Risk Management, Firm Reputation, and the Impact of Successful Cyberattacks on Target Firms
Charles A. Dice Working Paper No. 2018-03-04
78 Pages Posted: 7 Mar 2018 Last revised: 12 Aug 2019
Date Written: July 25, 2019
We develop a model where a firm has an optimal exposure to cyber risk. With rational, fully informed agents and with no hysteresis, a successful cyberattack should have no impact on a financially unconstrained target’s reputation and post-attack policies. In contrast, when a successful attack involves the loss of personal financial information, there is a significant shareholder wealth loss, which is much larger than the attack’s out-of-pocket costs. This excess loss is higher when the attack decreases sales growth more and lower when the board pays more attention to risk management before the attack. Further, an attack decreases a firm’s risk appetite as it beefs up its risk management and information technology and decreases the risk-taking incentives of management. Finally, successful cyberattacks adversely affect the stock price of firms in the target’s industry. These results imply that successful attacks with personal financial information loss provide adverse information about cyber risk to target firms, their stakeholders, and their competitors.
Keywords: Cyber risk, Cyberattack, Hacking, Risk management, Firm value, Leverage, Compensation policy
JEL Classification: G14, G32, G34, G35
Suggested Citation: Suggested Citation