Companies gave CEOs a pay rise while cutting dividend payments and research and development investment in the wake of a data breach, analysis by researchers at Warwick Business School has revealed.
Scrutinising 41 publicly listed US companies that had suffered from data breaches (reported in the media), the researchers discovered affected business tended to increase pay to top brass in the five years that followed. Affected companies were also no more likely to fire their chief executive.
By comparison, the average CEO pay at firms that were not targeted by hackers fell by more than $2 million per year over the period studied (2004 to 2016).
“Firms that suffer a data breach do not typically respond by firing the management, but by investing more in the existing CEO. At first sight, these results may look puzzling,” said Dr Daniele Bianchi, assistant professor of finance at Warwick.
“However they are consistent with the idea that the average response is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered,” she added.
The research, detailed in yet-to-be-published paper Cyber Attacks and Stock Market Activity, also found that “affected firms tend to pay less dividends and invest less in R&D” after suffering a breach.
“Incidents of security breaches that reveal sensitive and confidential information can lead to litigation and government sanctions, but also to a loss of competitive edge against competitors through a reduction of resources dedicated to R&D, dividend payments, or investments more generally,” said co-author Dr Onur Tosun.
The researchers’ analysis found reports of breaches – be they the result of stolen hardware, insider attacks, poor security or hacking – did lead to a stock market “shock” as investors rushed to sell their shares.
“The main results show that daily excess returns drop, trading volume increases, and liquidity deteriorate upon the public disclosure of first-time corporate hacking events. The evidence suggests that trading volume increases due to selling pressure,” the researchers write.
The shock selling, however, “fails to incorporate the actual effect of security breaches on firms’ profitability and cash-flows” the researchers added.
Typically the shock “vanished after just two days”.
The paper points to the example of Sony Pictures, and the 2014 hack on the company which resulted in a massive amount of the company’s internal documents and data being dumped on the Internet and a large number of its computers having their files wiped.
Shares plunged more than 10 per cent immediately after the attack, but a year later were up nearly 25 per cent.
“Interestingly, the empirical results show that the impact of security breaches is much weaker in the longer-term, which somewhat contradicts the conventional wisdom that hacking events have some sticky influence on companies’ reputation and growth prospects,” the researchers write.
Cyber incidents are not without cost to affected companies, of course. The potential direct economic loss of cybersecurity incidents – defined as tangible losses in revenue, decreased profitability and fines, lawsuits and remediation – on Australian businesses is AU$29 billion per year, according to a Microsoft commissioned report by Frost & Sullivan.
IBM’s Cost of a Data Breach study for 2018 reports the global average cost of a data breach is up 6.4 per cent over the previous year to US$3.86 million. The average cost for each lost or stolen record containing sensitive information also increased by 4.8 per cent year over year to $148, according to the study.