The Impact of Cybersecurity Breaches on Firm’s Market Value: the Case of the USA

In the context of global digitalization trends, the problem of the impact of cyberattacks on the company is significantly relevant. This article is devoted to the impact of cyberattacks on the firms’ market value since it is an indicator of firm performance. The authors used the event study methodology to study the impact of cyberattacks on the firm’s market value. In addition, linear regression analysis (OLS) was applied to study the factors influencing cumulative abnormal returns (CAR). The paper’s central hypothesis is the assumption that a cyberattack announcement is supposed to change market reaction, which is predicted to be harmful since cybercrime incidents can lead to high implicit and explicit costs. Therefore, an adverse market reaction reflects negative CAR during the event. The paper explores the effect of firm-specific and attack-specific characteristics of cyberattacks on the CAR with the data of cyberattacks for US firms from 2011 to 2020. Thus, the impact of cyberattacks on CAR by industry type and firm size was examined. Also, the type of cybercrime that is more harmful to the company was identified. The study results confirm the central hypothesis and show that cyberattacks negatively affect the firms’ market value. In addition, it was found that the market reaction to the breach is more harmful to small firms. Thus, large firms have advantages over medium and small ones in sustaining financially during cyberattacks. Additionally, the paper defines no consistent evidence that market reaction to cyberattacks depends on firm and breach types.

1. Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer security, 11(3), 431-448. https://doi.org/10.3233/JCS-2003-11308

2. Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 70-104. https://doi.org/10.1080/10864415.2004.11044320

3. Chen, X., Bose, I., Leung, A. C. M., & Guo, C. (2011). Assessing the severity of phishing attacks: A hybrid data mining approach. Decision Support Systems, 50(4), 662-672. https://doi.org/10.1016/j.dss.2010.08.020

4. Das, S., Mukhopadhyay, A., & Anand, M. (2012). Stock market response to information security breach: A study using firm and attack characteristics. Journal of Information Privacy and Security, 8(4), 27-55. https://doi.org/10.1080/15536548.2012.10845665

5. Garg, A., Curtis, J., & Halper, H. (2003). The financial impact of IT security breaches: what do investors think?. Inf. Secur. J. A Glob. Perspect., 12(1), 22-33. https://doi.org/10.1201/1086/43325.12.1.20030301/41478.5

6. Garg, A., Curtis, J., & Halper, H. (2003). Quantifying the financial impact of IT security breaches. Information Management & Computer Security, 11(2), 74-83. https://doi.org/10.1108/09685220310468646

7. Garg, P. (2020). Cybersecurity breaches and cash holdings: Spillover effect. Financial Management, 49(2), 503-519. https://doi.org/10.1111/fima.12274

8. Gatzlaff, K. M., & McCullough, K. A. (2010). The effect of data breaches on shareholder wealth. Risk Management and Insurance Review, 13(1), 61-83. https://doi.org/10.1111/j.1540-6296.2010.01178.x

9. Goel, S., & Shawky, H. A. (2009). Estimating the market impact of security breach announcements on firm values. Information & Management, 46(7), 404-410. https://doi.org/10.1016/j.im.2009.06.005

10. Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003). Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy, 22(6), 461-485. https://doi.org/10.1016/j.jaccpubpol.2003.09.001

11. Gordon, L. A., Loeb, M. P., & Zhou, L. (2011). The impact of information security breaches: Has there been a downward shift in costs?. Journal of Computer Security, 19(1), 33-56. https://doi.org/10.3233/JCS-2009-0398

12. Hiscox. (2020). Hiscox cyber readiness report 2020. [cited 10 August, 2023]. Available at: Hiscox_Cyber_Readiness_Report_2020_UK.PDF

13. Hovav, A., & D’Arcy, J. (2003). The impact of denial‐of‐service attack announcements on the market value of firms. Risk Management and Insurance Review, 6(2), 97-121. https://doi.org/10.1046/J.1098-1616.2003.026.x

14. Hovav, A. & D’Arcy, J. (2004). The Impact of Virus Attack Announcements on the Market Value of Firms. Information Systems Security, 13(3), 32-40. https://doi.org/10.1201/1086/44530.13.3.20040701/83067.5

15. Hovav, A., Han, J., & Kim, J. (2017). Market reaction to security breach announcements: Evidence from South Korea. ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 48(1), 11-52. https://doi.org/10.1145/3051473.3051476

16. Janakiraman, R., Lim, J. H., & Rishika, R. (2018). The effect of a data breach announcement on customer behavior: Evidence from a multichannel retailer. Journal of marketing, 82(2), 85-105. https://doi.org/10.1509/jm.16.0124

17. Jeong, C. Y., Lee, S. Y. T., & Lim, J. H. (2019). Information security breaches and IT security investments: Impacts on competitors. Information & Management, 56(5), 681-695. https://doi.org/10.1016/j.im.2018.11.003

18. Kamiya, S., Kang, J. K., Kim, J., Milidonis, A., & Stulz, R. M. (2018). What is the impact of successful cyberattacks on target firms? (No. w24409). National Bureau of Economic Research.

19. Low, P. (2017). Insuring against cyber-attacks. Computer Fraud & Security, 2017(4), 18-20. https://doi.org/10.1016/S1361-3723(17)30034-9

20. MacKinlay, A. C. (1997). Event studies in economics and finance. Journal of economic literature, 35(1), 13-39.

21. Martin, K. D., Borah, A., & Palmatier, R. W. (2017). Data privacy: Effects on customer and firm performance. Journal of Marketing, 81(1), 36-58. https://doi.org/10.1509/jm.15.0497

22. Martin, K. D., & Murphy, P. E. (2017). The role of data privacy in marketing. Journal of the Academy of Marketing Science, 45, 135-155. https://doi.org/10.1007/s11747-016-0495-4

23. McWilliams, A., & Siegel, D. (1997). Event studies in management research: Theoretical and empirical issues. Academy of management journal, 40(3), 626-657. https://doi.org/10.5465/257056

24. Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., & Sadhukhan, S. K. (2013). Cyber-risk decision models: To insure IT or not?. Decision Support Systems, 56, 11-26. https://doi.org/10.1016/j.dss.2013.04.004

25. Murphy, H. & Bond, S. (2019). Capital One data breach sparks cloud security fears. Financial Times. [cited 14 August, 2023]. Available at: https://www.ft.com/content/5b3046ca-b2d4-11e9-bec9-fdcab53d6959

26. SIC-NAICS. (2021). SIC Code and NAICS Code Business List. [cited 10 July 2023]. Available at: http://siccode.com

27. Warrell, H. (2019). Malicious software attacks ‘spiralling out of control’, report warns. Financial Times. [cited 10 July 2023]. Available at: https://www.ft.com/content/f3cc4243-5942-46d0-8d26-ee757c8f225f