Risk management, firm reputation, and the impact of successful cyberattacks on target firms

Shinichi Kamiya, Jun Koo Kang, Jungmin Kim, Andreas Milidonis, René M. Stulz

Research output: Journal article publicationJournal articleAcademic researchpeer-review

13 Citations (Scopus)

Abstract

We develop a model where a firm has an optimal exposure to cyber risk. With rational, fully informed agents and with no hysteresis, a successful cyberattack should have no impact on a financially unconstrained target's reputation and post-attack policies. In contrast, when a successful attack involves the loss of personal financial information, there is a significant shareholder wealth loss, which is much larger than the attack's out-of-pocket costs. This excess loss is higher when the attack decreases sales growth more and lower when the board pays more attention to risk management before the attack. Further, an attack decreases a firm's risk appetite, as it beefs up its risk management and information technology and decreases the risk-taking incentives of management. Finally, successful cyberattacks adversely affect the stock price of firms in the target's industry. These results imply that successful attacks with personal financial information loss provide adverse information about cyber risk to target firms, their stakeholders, and their competitors.

Original languageEnglish
JournalJournal of Financial Economics
DOIs
Publication statusAccepted/In press - 1 Jan 2020

Keywords

  • Cyber risk
  • Cyberattack
  • Firm value
  • Reputation
  • Risk management
  • Stakeholders

ASJC Scopus subject areas

  • Accounting
  • Finance
  • Economics and Econometrics
  • Strategy and Management

Cite this