Bottom Line: High-profile companies that frequently use consumer data are targets, and negative effects linger for years.
In late 2013, retailer Target sustained a massive cyber-attack that led to the loss of almost 70 million customers’ credit card information and other data. The aftermath was costly. On the day it went public with news of the breach, Target lost US$890 million in market value. The firm subsequently spent $100 million on improvements to its IT system and other tech upgrades.
Target, of course, is not alone. Assessments vary because cybercrime is underreported, but it costs companies an estimated $445 billion worldwide annually.
Despite the growing awareness of the threat, and some high-profile cases, we still don’t know much about which companies are most likely to be targeted and how an attack affects growth and shareholder value over time. But a new study explores these issues through a massive sample of data breaches that affected U.S. public corporations from 2005 through 2014 and examines the repercussions three years out.
The authors found that large, highly valued, and visible firms — such as Fortune 500 companies — are attacked most often, despite seemingly having the resources to contend with cybercrime. Companies that use customers’ personal data to conduct daily business, such as those in the financial and retail sectors, are also more frequent targets, regardless of size. But financially constrained firms are rarely targeted; this is an oddity, as one would think these companies would lack resources to protect their data.
The most commonly attacked sectors were service, wholesale, retail, transportation, and communication. Having a large number of customers didn’t make a firm a more likely target, but possessing and using sensitive consumer information did.
In warding off cybercrime, vigilance at the top pays off: Firms that had a risk management committee to oversee security efforts were much less likely to be hacked than those that had no such group.
When hackers did gain access to customers’ personal data, a company lost more than $600 million, on average, in equity value in the days immediately following. The biggest firms, as well as those in retail, also saw a drop in sales growth in the three years after an attack, showing that the effects linger.
Financially, firms typically pull back after a cyber-attack. They try to overcome losses by reducing investments and, in turn, raising long-term debt, the authors found.
CEOs also feel the heat. After a cyber-attack, companies are so wary of risk that they tend to reduce their CEO’s incentives to act boldly, slashing bonuses and swapping stock options for more restrictive compensation.
These changes can indeed be beneficial, the authors write, “if a cyberattack leads to a reassessment of firm risk and of the costs of adverse outcomes.”
Source: “What Is the Impact of Successful Cyberattacks on Target Firms?” by Shinichi Kamiya (Nanyang Technological University), Jun-Koo Kang (Nanyang Technological University), Jungmin Kim (Hong Kong Polytechnic University), Andreas Milidonis (University of Cyprus), and René M. Stulz (the Ohio State University), Fisher College of Business Working Paper No. 2018-03-004, March 2018