Risk management, firm reputation, and the impact of successful cyberattacks on target firms

Article

Kamiya, Shinichi; Kang, Jun-Koo; Kim, Jungmin; Milidonis, Andreas; Stulz, Rene M.

Nanyang Technological University; Hong Kong Polytechnic University; University of Cyprus; University System of Ohio; Ohio State University

JOURNAL OF FINANCIAL ECONOMICS

0304-405X

10.1016/j.jfineco.2019.05.019

2021

719-749

We develop a model where a firm has an optimal exposure to cyber risk. With rational, fully informed agents and with no hysteresis, a successful cyberattack should have no impact on a financially unconstrained target's reputation and post-attack policies. In contrast, when a successful attack involves the loss of personal financial information, there is a significant shareholder wealth loss, which is much larger than the attack's out-of-pocket costs. This excess loss is higher when the attack decreases sales growth more and lower when the board pays more attention to risk management before the attack. Further, an attack decreases a firm's risk appetite, as it beefs up its risk management and information technology and decreases the risk-taking incentives of management. Finally, successful cyberattacks adversely affect the stock price of firms in the target's industry. These results imply that successful attacks with personal financial information loss provide adverse information about cyber risk to target firms, their stakeholders, and their competitors. (C) 2020 Published by Elsevier B.V.