Risk Management, Firm Reputation, and the Impact of Successful Cyberattacks on Target Firms

78 Pages. Posted: 7 Mar 2018. Last revised: 12 Aug 2019

Shinichi Kamiya

Nanyang Technological University (NTU) - Nanyang Business School

Jun-Koo Kang

Nanyang Technological University (NTU) - Nanyang Business School

Jungmin Kim

School of Accounting and Finance, Hong Kong Polytechnic University

Andreas Milidonis

University of Cyprus - Department of Accounting and Finance

René M. Stulz

Ohio State University (OSU) - Department of Finance; National Bureau of Economic Research (NBER); European Corporate Governance Institute (ECGI)

There are 2 versions of this paper

Date Written: July 25, 2019

Abstract

We develop a model where a firm has an optimal exposure to cyber risk. With rational, fully informed agents and with no hysteresis, a successful cyberattack should have no impact on a financially unconstrained target’s reputation and post-attack policies. In contrast, when a successful attack involves the loss of personal financial information, there is a significant shareholder wealth loss, which is much larger than the attack’s out-of-pocket costs. This excess loss is higher when the attack decreases sales growth more and lower when the board pays more attention to risk management before the attack. Further, an attack decreases a firm’s risk appetite as it beefs up its risk management and information technology and decreases the risk-taking incentives of management. Finally, successful cyberattacks adversely affect the stock price of firms in the target’s industry. These results imply that successful attacks with personal financial information loss provide adverse information about cyber risk to target firms, their stakeholders, and their competitors.

Keywords: Cyber risk, Cyberattack, Hacking, Risk management, Firm value, Leverage, Compensation policy

JEL Classification: G14, G32, G34, G35

Suggested Citation

Kamiya, Shinichi and Kang, Jun-Koo and Kim, Jungmin and Milidonis, Andreas and Stulz, Rene M., Risk Management, Firm Reputation, and the Impact of Successful Cyberattacks on Target Firms (July 25, 2019). Fisher College of Business Working Paper No. 2018-03-004; Journal of Financial Economics (JFE), Forthcoming. Available at SSRN: https://ssrn.com/abstract=3135514 or http://dx.doi.org/10.2139/ssrn.3135514

Shinichi Kamiya

Nanyang Technological University (NTU) - Nanyang Business School

Singapore, 639798
Singapore

Jun-Koo Kang

Nanyang Technological University (NTU) - Nanyang Business School

Nanyang Avenue, Block S3-01b-54
Singapore, 639798
Singapore
(+65) 6790-5662 (Phone)
(+65) 6791-3697 (Fax)

HOME PAGE: http://www.nbs.ntu.edu.sg/nbs_corporate/divisions/bnf/index.asp

Jungmin Kim

School of Accounting and Finance, Hong Kong Polytechnic University

M757 Li Ka Shing Tower
Hung Hom, Kowloon
Hong Kong
852 2766 7061 (Phone)

Andreas Milidonis

University of Cyprus - Department of Accounting and Finance

P.O. Box 20537
Nicosia CY-1678
Cyprus
+357 22 893 626 (Phone)

HOME PAGE: http://www.ucy.ac.cy/~amilidon/

Rene M. Stulz (Contact Author)

Ohio State University (OSU) - Department of Finance

2100 Neil Avenue
Columbus, OH 43210-1144
United States

HOME PAGE: http://www.cob.ohio-state.edu/fin/faculty/stulz

National Bureau of Economic Research (NBER)

1050 Massachusetts Avenue
Cambridge, MA 02138
United States

European Corporate Governance Institute (ECGI)

c/o ECARES ULB CP 114
B-1050 Brussels
Belgium
