There are only two types of companies: Those that have been hacked and those that don’t know they have been hacked.       

– John T. Chambers (2018), American Businessman

The Privacy Rights Clearinghouse defines a data breach as “a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an unauthorised individual.” There have been over a dozen major data breaches in 2019, exposing over 30 million records with personally identifiable information, such as social security numbers, credit card numbers, health information, and user logon information. In July 2019, Capital One bank announced a breach affecting over 100 million customers, or 30 per cent of the entire population of the U.S., but even that failed to crack the top five largest breaches.

Organisations are rightfully concerned about data breaches. A data breach can result in extraordinary legal costs, class action settlements, state and federal fines, remediation costs, and costly new or upgraded computer systems. More importantly, data breaches can result in loss of productivity, intellectual property, and reputation. For example, according to Fortune Magazine, Equifax Inc. stock dropped 18.4 per cent after they reported their 2017 data breach affecting over 140 million people in the United States. Worldwide, the number and impact of data breaches continues to grow. Yet, companies continue to underinvest in cyber security.  With such (potentially) high cost and level of concern about cyber security, why aren’t companies working harder and investing more in cyber security to reduce the number of data breaches?

To gain insights on this question, we looked at potential economic impacts of data breaches. We grouped the economic impacts of data breaches into four main categories: stock market response, impact on accounting measures of performance, impact on audit and other fees, and impact on U. S. Sarbanes-Oxley Section 404 (SOX 404) internal control material weakness reporting. Although there are many studies that examine these four economic consequences, only a few studies examine multiple categories at the same time and on the full sample of firms. Thus, gaining a full understanding of the economic consequences to breached companies has been elusive. Some researchers argue that the stock market does not react appropriately to data breaches because investors do not have enough information to measure the breach’s impact. Our holistic approach examined how all four categories of economic consequences individually and collectively affects breached companies.

We found, surprisingly, that the consequences of data breaches are on average very small. Breaches result in average returns of -0.03 per cent and cumulative abnormal returns less than -0.274 per cent in the short window around the breach disclosure. Although this loss is significantly different than matched companies’ returns, the nominal difference in returns disappears within days after the breach. We found no difference between breach and matched companies for (1) future performance, (i.e., total revenue, sales growth, return on sales, and return on assets); (2) audit and other fees; and (3) U.S. SOX 404 reports of material internal control weaknesses.  On average, the economic impacts were not material. We only found substantial differences between breached companies and matched companies for rare catastrophic incidents. Given that malicious cyber activity cost the U.S. economy between $57 billion and $106 billion in 2016 (according to the Council of Economic Advisors 2018), our results do not suggest that breaches have no economic impact, but the effect seems to be at economy-wide and private citizen levels rather than the individual company level.

Our study should help regulators, executives, investors, analysts, and auditors understand the economic impact of data breaches. For regulators, our study is timely as the U.S. PCAOB and SEC are prioritising major cyber security initiatives. The results also provide useful information for companies attempting to quantify the cost of cyber risk and auditors seeking to factor the potential impact of cyber security into audit risk. They also should help investors and analysts better understand the long-term financial impact of a data breach to make/guide investment decisions.  Finally, we offer new insight into why executives are reluctant to spend on preventive cyber security measures. This viewpoint was supported by Jason Spaltro, Sony’s executive director of information security, who stated that “‘it’s a valid business decision to accept the risk of a security breach…I will not invest $10 million to avoid a possible $1 million loss.” Some would therefore conclude, there’s simply “much ado about nothing” since the expected loss for average company appears to be less than the cost to eliminate, or lower, potential data breaches.

♣♣♣

Notes:


Vernon J. Richardson is distinguished professor of accounting and the W. Glezen Chair in the Sam M. Walton College of Business at the University of Arkansas. He received his BA, MAcc, and MBA from Brigham Young University and a PhD in accounting from the University of Illinois at Urbana, Champaign. He has served as editor of the Accounting Review and Accounting Horizons, and has published articles in top-tier academic journals.

Rod Smith is a professor of accountancy and director of the Masters of Science in Accountancy program at California State University, Long Beach. He holds a Ph.D. from the University of California, Irvine. He has published research in leading journals and is a coauthor of the textbook: Accounting Information Systems, published by McGraw-Hill.

 

Marcia Weidenmier Watson is professor of accounting at UNC Charlotte. She has an M.B.A. in accounting and information systems as well as a Ph.D. in accounting from the University of Texas at Austin. Her research focuses on how information technology affects internal controls, business processes, and auditing. She has published in a variety of leading journals.