Do Financial Markets Understand Cybersecurity: Evidence from a Direct Measure of Firm Network Vulnerabilities
72 Pages Posted: 19 Feb 2021 Last revised: 29 May 2026
Date Written: December 20, 2023
Abstract
Despite the growing importance of cybersecurity, measuring cybersecurity exposures has proven challenging. Existing methods rely on textual and statistical analysis of firm disclosures, which require managers to have accurate appraisals of cybersecurity risks and disclose these risks in an unbiased manner. We introduce a novel firm-level measure of cybersecurity exposures that counts the number of network ports accessible from the public internet, sidestepping the need to rely on managerial reporting. Our process replicates “port scans,” a technique hackers implement to identify vulnerable firms. We find that cybersecurity exposures predict future realized breaches. High cybersecurity exposure stocks underperform other stocks by 0.33% per month. Our findings differ from studies relying on disclosure-based measures of cybersecurity exposures, which find cybersecurity risk to be priced (higher exposures predicting higher returns). Our study highlights the cost of cybersecurity exposures and provides guidance to managers and investors in identifying potential exposures.
Keywords: Abnormal Returns, Cybersecurity, Data breaches, Asset pricing, Cyber vulnerabilities, Productivity
JEL Classification: G12, G14, G41, H23, H56
Suggested Citation: Suggested Citation