Cybersecurity Risk and Bank Loan Contracting
The Accounting Review, forthcoming
56 Pages. Posted: 24 Jun 2019. Last revised: 21 Aug 2025.
Date Written: December 17, 2017
Abstract
Cybersecurity risk is a growing concern for public companies as economic activity increasingly relies on technology. Drawing on finance theory, which posits that lenders possess private information about borrowers, I hypothesize that lenders price cybersecurity risks into loan contracts. A priori, this relation is unclear, given the unpredictable nature of cybersecurity risk and the difficulty lenders face in assessing the likelihood and magnitude of associated losses. Using the private debt market, I find a positive association between cybersecurity risk and the cost of debt. This relation is weaker for borrowers with high-quality information technology (IT) and stronger in less competitive lending markets. I also find that, following successful cyberattacks, secondary market loan prices decline (increase) for borrowers with high (low) ex-ante cybersecurity risk. Overall, these results suggest that, while the SEC’s newly adopted cybersecurity disclosures may provide decision-useful information to retail investors, they may be less relevant for certain stakeholders.
Keywords: cost of debt, cybersecurity, technology, regulation, risk management, cyber risk
JEL Classification: M41, G32, O33
