THE FINANCIAL IMPACT OF DATA BREACHES ON TARGETED COMPANIES AND
CYBER SECURITY COMPANIES
A THESIS
Presented to
The Faculty of the Department of Economics and Business
The Colorado College
In Partial Fulfillment of the Requirements for the Degree
Bachelor of Arts
By
William Brokaw
April 2016
Economics
Abstract
Using event study methodology, this research examines the financial impact of data
breaches on targeted companies and cyber security companies by measuring their stock
price reactions after the public announcement of a cyber attack. Investigating thirteen
corporate breach events since 2006 and eleven cyber security companies, this study
estimates the cumulative abnormal returns (CAR) over a 3-day window starting the day
before the announcement of a breach. I find that targeted companies and cyber security
companies experience statistically insignificant abnormal returns. The results are
consistent with the theory that investors have difficulty quantifying the financial impact
of breaches on targeted companies. Additionally, the results indicate that cyber security
companies experience more substantial stock price reactions than targeted companies.
KEYWORDS: (Event Study, Data Breaches, Cumulative Abnormal Return, Cyber
Security)
JEL CODES: (G10, G14)
ON MY HONOR, I HAVE NEITHER GIVEN NOR RECEIVED
UNAUTHORIZED AID ON THIS THESIS
Signature
William Brokaw
Acknowledgements
I would like to thank my thesis advisor, Professor Neal Rappaport, for patiently helping
me throughout this process. Without your guidance and insight, this thesis would not
have been completed. Your dedication, humor and knowledge made this process
enjoyable. Most importantly, I want to thank you for fostering my love for economics.
You are a true inspiration.
Additionally, I want to thank my parents, Bags and Kerry, and my siblings, Winslow,
Roz, and Shea, for their unconditional love and support. You guys are the best.
TABLE OF CONTENTS
ABSTRACT
ACKNOWLEDGEMENTS
1 INTRODUCTION
2 LITERATURE REVIEW
    Breached Company Event Studies Without Significant Results
    Breached Company Event Studies With Significant Results
    Cyber Security and IT Consulting Firm Studies
    Hypothesis Testing
3 DATA AND RESEARCH METHODOLOGY
4 MODEL
    Breached Company Model
    Cyber Security Company Model
5 RESULTS
    Breached Company Results
    Cyber Security Company Results
6 CONCLUSION
Introduction
Using event study methodology, this research examines the financial impact of
data breaches by measuring the stock market reaction on targeted companies and the
cyber security sector, respectively, after the public announcement of an attack. As the
frequency of attacks has progressively increased in the last decade, information security
incidents have become an expected cost of doing business. According to former FBI
director, Robert Mueller, “there are two types of companies: those that have been hacked,
and those that will be.”
While a targeted company’s public announcement could potentially have a
negative impact on shareholder value, the spillover effect on cyber security companies is
more ambiguous. Generally, data leaks call for an increase in cyber security; however, it
is uncertain if the escalation in demand for security outweighs the negative investor
sentiment on the defending cyber security firms when they fail to do their job: protect
clients’ confidential information. In this study, I will examine this paradox through the
implications of the price reaction on public cyber security companies after the event of a
data breach.
Using standard OLS regression analysis, this research estimates the cumulative
abnormal returns (CAR) that both publicly traded targeted companies and publicly traded
cyber security companies experience from the announcement of a data breach. First,
focusing on thirteen firms, this study finds that on average targeted companies experience
daily mean abnormal returns of .2% during the 3-day window starting the day before the
public announcement of an attack. However, this negative stock market reaction is
statistically insignificant at the .05 level (p value=.94). Further, during the 3-day window
starting the day before a targeted company announces an attack, on average cyber
security companies experience positive daily abnormal returns of 1.38%. Nevertheless,
again these results are statistically insignificant at the .01 level (p-value=.756). Given
these findings, both targeted companies and cyber security companies experience
statistically insignificant abnormal returns; however, the impact on cyber security
companies is greater than the impact on targeted companies.
The remainder of this paper proceeds as follows. In the next section I review the
relevant literature and develop my hypotheses. The third part of this paper explains my
data collection and research methodology. I outline my economic model in the fourth
section. The fifth section reports the results. Finally, I discuss implications of the results
and draw conclusions in the sixth section.
Literature Review
Using event methodology, previous literature evaluates the financial impact on
targeted companies by measuring the cumulative abnormal stock returns after the public
announcement of the incident. Given the extensive amount of research, studies have
found contradictory results when measuring the CAR of victimized firms. In this section,
I first explore the studies that find no significant negative CAR of companies that
experience an attack followed by studies that find a significant negative CAR. Finally, I
examine previous research measuring the CAR of public cyber security companies after
the announcement of a data breach.
Breached Company Event Studies Without Significant Results
Campbell, Lawrence, Gordon, Loeb, and Zhou (2003) find no significant negative
stock market reaction from the exposure of company information. However, the authors
propose that the type of attack impacts the returns. While leaks that did not disclose
confidential information had no significant negative impact, breaches involving
unauthorized access to confidential data resulted in significant negative abnormal returns
for the affected company. This research postulates that investors are sensitive to the
nature of the attack and the underlying assets exposed.
Similarly, Kannan, Rees and Sridhar (2007) perform an event study measuring the
CAR of targeted companies and determine that confounding external events carried a
significant impact on the magnitude of CAR. The authors computed cumulative abnormal
returns of targeted firms in relation to a control group of firms and the S&P 500 over 3-
day, 8-day and 30-day windows. They measured the impact of the window length on
different characteristics, including the type of targeted firm, the time period of the event,
and the type of attack.
While at first the overall negative CAR is found statistically significant, the
authors realize that these results were influenced by various circumstantial characteristics
and external factors. Specifically, the authors find that the September 11, 2001 terrorist
attacks significantly impacted stock market reactions; therefore, they designated the
corresponding data leaks as confounded events. Excluding these confounding events,
circumstantial characteristics, including the type of attack, type of firm and duration of
event window, proved to have insignificant impacts on CAR respectively.
Breached Company Event Studies With Significant Results
Gatzlaff and McCullough (2010) examine the stock market assessment of the cost
of data hacks at publicly traded companies in which personal information such as
customer or employee data are exposed. Studying 77 incidents between 2004 and 2006,
the authors find the overall effect on shareholder wealth to be negative and statistically
significant.
Taking into account factors that could potentially influence stock market returns,
the authors identify both firm and breach characteristics that could impact the magnitude
and direction of the stock market response. The firm characteristics include: the type of
firm, the firm’s response (did the firm announce the incident before the press?), the firm
size, the frequency of attacks on a particular firm, the firm’s subsidiary status, and finally
the firm’s growth opportunities signified by the market-to-book ratio. Second, the authors
identify hack characteristics that could potentially impact CAR. The characteristics
include: size and type of attack, interaction terms (prior expectations of data security),
and the time period (Gatzlaff & McCullough, 2010).
Overall, Gatzlaff and McCullough (2010) find that shareholders of targeted
companies experience significant negative CAR. Examining the significantly influential
firm characteristics, the authors find that firms that conceal breach information, are
smaller in size, do not have subsidiary status, and have higher growth opportunities
(market to book ratio) experience greater negative CAR, respectively. Further, the
authors find that the negative reaction is stronger for hacks of customer and employee
data. They find that the negative cumulative abnormal returns are greater for breaches
occurring in more recent time periods, largely because of increased costs associated with
new legislation. Surprisingly, the other characteristics, including size of breach and
interaction terms are statistically insignificant respectively.
Further, Cardenas, Coronado, Donald, and Parra (2012) examine the CAR, risk
shifts, and volume changes to measure the impact of security infringements on the market
value of a victimized company. Examining the risk shifts, the authors measure the beta
(volatility or risk of a security in relation to the market as a whole) of the companies’
stock after a cyber attack. The authors find that targeted companies experience a negative
CAR that is not statistically significant. However, their analysis shows that a firm’s stock
beta significantly increases, indicating increased risk and stock volatility. Finally, they
observe that the targeted firms experience a significant abnormal trading volume of about
5% during the event window after a breach.
Cyber Security and IT Consulting Firm Studies
While numerous studies examine the abnormal stock returns of targeted
companies, there are few studies exploring the stock price reaction on the defending
cyber security and IT consulting firms. The final segment of this section reviews two
studies investigating the abnormal returns that cyber security providers experience after a
cyber attack.
Chen, Li, Yen and Bata (2011) evaluate the impact of information security
infringements on the stock price of IT consulting firms that “supplied the know-how and
infrastructure to create, implement, and maintain those information systems that were
hacked” (Chen et al., 2011). According to their findings, investors, clients and customers
may look beyond the faults of the victimized firms and put the blame on the IT providers
or cyber security firms. The authors investigate 83 incidents affecting a variety of firms
in the US in 2006 and 2007. They find that the market value of IT consulting firms is
positively associated with the disclosure of IT security breaches. According to their
results, IT firms have an average positive 4.01% abnormal return during the 2-day period
following the announcement. However, after examining the event study methodology and
the OLS regression analysis, they find that IT consulting firms experience less positive
CAR as the number of exposed records increases. Therefore, the larger the data attack,
the greater the adverse impact the IT consulting firm experiences. Finally, their findings
suggest that the impacts on IT consulting firms are stronger when certain market sectors
are targeted, namely technology and retail (Chen et al., 2011).
Similarly, Garg, Curtis and Halper (2003) examine the impact of 49 data breaches
between 1996 and 2002 on internet security stock returns. Using event study
methodology, the authors find that overall cyber security companies experience positive
CAR with increases between .9% and 3.3%. However, in analyzing the results, the
authors determine that the denial of service (internet portal inaccessible to users) attacks
in February 2000 were a turning point for investors. Before February 2000 the positive
market reaction of internet security stocks is amplified with average positive returns of
3.8% on the announcement day, increasing to 10.3% over three days (Garg et al., 2003).
However, following the event, cyber security companies experience insignificant positive
returns or even slightly negative returns. According to their research, after the dramatic
event, investors expected an increase in cyber attacks and demand for internet security,
leading to higher valuations on cyber security, which in turn led to less significant CAR.
Hypothesis Testing
Following standard research methodology, the null and alternative hypotheses
for targeted companies are stated below.
H10: Targeted companies experience no abnormal returns from the public announcement
of a data leak.
H11: Targeted companies experience abnormal returns from the public announcement of
a data leak.
While previous literature finds positive stock price reactions for cyber security or
IT consulting companies after public announcements, it is apparent that these results are
contingent on the underlying relationship that a defending company has with the
victimized firm. More specifically, the impact of an attack on cyber security stocks
depends on the market perception of a targeted company’s level of investment in security
services. If investors believe that a firm invested sufficiently in cyber security before the
incident, one could assume that the cyber security provider would experience a muted or
even negative stock price response. Conversely, if investors believe that a targeted
company invested insufficiently in cyber security, it is possible that a hack could have a
positive impact on cyber security firms as they would experience an increase in business.
This study examines this dichotomy by testing the null and alternative hypotheses below.
H20: Cyber security companies experience no abnormal returns after a targeted company
publicly announces a breach event.
H21: Cyber security companies experience abnormal returns after a targeted company
publicly announces a breach event.
Data and Research Methodology
First, in categorizing data attacks, I used a compilation of definitions used by
Chen et al. (2011). The authors state:
Data breaches involve unauthorized access to information leading to the break-ins into
systems and networks and to accidental or unlawful destruction, loss, and alteration of
personal data. For example, a breach that exposes the social security number, credit
card number or personal information of individuals is considered a data breach (Chen
et al., 2011).
Using this information, I researched all cyber attacks since 2006 from the website
Informationisbeautiful.net. After excluding all breaches of government agencies,
universities, and private companies, I compiled a list of public companies that were
categorized as “hacked” since 2006. Hacks are defined as breaches that involve external
parties breaking into the targeted companies’ system. This excludes all exposures
involving data that was lost, accidentally published or stolen from an internal member of
the breached organization. Narrowing down this sample, my data set is comprised of
companies that experienced a data attack on more than 1,000,000 accounts, and
implemented free credit monitoring services for all compromised individuals involved in
the incident. Finally, for the purpose of simplifying the data collection, I selected
companies that were traded on the New York Stock Exchange and Nasdaq.
Moreover, I reviewed widespread media outlets to find definitive announcement
dates for the thirteen major data attacks on which this study focuses. To control
for extenuating factors on stock returns, I searched for confounding events during the two
week period around the public announcement, such as earnings reports, M&A activity,
stock splits, and new product announcements. This process left thirteen firms covering
various market sectors that would be used to test my hypotheses. Table 1 lists the sample
selection of targeted companies and the corresponding announcement dates.
Table 1
Targeted Company Name Ticker Announcement Date
Target Corp. TGT 12/18/2013
JP Morgan Chase & Co. JPM 8/27/2014
Adobe Systems Inc. ADBE 10/3/2013
Heartland Payment Systems, Inc. HPY 1/20/2009
Global Payments, Inc. GPN 3/30/2012
Sony Corp. SNE 4/26/2011
Home Depot, Inc. HD 9/3/2014
Fiserv, Inc. FISV 12/12/08
Amazon.com, Inc. AMZN 1/17/2012
Anthem, Inc. ANTM 2/4/2015
Staples, Inc. SPLS 12/19/2014
Community Health Systems, Inc. CYH 8/18/2014
The TJX Companies, Inc. TJX 1/17/2007
Furthermore, after selecting thirteen breach events, I compiled a sample selection
of cyber security companies for the purpose of measuring the impact on the cyber
security industry. In gathering cyber security companies, I selected the PureFunds ISE
Cyber Security ETF (HACK), which is an Exchange Traded Fund comprised of 32
companies imitating the ISE Cyber Security Index, which follows the overall cyber
security market sector. According to Yahoo! Finance, “the fund invests 80% of its total
assets in the component securities of the index and in ADRs and GDRs based on the
component securities in the index” (“HACK Profile,” 2016). In selecting a data sample,
eleven of the firms had public stock data since 2006 and were traded on the New York
Stock Exchange or Nasdaq. Following this data collection, the remaining cyber security
companies were selected to measure the abnormal returns cyber security companies
experience after the thirteen breach announcements shown on Table 1. Table 2 lists the
selected cyber security companies.
Table 2
Cyber Security Company Name Ticker
VASCO Data Security International Inc. VDSI
Juniper Networks, Inc. JNPR
Check Point Software Technologies Ltd. CHKP
Cisco Systems, Inc. CSCO
Symantec Corporation SYMC
Radware Ltd. RDWR
VeriSign, Inc. VRSN
ManTech International Corporation MANT
Zix Corporation ZIXI
F5 Networks, Inc. FFIV
Leidos Holdings, Inc. LDOS
Finally, in formulating a regression model for targeted companies and cyber
security companies, a Chow test is used to determine if hacks have different impacts on
targeted and cyber companies respectively. In order to evaluate the structural difference,
I measured the combined regression statistics of the targeted companies’ and cyber
security companies’ abnormal returns. The result for the F statistic was 812.42 compared
to the critical F value of 9.0. Given these results, I reject the Chow test’s null hypothesis
that the F statistic and the critical F value are equal. This indicates that there is a
structural difference between the stock market reactions of targeted companies and cyber
security companies. Consequently, this study uses respective economic models to
evaluate the cumulative abnormal returns of breached and cyber companies.
Model
For the purpose of this study, event study methodology is defined as “the
semistrong version of the efficient markets hypothesis, which maintains that as new
publicly available information is received, it is immediately absorbed by investors and
incorporated into share prices” (Garg et al., 2003). Following this methodology, the
announcement would cause the market to immediately revaluate the affected company
causing a potential fluctuation in share prices.
Breached Company Model
Using event study methodology, the evaluation of CAR is based on the Capital
Asset Pricing Model (CAPM) and the estimation of expected returns is based on the OLS
regression. In this equation, the independent variable is the market index for time (t), and
the dependent variable is the return of firm (i) at time (t) as shown in Equation 1.
Rit =i + i Rmt + it (1)
where,
Ri,t= the daily return for firm i in period t;
Rm,t=the daily return for a value-weighted market portfolio of stocks on day t (S&P 500);
i=market model intercept and slope parameter, respectively, for firm i;
i,t=error or disturbance term.
Following previous event studies, my estimation window consists of 120 trading
days prior to the announcement date (t=0), and 20 trading days after the announcement
(-121, 20). This estimation window provides the expected returns for a particular firm in
relation to the S&P 500. In order to measure the abnormal returns, I use a window of 3
days starting one day before the announcement (t=-1, t=0, t=1).
The abnormal return (AR) is computed measuring the disparity between the
firm’s actual stock returns and overall market returns. For the purpose of this study, I
used the S&P 500 index as my market benchmark. The computation of average daily
abnormal returns (AR) is shown in Equation 2.
ARit=Rit – (̑i + ̂̑1 Rmt) (2)
Oftentimes markets do not fully adjust to new information, or announcements
take a couple of days to reach widespread media. Consequently, it is necessary to
measure the cumulative abnormal returns over the couple of days after the announcement of a
breach. This research measures the cumulative abnormal returns (CAR) during a 3-day
event window (t=-1,t=0,t=1) beginning a day before the announcement. The computation
of CAR is shown in Equation 3.
$CAR_i = \sum_{t=-1}^{+1} AR_{it}$ (3)
Furthermore, using cross-sectional regression analysis, I estimate the regression model in
Equation 4.
ARi = I + 1Rmt + 2Di + it (4)
where,
AR is the mean abnormal return for each day;
Di is an indicator variable for the breach event, where Di =1 during t=-1, t=0, t=1, and
Di=0 otherwise.
Cyber Security Company Model
In determining if cyber security companies experience abnormal returns after the
public announcement of an attack, I use the same economic model as specified above. In
this equation, the independent variable is the market index for time (t), and the dependent
variable is the return of cyber security firm (i) at time (t) as shown in Equation 5.
Rit =i + 1 Rmt + it (5)
where,
Ri,t= the daily return for cyber security firm i in period t;
Rm,t=the daily return for a value-weighted market portfolio of stocks on day t (S&P 500);
i=market model intercept and slope parameter, respectively, for cyber security firm i;
i,t=error or disturbance term.
Furthermore, the abnormal returns (AR) and cumulative abnormal returns (CAR) are
expressed in the following equations.
ARit=Rit – (̑i + ̂̑1 Rmt) (6)
$CAR_i = \sum_{t=-1}^{+1} AR_{it}$ (7)
In order to test the hypotheses, this research uses standard OLS regression analysis to
determine the cross-sectional variance of the samples.
ARi = I + 1Rmt + 2Di + i (8)
where,
AR is the mean daily abnormal return for each day
Di is an indicator variable for the breach event window, where Di =1 during t=-1, t=0,
t=1, and Di =0 otherwise.
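The market-model steps of Equations 1 to 3 (and 5 to 7 for the cyber security sample), worked through as an added example that is not the thesis's own code: fit the market model, subtract the expected return on each event day, and sum to a CAR. Assumptions: the returns are constructed, the fit uses only the 120 pre-announcement days (t=-121..-2), a simplified CAR t-statistic stands in for the thesis's indicator-variable regression with robust standard errors, and all function names are hypothetical.

```python
"""Market-model event study on constructed data (added example, not the thesis's code)."""
from math import sqrt

EVENT_WINDOW = (-1, 0, 1)       # 3-day window around the announcement (t=0)
ESTIMATION = range(-121, -1)    # assumption: the 120 pre-event days t=-121..-2


def ols(x, y):
    """Single-regressor OLS: returns (intercept, slope, residual std dev)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    slope = sxy / sxx
    intercept = my - slope * mx
    sse = sum((b - intercept - slope * a) ** 2 for a, b in zip(x, y))
    return intercept, slope, sqrt(sse / (n - 2))


def event_study(firm, market):
    """firm, market: dicts mapping event-time day t to percent daily return."""
    missing = [t for t in list(ESTIMATION) + list(EVENT_WINDOW)
               if t not in firm or t not in market]
    if missing:
        raise ValueError(f"no return data for days {missing[:5]}")
    intercept, slope, sigma = ols([market[t] for t in ESTIMATION],
                                  [firm[t] for t in ESTIMATION])
    # Abnormal return: actual return minus the market-model expected return.
    ar = {t: firm[t] - (intercept + slope * market[t]) for t in EVENT_WINDOW}
    car = sum(ar.values())
    # Simplified test: treats the daily ARs as independent with std dev sigma
    # and ignores estimation error in the intercept and slope.
    t_stat = car / (sigma * sqrt(len(EVENT_WINDOW)))
    return {"intercept": intercept, "slope": slope, "sigma": sigma,
            "ar": ar, "car": car, "t_stat": t_stat,
            "significant_5pct": abs(t_stat) > 1.96}  # approximate cutoff


def constructed_returns(intercept, slope, shocks, noise):
    """Constructed percent daily returns for t=-121..+20 (not market data).

    The market follows a fixed 4-day cycle and the firm-specific noise a fixed
    8-day +/- cycle, so the pre-event fit recovers intercept and slope exactly
    and every number below can be checked by hand.
    """
    cycle = (0.5, -0.3, 0.2, -0.1)
    market, firm = {}, {}
    for k, t in enumerate(range(-121, 21)):
        market[t] = cycle[k % 4]
        e = noise if (k + 2) % 8 < 4 else -noise
        firm[t] = intercept + slope * market[t] + e + shocks.get(t, 0.0)
    return firm, market


def run_examples():
    """One constructed breached firm and one constructed security vendor."""
    target = event_study(*constructed_returns(
        0.05, 1.2, {-1: -0.5, 0: -2.0, 1: -0.5}, noise=1.5))
    vendor = event_study(*constructed_returns(
        0.02, 0.5, {0: 1.0, 1: 0.8}, noise=1.0))
    return target, vendor


if __name__ == "__main__":
    for name, r in zip(("breached firm", "security vendor"), run_examples()):
        print(f"{name}: CAR={r['car']:+.2f}%  t={r['t_stat']:+.2f}  "
              f"significant at 5%: {r['significant_5pct']}")
```

In both constructed cases the injected announcement effect is several percentage points, yet the CAR stays inside ordinary daily noise and the test does not reject the null of no abnormal returns.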
Results
Breached Company Results
Table 3
Regression of all targeted firms
                               Percent Daily Return
Percent Daily Market Return    1.214*** (.0707)
Breach Event                   .1983 (2.8208)
Constant                       1.030*** (.3478)
Number of Observations         1,833
R Squared                      .441
F Stat (2,1830)                147.4
F Stat P-value                 0.0000
Robust standard errors in parentheses
*** p<0.01, ** p<0.05, * p<0.1
As shown on Table 3, companies experience statistically insignificant abnormal
returns after the announcement of a successful leak. According to the results, the average
daily abnormal return for a targeted firm is roughly .2% during the 3-day window starting
the day before the announcement, and is statistically insignificant at the .05 level (p
value=.94). The coefficient of the indicator variable “Breach Event” specifies the
average daily abnormal return for targeted companies during t=-1, t=0, t=1. In other
words, this value determines the elasticity of the average targeted firm’s returns in
relation to the cyber attack. Given these results, I fail to reject the null hypothesis (H10) that
targeted companies experience no significant abnormal returns after their announcement
of a cyber attack. Moreover, in calculating the CAR for all breached companies, the sum
of the mean daily abnormal returns is taken for the 3-day window producing a cumulative
abnormal return of .6%. These insignificant results suggest that investors have difficulty
evaluating the financial impact of cyber crime on targeted companies. Because this study
focuses on the initial announcements of potential hacks, the stock price reaction could be
muted from lack of information about the attack characteristics and underlying assets
affected by the incident. These results are consistent with the arguments that data attacks
have insignificant impacts on affected companies.
Table 4
Regression of all breached companies using indicator variables for each company
                               Percent Daily Return
Percent Daily Market Return    1.2276*** (.0698)
Breach Event                   .31085 (2.850)
Company Indicator Variables
AMZN                           .1778 (1.8113)
ANTM                           .1952 (1.2099)
CYH                            1.4122 (1.7190)
FISV                           -.5255 (1.3272)
GPN                            -.2674 (1.2092)
HD                             -.0802 (1.1601)
HPY                            7.7411* (3.284)
JPM                            -.3388 (1.1255)
SNE                            .2692 (1.8292)
SPLS                           2.4200 (2.1129)
TGT                            -.3538 (1.4784)
TJX                            -.3713 (1.1342)
Constant                       .3477 (1.0486)
Number of Observations         1,833
R Squared                      .4309
F Stat (14,1830)               29.32
F Stat P-value                 0.0000
Robust standard errors in parentheses
*** p<0.01, ** p<0.05, * p<0.1
Furthermore, the results in Table 4 are computed using indicator variables to
distinguish the impacts of data attacks on the individual companies breached in
comparison to the omitted company: Adobe Systems Incorporated. In relation to Adobe
Systems Incorporated, half of the companies have negative shareholder reactions. These
results indicate that targeted companies experience mixed stock price reactions from
initial announcements. In other words, data breaches generate no definitive stock return
outcome for affected companies.
Cyber Security Company Results
Table 5
Regression of all cyber security companies
                               Percent Daily Return
Percent Daily Market Return    .5045*** (.0339)
Breach Event                   1.3772 (4.439)
Constant                       7.2227*** (1.5806)
Number of Observations         18,626
R Squared                      .0108
F Stat (2,18623)               116.17
F Stat P-value                 .0000
Robust standard errors in parentheses
*** p<0.01, ** p<0.05, * p<0.1
As shown in Table 5, cyber security companies experience positive daily
abnormal returns after a targeted company publicly announces a data breach. During a 3-
day window period specified as “Breach Event,” average daily abnormal returns are
1.38%, but are statistically insignificant at the .05 level (p-value=.756). Consequently,
I fail to reject the null hypothesis (H20) that cyber security companies experience no
abnormal returns after a targeted company announces a successful data attack. Moreover,
in order to measure the cumulative impact over the 3-day breach event window, I
multiply the average daily abnormal return by 3, which produces a cumulative abnormal
return of 4.14%. While these results are consistent with previous studies’ findings that
data breaches positively impact the stock returns of internet security firms, this study
does not find statistical significance.
Additionally, the R squared value determines how well the economic model fits
the actual data. In other words, R squared measures the degree to which the model
explains the observed outcomes. Given the low R squared value (.0108), I determine that
the model explains only a small percentage of the overall daily returns of the cyber
security industry. While R squared does not reflect the extent to which any particular
independent variable explains the variance of the dependent variable (daily returns of the
cyber security industry), it measures the overall association of the model and the
observed outcomes. Due to countless factors and market “noise” affecting daily stock
returns, it is not surprising that this model explains a small percentage of the daily returns
of the cyber security industry.
Table 6
Regression of all cyber security companies using indicator variables for each company
                               Percent Average Daily Return
Percent Daily Market Return    .5051*** (.0335)
Breach Event                   1.6216 (4.3748)
Company Indicator Variables
CSCO                           -20.9421*** (5.6150)
FFIV                           19.5118 (12.2294)
JNPR                           -19.4895*** (5.7355)
LDOS                           -2.1564 (6.0148)
MANT                           -15.9898** (6.5400)
RDWR                           -1.2596 (5.5851)
SYMC                           -21.3389*** (5.4056)
VDSI                           -16.1599*** (5.3971)
VRSN                           -9.9807 (6.2718)
ZIXI                           -6.5673 (5.3864)
Constant                       15.8410 (4.9994)
Number of Observations         18,626
R Squared                      0.0146
F Stat (12,18613)              36.08
F Stat P-value                 0.0000
Robust standard errors in parentheses
*** p<0.01, ** p<0.05, * p<0.1
Using indicator variables, Table 6 identifies the average impact of all thirteen
breaches on each cyber security company in relation to the omitted company: Check
Point Software Technologies Ltd. In comparison to the returns of Check Point Software
Technologies, all of the cyber companies except F5 Networks (FFIV) have negative stock
returns as specified by the indicator variable coefficients. Theorizing F5 Networks’
results, positive stock returns could be a consequence of an increase in demand for its
services. F5 Networks may see an increase in clients as victimized companies and
vulnerable companies with suboptimal security look to increase their security
mechanisms.
Conclusion
By measuring the disparity of stock market returns after the announcement of
cyber attacks, this study enhances the literature examining the financial impact of data
hacks on targeted and cyber security companies. Although previous literature examines
the CAR of companies after a cyber attack, this study contributes to previous findings
because it examines many recent attacks that haven’t been analyzed in this context.
Moreover, while there are various studies investigating the financial impact on targeted
companies and cyber security companies respectively, previous literature does not use
event study methodology to analyze the combined impact of cyber crime events on both
the targeted company and defending cyber security companies.
Similar to Campbell et al. (2003) and Kannan et al. (2007), this study finds that
cyber attacks have insignificant stock price impacts on targeted companies. More
specifically, the study finds that initial breach announcements have no adverse effects on
targeted companies. Speculating on these results, there are many theories that could
explain this lack of investor reaction. First, given the commonality of corporate cyber
crime, breaches could be an expected cost of doing business in today’s digital world. As
the frequency of attacks increases, investors could be numb to announcements declaring
investigations into stolen confidential information.
Additionally, because this study focuses on initial public announcements,
shareholders may not have enough information to accurately evaluate the financial
impact. When companies initially announce potential attacks, the notifications are
generally very ambiguous stating investigations into potential hacks or withholding
information on the underlying assets impacted by the breach. Moreover, even when
companies disclose information about the lost assets and/or amount of records stolen, the
financial impact is still very difficult to quantify. While loss of sensitive data, intellectual
property and customer trust can adversely impact companies in the long-run, investors
cannot determine the full financial implications of information security incidents after the
initial reports. According to a Harvard Business Review, “shareholders still don’t have
good metrics, tools, and approaches to measure the impact of cyber attacks on businesses
and translate that into a dollar value” (Kvochko and Pant, 2015). Given the frequency of
attacks, uncertainty after initial announcements, and lack of ability to quantify the
financial impact, shareholders could be hesitant to immediately sell stock when a
company experiences an information security leak.
While previous studies examine the financial impact of a wide range of cyber
attacks including denial of service, privacy breaches, etc., this study focuses on security
incidents involving third party hackers gaining access to confidential information in
targeted companies’ systems. These breaches are often a result of highly skilled hackers,
faulty existing security, and/or inadequate investments in security, and consequently
require victimized companies to examine their security mechanisms. In other words,
this excludes data leaks involving an internal party, which are nearly impossible to prevent
with an increase in cyber security.
Additionally, although this study finds no statistically significant effects, it is
consistent with previous literature’s conclusions that cyber security and IT consulting
firms are positively impacted when a targeted firm announces that hackers have exposed
confidential information. Sampling companies representative of the overall cyber security
market sector, this study finds that cyber companies experience average cumulative
abnormal returns of 4.14% around breach announcements. Speculatively, this positive
spillover effect on cyber companies could be a consequence of an increase in demand for
cyber security services. If investors attribute the breach to the targeted companies’
suboptimal investments in cyber security, cyber companies would most likely experience
positive stock returns from an increase in expected business. Although cyber firms that
provided security to targeted companies prior to security incidents most likely experience
negative investor reactions, this study indicates that overall the cyber security industry
gains from internet security attacks. The results suggest that investors perceive attacks as
an indication of insufficient investments in security and evidence that cyber security
spending could increase in the future.
Moreover, while it is difficult to accurately quantify the financial impact of cyber
crime, overall attacks cause more prominent price reactions for cyber security stocks than
targeted company stocks. One possible explanation is that internet security
companies experience more substantial abnormal returns because there is a greater
impact on the materiality of their business. More specifically, while the materiality of
retail stores like Target Corp. remains largely unaffected after an attack, cyber security
companies’ services revolve around cyber crime. The profitability of a cyber security
company could significantly increase from an influx of new clients seeking security after
falling victim to an attack. This could have implications for the different shareholder
responses following an information security incident.
While this research reviews an accurate representation of the cyber security
market sector, a more robust analysis of the cyber security sector would evaluate the
financial impact on the entire PureFunds ISE Cyber Security ETF. Because cyber crime
is a recent phenomenon, most of the holdings of the PureFunds ISE Cyber Security ETF
had initial public offerings in the past five years. Consequently, this study could only
examine the eleven holdings that have stock data since 2006. Future studies will be able
to cover a more robust sample of the cyber security industry given wider availability of
stock data.
Finally, due to previous litigation on companies like Target Corp., hacked
companies have begun announcing initial breach investigations before any confirmation.
As in the case of JP Morgan Chase & Co, investigations are announced to the public a
few months before the magnitude of the breach is realized. Consequently, the share price
impact from the first announcement of a potential attack could be diluted for targeted and
cyber security companies. Future studies could examine the stock price reaction after
various announcement stages including the initial investigation, confirmation, and size of
the breach.
References
Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of
publicly announced information security breaches: empirical evidence from the stock
market. Journal of Computer Security, 11(3), 431-448.
Cardenas, J., Coronado, A., Donald, A., Parra, F., & Mahmood, M. A. (2012).
The Economic Impact of Security Breaches on Publicly Traded Corporations:
An Empirical Investigation.
Chen, J. V., Li, H. C., Yen, D. C., & Bata, K. V. (2011). Did IT consulting firms
gain when their clients were breached?. Computers in Human Behavior, 28(2),
456-464.
Cost of Data Breach Grows as does Frequency of Attacks. (2015, May 27).
Retrieved April 11, 2016, from http://www.ponemon.org/blog/cost-of-data-breach-grows-as-does-frequency-of-attacks
Das, S., Mukhopadhyay, A., & Anand, M. (2012). Stock market response to
information security breach: A study using firm and attack
characteristics. Journal of Information Privacy and Security, 8(4), 27-55.
Garg, A., Curtis, J., & Halper, H. (2003). The financial impact of IT security
breaches: what do investors think?. Information Systems Security, 12(1), 22-33.
Gatzlaff, K. M., & McCullough, K. A. (2010). The effect of data breaches on
shareholder wealth. Risk Management and Insurance Review, 13(1), 61-83.
HACK Profile | PureFunds ISE Cyber Security ET Stock - Yahoo! Finance. (n.d.).
Retrieved April 11, 2016, from http://finance.yahoo.com/q/pr?s=HACK%2BProfile
Kannan, K., Rees, J., & Sridhar, S. (2007). Market reactions to information security
breach announcements: An empirical analysis. International Journal of Electronic
Commerce, 12(1), 69-91.
Kvochko, E., & Pant, R. (2015, March 31). Why Data Breaches Don't Hurt Stock Prices.
Retrieved from https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices