Working Paper: NBER ID: w24409
Authors: Shinichi Kamiya; Junkoo Kang; Jungmin Kim; Andreas Milidonis; Ren M. Stulz
Abstract: We examine which firms are targets of cyberattacks and how they are affected. We find that cyberattacks cause firms to reassess the risks that they are exposed to and their consequences, so that they have real effects on firm policies even when targets are not financially constrained. Cyberattacks are more likely to occur at more visible firms, firms with more intangible assets, and firms with less board attention to risk management. Attacks where personal financial information is appropriated are associated with a negative stock-market reaction, a decrease in sales growth for large firms and retail firms, an increase in leverage, a deterioration in financial health, and a decrease in investment in the short run. Firms further respond to cyberattacks by reducing CEO bonuses and risk-taking incentives and by strengthening their risk management.
Keywords: cyberattacks; firm performance; risk management; shareholder wealth
JEL Codes: G14; G32; G34; G35
Edges that are evidenced by causal inference methods are in orange, and the rest are in light blue.
| Cause | Effect |
|---|---|
| Successful cyberattacks (K24) | Decrease in shareholder wealth (G34) |
| Successful cyberattacks (K24) | Decline in sales growth (F61) |
| Loss of personal financial information (D14) | Decline in sales growth (F61) |
| Cyberattacks (K24) | Deterioration in financial health (G32) |
| Cyberattacks (K24) | Increase in leverage (G32) |
| Cyberattacks (K24) | Decline in shareholder net worth (G32) |
| Perception of risk post-attack (H12) | Changes in corporate governance (G38) |