Cybersecurity risk is at the top of many firms’ worry lists, and rightly so. Despite substantial investments in information security systems, firms remain highly exposed to cybersecurity risk, with possible losses amounting to $6 trillion annually by 2021. One open question for researchers has been whether a firm’s exposure to cybersecurity risk is priced into financial markets.

To address this question, the authors developed a firm-level measure of cybersecurity risk for all listed firms in the US, which allowed them to examine whether cybersecurity risk is priced in the cross section of stock returns. The authors used firms that were subject to cyberattacks as a training sample, and then compared the wording and language in the relevant risk-disclosure section in annual reports of the attacked firms with that of all other firms. They first extracted the discussion on cybersecurity risk in the firms’ 10-K reports from 2007 to 2018, which contain information about the most significant risk factors for each firm.

Next, they identified a sample of firms that were subject to a major cyberattack (involving lost personal information by hacking or malware-electronic entry by an outside party) in any given year. Arguing that those firms have high cybersecurity risk, the authors used them as their training sample. Finally, they estimated the similarity of each firm’s cybersecurity-risk disclosure with past cybersecurity-risk disclosures of firms in the training sample (i.e., from the one-year period prior to the firm’s filing date). The higher the measured similarity between a firm’s cybersecurity-risk disclosure and those of firms in the training sample, the greater the firm’s exposure to cybersecurity risk.
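The scoring step described above can be sketched as follows. This is an added example, not the authors' code: the brief does not name the similarity measure, so TF-IDF cosine similarity is an assumption, the function names are hypothetical, and the disclosure texts are constructed.

```python
import math
import re
from collections import Counter
from datetime import date, timedelta

def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())

def tfidf(docs):
    """Return one sparse TF-IDF vector (dict) per tokenized document."""
    n = len(docs)
    df = Counter(term for doc in docs for term in set(doc))
    # Smoothed IDF so a term present in every document keeps a small weight.
    idf = {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}
    return [{t: tf * idf[t] for t, tf in Counter(doc).items()} for doc in docs]

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = math.sqrt(sum(w * w for w in a.values())) * math.sqrt(sum(w * w for w in b.values()))
    return dot / norm if norm else 0.0

def exposure(text, filed, training):
    """Mean similarity to attacked firms' disclosures filed in the year before `filed`."""
    # Only disclosures dated before the firm's own filing count (no look-ahead).
    window = [t for d, t in training if filed - timedelta(days=365) <= d < filed]
    if not window:
        return None  # no prior attacked-firm disclosure to compare against
    vecs = tfidf([tokenize(text)] + [tokenize(t) for t in window])
    return sum(cosine(vecs[0], v) for v in vecs[1:]) / len(window)

# Constructed sample text, not taken from any real 10-K.
TRAINING = [
    (date(2015, 3, 1), "A breach of our network by hackers or malware could expose customer personal information."),
    (date(2015, 6, 15), "Unauthorized access to our systems could result in theft of personal information and litigation."),
    (date(2016, 9, 1), "Cyber attacks and malware could compromise cardholder data stored on our systems."),
]
FIRM_A = "Hackers or malware could breach our systems and expose personal information of customers."
FIRM_B = "Our operations depend on commodity prices and weather conditions in agricultural regions."

if __name__ == "__main__":
    for name, text in (("A", FIRM_A), ("B", FIRM_B)):
        print(name, round(exposure(text, date(2016, 2, 1), TRAINING), 3))
```

A firm whose filing date has no attacked-firm disclosure in the preceding year gets no score rather than a zero, which keeps missing training data from being read as low exposure.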

The authors then subjected these measures to a number of validations that, in the end, drive their finding that firms with high exposure to cybersecurity risk outperform other firms by up to 8.3% per year. Among other findings, they offer one important caveat: A cybersecurity-mimicking portfolio performs poorly in times of heightened cybersecurity risk and investors’ concerns about data breaches. These results support the predictions of asset-pricing theory that investors require compensation for bearing cybersecurity risk.
