Ex-Intrusion Corporate Cyber-Risk: Evidence from Internet Protocol Networks
Journal of Operational Risk (2021) Vol. 16, No. 3
37 Pages Posted: 20 Jul 2021 Last revised: 22 Nov 2021
Date Written: March 26, 2021
Previous event studies of corporate cyber-risk have been limited to successful attacks on public firms but are biased samples constructed based on the economic magnitude of equity losses. To address this selection bias, we construct a larger and more representative sample of cyber intrusions only to find diminished negative equity (and insignificant corporate bond) market reactions compared to these prior studies. To identify cyber-risk irrespective of observing successful attacks, we match public firms to Internet protocol (IP) network data from the American Registry for Internet Numbers (ARIN) from 1991 to 2017. We find that both stockholders and creditors incorporate external IP network size into firm value. Further, debt and equity market reactions to cyberattacks are mitigated for firms with registered IP networks and that have larger network deployments. Overall, our study demonstrates an important public data source that can help institutions proxy for and more accurately price firm cybersecurity risk.
Keywords: Bank Loans, Cyber-risk, Cybersecurity, Cyberattack, Event Study, Firm Risk, Hacking, Internet, Tobin’s Q
JEL Classification: D82, G14, G24, G32
Suggested Citation: Suggested Citation