatures. Some companies employ two-factor authentication as an extra layer of security. This measure requires proof of both something the user knows (a personal identification number) and something the user has (an ATM card or token).
Combining several databases, the authors tracked 87 announcements of countermeasures by publicly listed U.S. firms from 1995 to 2012. These announcements were delivered in a period without any other conflicting or offsetting news releases from the company, such as earnings reports or dividend declarations.
The authors then compared the market’s immediate response to these announcements against a regression analysis of a 200-day period leading up to the news release. The analysis showed that adoption of anti-identity-theft tools increased firms’ stock prices by 0.63 percent on average over the two days following the announcement. And that’s a significant boost: Considering the average stock price and number of outstanding shares for the firms in the study, the stock boost is equivalent to a $515 million gain in market capitalization per company.
The spike was even higher for very large firms—those with assets greater than $142.9 billion, the average for all companies in the sample. A subset of 15 big firms gained an average of $1.13 billion within the two-day period following the announcement, about 4.4 times the average gain of the smaller firms in the survey. In further analyses, the authors found that firms with high growth potential and credit ratings also had better market returns after announcing an anti-identity-theft program.
Additionally, timing counts. Firms that adopted countermeasures in or before 2005 were defined as early adopters because that’s when many identity theft laws took effect. These first movers had significantly higher returns and market capitalization after making their announcements, the authors found, suggesting that investors rewarded companies that took early and decisive action against identity thieves.
The analysis also showed that the market reward was tied to the type of the response. Adopters of more complex measures, such as two-factor authentication tools, received a 0.69 percent rise in their stock price, on average, whereas companies that announced less complex measures, such as user monitoring systems or text alerts of identity thefts, received little or no boost.
“Indeed, strong and sophisticated ITC [identity theft countermeasures] that needed more investments and more effort on the part of the adopting firm [were] heralded positively by the market because they provided additional layers of protection for the firm, and reflected that firms took security matters seriously,” the authors write.
Given the average costs of devices such as dynamic password generators ($35 to $40 per consumer) or brand monitoring and anti-phishing packages (about $70,000 per month, per package), there’s no question that the costs of protecting customers’ personal information add up for firms. But this analysis suggests that firms can quickly recoup their implementation expenses by announcing the installation of countermeasures, especially sophisticated ones.
Companies that announce they are installing countermeasures against identity theft get an immediate and significant boost to their stock price. Early adopters, firms that are very large or have high growth potential, and those that install more sophisticated safeguards get an even bigger bounce.
- Matt Palmquist is a freelance journalist based in Oakland, Calif.