What is the Impact of Successful Cyberattacks on Target Firms?
We examine which firms are targets of cyberattacks and how they are affected. We find that cyberattacks cause firms to reassess the risks that they are exposed to and their consequences, so that they have real effects on firm policies even when targets are not financially constrained. Cyberattacks are more likely to occur at more visible firms, firms with more intangible assets, and firms with less board attention to risk management. Attacks where personal financial information is appropriated are associated with a negative stock-market reaction, a decrease in sales growth for large firms and retail firms, an increase in leverage, a deterioration in financial health, and a decrease in investment in the short run. Firms further respond to cyberattacks by reducing CEO bonuses and risk-taking incentives and by strengthening their risk management.
We thank Claudia Biancotti, Andrei Gonçalves, Jan Jindra, Christos Makridis, and seminar participants at Hong Kong Polytechnic University, Kent State University, Korea University, and the SEC for their useful comments. All errors are our own. The views expressed herein are those of the authors and do not necessarily reflect the views of the National Bureau of Economic Research.
René M. Stulz
René Stulz serves on the board of a bank and consults and provides expert testimony for financial institutions. He also belongs to the board of trustees of the Global Association of Risk Professionals.