Research Briefs·Dec 14, 2020

Cybersecurity Risk

Stocks with high exposure to cybersecurity risk exhibit high expected returns on average, but they perform poorly in periods of increasing attention to cybersecurity risk.
Chris Florakis, Christodoulos Louca, Roni Michaely, and Michael Weber

Cybersecurity risk is at the top of many firms’ worry lists, and rightly so. Despite substantial investments in information security systems, firms remain highly exposed to cybersecurity risk, with possible losses amounting to $6 trillion annually by 2021. One open question for researchers has been whether a firm’s exposure to cybersecurity risk is priced into financial markets.

To address this question, the authors developed a firm-level measure of cybersecurity risk for all listed firms in the US, which allowed them to examine whether cybersecurity risk is priced in the cross section of stock returns. The authors analyzed firms that were subject to cyberattacks as a training sample, and then they compared the wording and language in the relevant risk-disclosure section in annual reports of the attacked firms with that of all other firms. They first extracted the discussion on cybersecurity risk in the firms’ 10-K reports from 2007-2018, which contain information about the most significant risk factors for each firm.

Next, they identified a sample of firms that were subject to a major cyberattack (involving lost personal information by hacking or malware-electronic entry by an outside party) in any given year, arguing that those firms have high cybersecurity risk, and which then served as the authors’ training sample. Finally, they estimated the similarity of each firm’s cybersecurity-risk disclosure with past cybersecurity-risk disclosures of firms in the training sample (i.e., from the one-year period prior to the firm’s filing date). The higher the measured similarity in cybersecurity risk disclosure for their sample firms and firms in the training sample, the greater the exposure to cybersecurity risk.

The authors then subject these measures to a number of validations that, in the end, drive their finding that firms with high exposure to cybersecurity risk outperform other firms by up to 8.3% per year. Among other findings, they offer one important caveat: A cybersecurity-mimicking portfolio performs poorly in times of heightened cybersecurity risk and investors’ concerns about data breaches. These results support the predictions of asset-pricing theory that investors require compensation for bearing cybersecurity risk.

View PDF View Working Paper
Related People
Related Research

More on this topic

Podcasts episode·Jun 11, 2025

AI, the Economy, and Public Policy

Tess Vigeland, Caroline Grossman, Anders Humlum, Sanjog Misra, Samir Mayekar, and Alex Tamkin
How is AI impacting the economy today? What might this mean for tomorrow? This episode brings you inside a discussion hosted at BFI in April. Moderated by Caroline Grossman, Executive Director of the Rustandy Center for Social Sector Innovation, the...
Topics: Technology & Innovation
Podcasts episode·Apr 1, 2025

Crypto’s Fatal Flaw: Trust, Scale, and the Economics of Blockchain

Tess Vigeland and Eric Budish
Crypto’s most groundbreaking innovation, permissionless consensus, may also be its greatest vulnerability. In this episode, Chicago Booth economist Eric Budish breaks down the core mechanics of blockchain trust, the staggering energy costs behind mining, and why these systems are fundamentally...
Topics: Financial Markets, Technology & Innovation
Research Briefs·Sep 4, 2024

What Middle-Income Countries Can Learn from America’s Innovation System

Somik Lall and Ufuk Akcigit
The American model of innovation has long been the envy of the world. From the garage tinkerers of Silicon Valley to the research labs of prestigious universities, the United States has consistently churned out groundbreaking technologies that have reshaped industries...
Topics: Technology & Innovation