Shinichi Kamiya, Jun-Koo Kang, Jungmin Kim, Andreas Milidonis, René M. Stulz
{"title":"What is the Impact of Successful Cyberattacks on Target Firms","authors":"Shinichi Kamiya, Jun-Koo Kang, Jungmin Kim, Andreas Milidonis, René M. Stulz","doi":"10.3386/W24409","DOIUrl":null,"url":null,"abstract":"We examine which firms are targets of successful cyberattacks and how they are affected. We find that cyberattacks are more likely to occur at larger and more visible firms, more highly valued firms, firms with more intangible assets, and firms with less board attention to risk management. These attacks affect firms adversely when consumer financial information is appropriated, but seem to have little impact otherwise. Attacks where consumer financial information is appropriated are associated with a significant negative stock market reaction, an increase in leverage following greater debt issuance, a deterioration in credit ratings, and an increase in cash flow volatility. These attacks also affect sales growth adversely for large firms and firms in retail industries, and there is evidence that they decrease investment in the short run. Affected firms respond to such attacks by cutting the CEO's bonus as a fraction of total compensation, by reducing the risk-taking incentives of management, and by taking actions to strengthen their risk management. The evidence is consistent with cyberattacks increasing boards' assessment of target firm risk exposures and decreasing their risk appetite.","PeriodicalId":18934,"journal":{"name":"National Bureau of Economic Research","volume":"27 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2018-03-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"11","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"National Bureau of Economic Research","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.3386/W24409","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 11
Abstract
We examine which firms are targets of successful cyberattacks and how they are affected. We find that cyberattacks are more likely to occur at larger and more visible firms, more highly valued firms, firms with more intangible assets, and firms with less board attention to risk management. These attacks affect firms adversely when consumer financial information is appropriated, but seem to have little impact otherwise. Attacks where consumer financial information is appropriated are associated with a significant negative stock market reaction, an increase in leverage following greater debt issuance, a deterioration in credit ratings, and an increase in cash flow volatility. These attacks also affect sales growth adversely for large firms and firms in retail industries, and there is evidence that they decrease investment in the short run. Affected firms respond to such attacks by cutting the CEO's bonus as a fraction of total compensation, by reducing the risk-taking incentives of management, and by taking actions to strengthen their risk management. The evidence is consistent with cyberattacks increasing boards' assessment of target firm risk exposures and decreasing their risk appetite.