(Under) Investment in Cyber Skills and Data Protection Enforcement: Evidence from Activity Logs of the UK Information Commissioner's Office
48 Pages Posted: 6 Aug 2022 Last revised: 24 Apr 2023
Date Written: July 23, 2022
Data breaches account for a significant share of cyber attacks. While they severely impact customers who lose valuable personal data, they often have a limited effect on the operations of the data-holding companies. This might lead firms to underinvest in cybersecurity. Do stronger data protection laws alleviate the effects of these misaligned incentives? Using the universe of online job postings from the UK, we answer this question by examining the link between firms’ cybersecurity hirings and stronger data protection laws and enforcement. We study two institutional changes that affect data protection enforcement by the Information Commissioner’s Office (ICO). The first change is the removal of the requirement to prove substantial damage and distress in 2015, which gave greater discretion to the ICO to issue monetary penalties. The second one is the enactment of the Data Protection Act 2018, which significantly raised the ceiling of monetary penalties. To study these changes, we assemble a novel dataset with more than 5,000 supervisory actions from ICO activity logs and measure industry-level exposure to ICO enforcement. Combining sectoral variation with the timing of the legal changes, we show that stronger data protection enforcement significantly increases the demand for cybersecurity skills by up to 52%. The effect is particularly strong among data-intensive firms, firms using cloud technologies, and firms with higher cash holdings. While regulation is effective in boosting investment in cybersecurity skills, we find that it slows down the firm dynamics, reducing the entry rate by up to 12%, and increasing the exit rate by up to 13%.
Keywords: Cybersecurity, Skill Acquisition, Data Protection, GDPR, Law Enforcement, Data Intensity, Cash Holding, Firm Dynamics
JEL Classification: G31, G38, J23, J24, K20, K24
Suggested Citation: Suggested Citation