Not many institutional investors question an issuer’s approach to cybersecurity, but maybe they should.
After a cyber breach, companies are likely to suffer only a short-term hit to their share prices, according to a new study. But in the long run, they typically pay lower dividends and invest less in research and development, amounting to a “loss of their competitive edge.”
The study was conducted by two professors at Warwick Business School.
Companies that have been victims of a cyber attack tend to reduce the resources dedicated to R&D, dividend payments, or “investments generally” in the subsequent five years, the paper found, as they seek to manage the financial risks caused by data breaches. This occurs even though operating performance generally recovers. In addition, the effect on share prices on average lasts only three days.
“In the long run security breaches appear to have a more significant impact on firms’ strategies and policies than their cash flow,” said Daniele Bianchi, assistant professor of finance at Warwick.
The study also found that, somewhat surprisingly, chief executive officers weather the storm of a publicly disclosed cyber attack well: their total compensation is likely to increase in the years after a breach.
“Firms that suffer a data breach do not typically respond by firing the management, but by investing more in the existing CEO,” said Bianchi.
This is consistent with the idea that “the average response is to invest more in the management to address possible structural flaws, as well as [to maintain] the integrity of the firm in response to the reputational damage it has suffered.”
Bianchi and co-author Onur Tosun analyzed data breaches at 41 publicly listed companies in the United States between 2004 and 2016 for their paper, “Cyber Attacks and Stock Market Activity.”
They focused solely on breaches reported by the media, including stolen hardware, insider attacks, poor security, and hacking. The incidents occurred at large companies, with an average size of $35.4 million, consistent with existing evidence that hackers are more likely to choose high-profile targets.