Researchers at the Warwick Business School have found that the lasting effects of a security breach include firms paying lower dividends and investing less in research and development for up to five years following the breach.
The immediate “shock” of investors selling their shares after a breach only lasts a few days.
Chief executives are also no more likely to be fired. In fact, they are more likely to receive an increase to their total and incentive pay several years after the attack.
Researchers compared this to the average CEO pay at firms that hadn’t been targeted, which fell by $2m per year over the same period.
Daniele Bianchi, the assistant professor of finance at Warwick Business School, said: “Firms that suffer a data breach do not typically respond by firing the management, but by investing more in the existing CEO.
“At first sight these results may look puzzling.
“However, they are consistent with the idea that the average response is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered.
“In the long run security breaches appear to have a more significant impact on firms’ strategies and policies than their cash flow.”
The latest annual Cost of Data Breach Study for IBM estimated that the average cyber attack can cost firms $7.9m in 2017.
Dr Bianchi and Onur Tosun from the Warwick Business School analysed data breaches at 41 publicly listed companies in the US between 2004 and 2016 for their paper, ‘Cyber attacks and stock market activity’.
The focus was on breaches reported by the media, including stolen hardware, insider attacks, poor security and hacking.
All of those mentioned happened at large companies, with an average size of $35.4m, in keeping with existing evidence that hackers are more likely to choose high-profile targets.
The share value and liquidity of a firm dropped significantly on the day a breach was disclosed and the day after, but this reaction only lasted two days.
The release from Dr Bianchi used the example of Sony Pictures being hacked by the Guardians of Peace in November 2014.
Shares in Sony Pictures dropped by 10% after copies of unreleased films, emails and personal information about employees and their families were stolen.
While operating performance recovered after a cyber attack, measures such as lower investment in research and development and paying lower dividends are used to try to manage the financial risks of data breaches.
Dr Tosun, assistant professor of finance at Warwick Business School, said: “Incidents of security breaches that reveal sensitive and confidential information can lead to litigation and government sanctions, but also to a loss of competitive edge against competitors through a reduction of resources dedicated to R&D, dividend payments, or investments more generally.
“For this reason, companies are often reluctant to reveal information about security breaches due to fear of both short-term and long-term market reactions.
“However, many firms won’t have a choice with tighter regulations demanding that firms report data breaches within 72 hours.
“Cyber security will therefore become an increasingly important consideration for companies to avoid the damaging fallout once a breach is made public.”