No protection, nu business : An event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the USA

Abstract: With the surge of Internet-based corporate communication, organization, andinformation management, financial markets have undergone radical transformation. Inthe interconnected economy of today, market participants are forced to acceptcyberattacks, data breaches, system failures, or security flaws as any other (varying)cost of doing business. While cyberspace encompasses practically any firm indeveloped economies and a large portion in developing ones, combatting such risks isdeemed a question of firm-specific responsibility: the situation resembles an ‘every manfor himself’ scenario. Consulting standard financial theory, rational utility-maximizinginvestors assume firm-specific (idiosyncratic) risk under expectations of additionalcompensation for shouldering such risk – they are economically incentivized. The omnipresence of cyberattacks challenges fundamental assumptions of the CapitalAsset Pricing Model, Optimal Portfolio Theory, and the concept of diversifiability. Thethesis problematizes underlying rationality notions by investigating the effect of acyberattack on stock volatility. Explicitly, the use of stock volatility as a proxy for riskallows for linking increased volatility to higher risk premiums and increased cost ofcapital. In essence, we investigate the following research question: What is the effect ofa disclosed cyberattack on stock volatility for firms listed in the USA?. Using event study methodology, we compile a cyberattack database for events between2010 and 2015 involving 115 firms listed on US stock exchanges. The specified timeperiod cover prevailing research gaps; due to literature paucity the focus on volatilityfits well. For a finalized sample of 189 events, stock return data is matched to S&P500index return data within a pre-event estimation window and a post-event window tocalculate abnormal returns using the market model. The outputs are used to estimateabnormal return volatility before and after each event; testing pre and post volatilityagainst each other in significance tests then approximates the event-induced volatility.Identical procedures are performed for all subsamples based on time horizon, industrybelonging, attack type, firm size, and perpetrator motivation. The principal hypothesis, that stock volatility is significantly higher after a cyberattack,is found to hold within both event windows. Evidence on firm-specific characteristics ismore inconclusive. In the long run, inaccessibility and attacks on smaller firms seem torender significantly larger increases in volatility compared to intrusion and attacks onlarger firms; supporting preexisting literature. Contrastingly, perpetrator motive appearsirrelevant. Generally, stocks are more volatile immediately after an attack, attributableto information asymmetry. For most subsamples volatility seem to diminish with time,following the Efficient Market Hypothesis. Summing up, disparate results raisequestions of the relative importance of contingency factors, and also about futuredevelopments within and outside academic research.