Researchers find that the impacts of successful cyber attacks can last for up to five years
- Published: Wednesday, 24 April 2019 08:00
Researchers at Warwick Business School have found that security breaches have a lasting impact on organizations, with breached companies typically paying lower dividends and invested less in research and development up to five years after the attack.
Despite these impacts chief executives were no more likely to be sacked, on the contrary, they were more likely to receive an increase in total and incentive pay for several years after a security breach.
Daniele Bianchi, assistant professor of finance at Warwick Business School, said: “Firms that suffer a data breach do not typically respond by firing the management, but by investing more in the existing CEO. At first sight, these results may look puzzling. However, they are consistent with the idea that the average response is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered. In the long run security breaches appear to have a more significant impact on firms’ strategies and policies than their cash flow.”
Dr Daniele Bianchi and Dr Onur Tosun, from Warwick Business School, analysed data breaches at 41 publicly listed companies in the US between 2004 and 2016 for their paper, ‘Cyber attacks and stock market activity’. They focussed solely on breaches reported by the media, including stolen hardware, insider attacks, poor security and hacking. These occurred at large companies, with an average size of $35.4 billion in total assets, ‘consistent with existing evidence that hackers are more likely to choose high-profile targets’.
The share value and liquidity of a firm dropped significantly on the day a breach was disclosed and the day after, but this reaction vanished after just two days. While operating performance recovered after a cyber-attack, these companies tended to invest less in research and development and paid lower dividends over the next five years as they sought to manage the financial risks caused by data breaches.