Cyber Breaches Lead to Cutbacks in Dividends and R&D Spending

In contrast, the CEO's total pay tends to increase in the years after a publicly disclosed cyber attack, finds a new study.
Vincent RyanMarch 18, 2019
Cyber Breaches Lead to Cutbacks in Dividends and R&D Spending

Not many institutional investors question an issuer’s approach to cybersecurity, but maybe they should.

After a cyber breach, companies are likely to suffer only a short-term hit to their share prices, according to a new study. But in the long run, they typically pay lower dividends and invest less in research and development, amounting to a “loss of their competitive edge.”

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Those findings come from a new study by two professors of Warwick Business School.

Companies that have been victims of a cyber attack tend to reduce the resources dedicated to R&D, dividend payments, or “investments generally” in the subsequent five years, the paper found, as they seek to manage the financial risks caused by data breaches. This occurs even though operating performance generally recovers. In addition, the effect on share prices on average lasts only three days.

“In the long run security breaches appear to have a more significant impact on firms’ strategies and policies than their cash flow,” said Daniele Bianchi, assistant professor of finance at Warwick

The study also found that, somewhat surprisingly, chief executive officers weather the storm of a publicly disclosed cyber attack well: their total compensation is likely to increase in the years after a breach.

“Firms that suffer a data breach do not typically respond by firing the management, but by investing more in the existing CEO,” said Bianchi.

This is consistent with the idea that “the average response is to invest more in the management to address possible structural flaws, as well as [to maintain] the integrity of the firm in response to the reputational damage it has suffered.”

Bianchi and co-author Onur Tosun analyzed data breaches at 41 publicly listed companies in the United States between 2004 and 2016 for their paper, “Cyber Attacks and Stock Market Activity.”

They focused solely on breaches reported by the media, including stolen hardware, insider attacks, poor security, and hacking. The incidents occurred at large companies, with an average size of $35.4 million, consistent with existing evidence that hackers are more likely to choose high-profile targets.