Impact of Cyberattacks on Stock Performance: A Comparative Study


Purpose
The study uses cyberattack announcements on 96 firms that are listed on the S&P 500 over the period from January 03, 2013, to December 29, 2017.


Design/methodology/approach
The empirical analysis was performed in two ways: cross-section and industry level. The authors use statistical tests that account for the effects of cross-section correlation in returns, returns series correlation, volatility changes and skewness in the returns.


Findings
These imply that studying the cumulative effects of cyberattacks on prices of listed firms without grouping them into the various sectors may be non-informative; financial sector firms tend to react cumulatively to cyberattacks over a three-day period more than other sectors; and technology firms tend to be less reactive to the announcement of a data breach. Such firms may possibly have the necessary tools and techniques to address large-scale cyberattacks.


Research limitations/implications
For cross-section analysis, the outcome shows that the market does not significantly react to cyberattacks for all the event windows, except [−30, 30], while for the sector-level analysis, the analysis offers two main results.


Practical implications
First, while there is a firm reaction to cyberattacks for the long event window for the retail sector, there is no evidence of a cumulative firm reaction to cyberattacks for both short and long event windows for the industrial, information technology and health sectors. Second, for firms in the financial sector, there is strong evidence of cumulative reaction to cyberattacks for [−1, 1], and the reactions disappear for relatively longer event windows.


Social implications
These imply that studying the cumulative effects of cyberattacks on prices of listed firms without grouping them into the various sectors may be non-informative; financial sector firms tend to react cumulatively to cyberattacks over a three-day period more than other sectors; and technology firms tend to be less reactive to the announcement of a data breach, possibly because such firms have the necessary tools and techniques to address large-scale cyberattacks.


Originality/value
The work provides new insights into the effect of cyber security on stock prices.



Introduction
Without any doubt, 2017 will go into the record books as a year of newsworthy cyberattacks. The first half of the year (2017) saw high-profile cyberattacks on firms and other corporate institutions across the globe that were unprecedented in the history of universal digital migration. Undoubtedly, cybersecurity remains one of the major concerns of many CEOs and heads of major state-owned institutions in modern times. Cyber threats have become a pervasive concern for all companies which depend on information resources, and for state-owned institutions the challenge could be even greater. According to a report by Price Waterhouse Coopers (PwC) [1], there was a nearly 66% year-on-year compound annual growth rate of detected security incidents since 2009. The report further estimated the global cost of cybercrime in 2014 to be more than USD$23 billion (excluding undetected compromises).
Additionally, it is estimated that the total number of cybersecurity attacks against critical infrastructure systems is ultimately unknown because many attacks are either not truly reported and/or the real (quantifiable) value of information resources is just too difficult to compute. In a related study, Ponemon Institute (involving 257 US multi-national companies) valued the mean annualised cybercrime cost for the year 2014 to be around US$12.7 million [2].
Admittedly, the actual value of the financial impact of a cyberattack on global firms may not be known if such an estimate is to include decreased revenues, disruption of business operations, regulatory penalties and erosion of customers' confidence. Moreover, breached firms suffer other non-financial impacts such as reputational damage, diversion of research and development information, loss of customer business, court settlements and other legal defence costs. To most investors, it is the reaction of the market (stock values) to the announcement of the attack that is most concerning.
The questions this paper seeks to answer are: (1) do stock values react to cyberattacks and, if so, (2) do stocks of different industries react to cyberattacks differently? Appropriate answers to these questions may offer much insight into how an equity investor does industry-level diversification. To answer the questions, an attempt is made to estimate the impact of the announcement of a cyberattack on the firms' stock values, with the emphasis on the firms' abnormal returns (AR) and cumulative abnormal returns (CAR).
The objective of the paper is to examine how the stock market reacts to the announcement of a cyberattack on the breached firms. The study's analysis is based on the stock data of six S&P 500 companies (extracted from Yahoo finance [10]) between January 2013 and December 2017. In each case, the public announcement date of the breach event was used as the event window date [8]. Breach Level Index (BLI) [11] provides the basis for establishing public announcement dates of recorded breach events. The purpose of using BLI is to limit the likelihood of information inconsistencies and asymmetries about cyberattack events.
Extant studies have suggested a positive correlation between stock prices and the public announcement of a cyberattack by the breached firms [3], [4], [5], [6] and [7]. The size of this impact on average abnormal returns (AAR) and cumulative average abnormal returns (CAAR) has not been well explored using statistical tests that adjust for the effects of cross-section correlation, within-firm correlation, volatility changes, and skewness in the returns.
The paper contributes to the literature in two ways. First, cross-section analysis was performed, where all the 96 firms are considered in one sample. To estimate the cumulative firms' reaction to the cyberattacks, the test statistics Patell Z ([36]), Cross-sectional T, Generalized Sign Z ([37]), StdCSect Z ([38]), Generalized Rank Z ([39]), Adjusted Patell Z ([40]), Generalized Rank T ([39]), and Skewness Corrected T ([41]) were computed. These tests produce estimates that are robust to the above estimation problems. Second, sector-level analysis for the industrial, information technology, financial and health sectors using the above test statistics was also performed. From these analyses, the authors are able to explore how firms in various sectors react to cyberattack announcements in a varied manner, as opposed to the cross-section analysis that assumes a homogeneous firm reaction.
The empirical analysis delivers the following main results. For the cross-section analysis, the outcome shows that the market does not significantly react to cyberattacks for all the event windows except [-30, 30], while for the sector-level analysis, the analysis offers two main results. First, while there is a reaction to cyberattacks for the long event window for the retail sector, there is insignificant evidence of a cumulative firms' reaction to cyberattacks for both short and long event windows for the industrial, information technology and health sectors. Second, for the firms in the financial sector, there is strong evidence of cumulative reaction to cyberattacks over a three-day period ([-1, 1] event window), and the reactions disappear for relatively longer event windows.
The rest of the paper is structured as follows. Section 2 looks at the state of the art of the subject matter from extant studies. Section 3 discusses the study methodology as the basis of the research approach. Section 4 examines the source data and analyses the expected results. Section 5 concludes the paper.

State of the Art
Between January 2013 and June 2017, the BLI [11] database records over 5791 cases of cybersecurity breaches against both private and public institutions, firms and other agencies globally. The year 2014 was historic for a high-profile cyberattack that resulted in the theft of over one billion records worldwide [11]. This is not to imply that the years 2015 and 2016 were relatively easy for information security. In 2015, there were special cases of damaging and highly publicised attacks. Most of these events consistently kept cyber security in the headlines. According to the BLI database, there were about 1,673 reported data breaches in 2015. Identity theft or stealing of Personally Identifiable Information (PII) outweighs all the other types of data theft, accounting for about 53% of all data breaches [11].
Furthermore, malicious outsiders accounted for nearly 58% of the data breach incidents [11]. In the same year, it was estimated that over one million nine hundred thousand (1,938,383) data records were either lost or stolen per day. This amounts to over eighty thousand (80,766) stolen records per hour, and more than one thousand three hundred (1346) records per minute. Thus, in the time it takes to read the previous sentence, about 400 data records would have been stolen or lost without notice. The statistics corroborate the argument that the actual number of compromised data records is mostly understated. Could the high rate of cyberattacks globally over the period be attributed to the high level of insecure computing practices? How do cyberattack events impact a firm's performance? In the USA, several States have enacted laws on data breach disclosure. The aim is to encourage safe reporting practices. As Romanosky et al. suggest, the implementation of the disclosure laws and similar regulations does not necessarily reduce the impact of cyberattacks [12]. Rather, the affected firms suffer a negative impact on market values. Unfortunately, this negative market reaction is not the only consequence of a data breach event.
As identified by the PwC report, the estimated financial cost of cyberattacks over the period runs to billions of dollars. Admittedly, it is impossible to truly quantify the actual cost of a cybersecurity breach, and a method of doing so is worth exploring. The impacts of a cyberattack on firms' values differ from firm to firm (depending on the industry and nature of the attack). In the financial markets, investors are more concerned about the reaction of the market to the announcement of cyberattacks, that is, the impact an attack has on stock values. Tsiakis and Stephanides argue that "the concept of investment has one purpose: to generate a return" (either in capital, time or benefits) [13]. Similarly, Goel and Shawky posit that public announcements of security breaches can have a significant economic impact on firm stock values [5]. In that study, it is argued, "with public disclosure laws passed, security breaches involving disclosure of clients' information can both damage firms' reputation and lead to Federal fines by government agencies" [5].
The relationship between cyberattacks and stock values has been well explored by existing studies. For instance, Ko and Dorantes applied a matched-sample comparison analysis to investigate the impact of security breaches on firm performance [6]. Their study concludes that while breached firms' sales and operating income did not decrease in the subsequent quarters following the breach, return on assets decreased in the third quarter. There are other related studies which appear to corroborate the positive correlation between the announcement of a cyber breach and a firm's performance (see [14], [15], [16], [17] and [18]).
The focus of this study is to determine the impact of a data breach on the affected firms' abnormal profit and cumulative average abnormal profit. This approach provides the opportunity to assess the behaviour of multiple firms, providing a better result than the single-firm window.

Event Study Methodology
Event-study methodology (ESM) has widely been used in the accounting and finance strands of literature [20], [21], [22], [23] and [24]. Notwithstanding, the model's application in cybersecurity research is at an elementary stage. Very few studies have applied the methodology in cybersecurity studies [25], [14], [26] and [6]. Following the IT strand of literature, the study investigates the effects of public announcements of cyberattacks on stock markets. Specifically, it examines how stock prices of firms (in the S&P 500) which have experienced cyberattacks (during the study period) react after the events have been made public. According to Boehmer [27] and Fama et al. [28], ESM is premised on the semi-strong form efficient market hypothesis: new publicly available information is instantly and rationally incorporated into the prices of equities. It is expected that stock prices react to cyberattack announcements, and hence the study captures this behaviour and the overall market impact using two methods: the naïve benchmark approach and the risk-adjusted or market model. For the naïve benchmark approach, the market index was used to capture the market effects. The market model (single-factor model), on the other hand, uses the capital asset pricing model (see [29], [25] and [30]) stated as: , where is the return on equity i on day t, is the return of the market index m on day t.
, and are the intercept, gradient, and the residuals, respectively. Using the S&P 500 market index and an estimation window of 250 daily returns of each stock ([29], [33], and [25]), the parameters of equation (1) were estimated. For instance, to estimate the parameters of equation (1) for the event window [-10, 10] (i.e. 10 days before the announcement and 10 after the announcement), an estimation window from day 260 to day 11 before the cyberattack announcement was used to avoid parameter contamination by the event under study. The abnormal return (AR) on a given day within the event window is computed as the difference between the actual return and the estimated return of equation (1) ( ) as follows: ( where is the abnormal return for stock i on day t. Furthermore, the cumulative market reaction for the event window for individual firms and groups of firms was also captured. For individual firms, the cumulative abnormal return (the accumulation of price reactions over the event window) was calculated as follows: , is the cumulative price reaction to an attack between day 'a' and day 'b', and is the corresponding abnormal return on day t. For the group level, equation (2) controls for the contemporaneous market-level fluctuations (see [30]). This effect was controlled by computing the average abnormal return (AAR) for the period under consideration, which is given by , where is the average abnormal return on day t for N firms, is the abnormal return for firm i on day t. Further, the cumulative average abnormal return (CAAR), which measures the accumulated stock price reaction to the cyberattacks over a given event window, was estimated using: ) where is the CAAR from day a to b, and is the average abnormal return at day t.

Test of Significance
To evaluate the statistical significance of the cyberattacks on equity returns, the paper adopts various parametric and non-parametric tests of significance. First, the classical cross-section t-test (under the null hypothesis, ) was applied as follows ([23]; [26, p. 200]; [24]; [30]; among others)., Where is the standard deviation across firms at time t: , The cross-section t-statistic for CAAR ( ) is given by , These simple tests are prone to cross-sectional correlation and volatility changes, among others, and as such lack power ([34]; [35]; among others). Given the weakness of the simple test for AAR and CAAR, the study employs statistical tests that account for the effects of cross-section correlation in returns, returns series correlation, volatility changes, and skewness in the returns.
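The market-model computation from the two sections above, as an added example (not the authors' code): it fits the model on the 250 returns before the event window, then derives AR, CAR, AAR, CAAR and the simple cross-section t for CAAR. The returns are constructed synthetic data, all function names are hypothetical, and because the paper's equations did not survive on this page, the formulas are the standard textbook forms, which is an assumption.

```python
import random
from statistics import mean, stdev

def market_model(stock, market):
    """OLS fit of stock_return = alpha + beta * market_return."""
    mx, my = mean(market), mean(stock)
    sxx = sum((x - mx) ** 2 for x in market)
    beta = sum((x - mx) * (y - my) for x, y in zip(market, stock)) / sxx
    return my - beta * mx, beta

def abnormal_returns(stock, market, event_idx, a, b, est_len=250):
    """AR for event days a..b, counted relative to event_idx (day 0).

    The estimation window is the est_len days ending the day before the
    event window opens, e.g. days -260..-11 for the window [-10, 10].
    """
    first, last = event_idx + a, event_idx + b
    est_start = first - est_len
    if est_start < 0 or last >= len(stock):
        raise ValueError("not enough returns around the event date")
    alpha, beta = market_model(stock[est_start:first], market[est_start:first])
    # Abnormal return = actual return minus the return the model predicts.
    return [stock[t] - (alpha + beta * market[t]) for t in range(first, last + 1)]

def cross_section_summary(ar_by_firm):
    """AAR per day, CAR per firm, CAAR, and the cross-section t for CAAR."""
    n = len(ar_by_firm)
    aar = [mean(day) for day in zip(*ar_by_firm)]   # average across firms
    car = [sum(firm) for firm in ar_by_firm]        # sum across event days
    caar = sum(aar)                                 # equals mean(car)
    t_stat = caar / (stdev(car) / n ** 0.5)
    return aar, car, caar, t_stat

def simulate_firm(rng, market, event_idx, shock):
    """Constructed returns: market model plus noise, with a shock on day 0."""
    beta = rng.uniform(0.8, 1.4)
    stock = [0.0002 + beta * m + rng.gauss(0, 0.01) for m in market]
    stock[event_idx] += shock
    return stock

def run_example(n_firms=20, shock=-0.05, window=(-1, 1), seed=7):
    """All firms share one event date here, purely to keep the sample short."""
    rng = random.Random(seed)
    days, event_idx = 330, 290
    market = [rng.gauss(0.0004, 0.008) for _ in range(days)]
    ars = [abnormal_returns(simulate_firm(rng, market, event_idx, shock),
                            market, event_idx, *window)
           for _ in range(n_firms)]
    return cross_section_summary(ars)

if __name__ == "__main__":
    aar, car, caar, t_stat = run_example()
    print("AAR by day:", [round(x, 4) for x in aar])
    print(f"CAAR[-1,1] = {caar:.4f}, cross-section t = {t_stat:.2f}")
```

Because every simulated firm shares the same market series and event date, the sample is cross-sectionally correlated, which is the condition under which the text says this simple t-test loses power.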

Event Study Timeline
The ESM covers four major time periods (figure 1):
i. The interval t0 to t1 illustrates the estimation window. It indicates how firms were faring in this period prior to the event window. This is considered to be two hundred (200) days prior to the event period. It is assumed that there will be normal behaviour of firms' market activities during this period.
ii. The interval t1 to t2 is the event window(s).
a. T1 to 0 is the pre-event window. This illustrates the probability of some people knowing about the attacks (i.e. the event) even before it became public or before the announcement dates (see table 1). T0 is set to thirty (30) days.
b. t2 to t3 is the post-event window. This illustrates the probability that some people got to hear of the attack later than the day of the announcement. T3 is set to thirty (30) days after the attack (events).
iii. Time 0 is the event date in calendar time (the attacked date for each firm). It represents the actual date when the news about the attack is made known to the public via announcements.
iv. Interval t0 to t3 is the observation period. It indicates the overall performance of the firm with respect to the attack. This shows whether the breached firm responded positively or negatively to the attack.

Result & Discussion
The study uses information on the announcements of data breaches at firms listed on the S&P 500 between January 2013 and December 2017. Specifically, 96 firms that experienced cyberattacks were chosen (see Table 1 in the appendix for the list of the firms).
The event dates are taken to be the first public announcement of the attacks. The empirical analysis was performed in two ways: cross-section and industry level. Figures 1 and 2 show the cross-section and industry-level cumulative reaction of firms, respectively. It is obvious from the figures that firms react to cyberattacks in a varied manner. Panel A and Panel B of Table 1 present the cross-section and industry-level analyses, respectively. The test statistics of our cross-section analysis show that markets do not significantly react to cyberattacks for all the event windows except [-30, 30], where Generalized Sign Z, which adjusts for cross-section correlations, shows a marginal cumulative market reaction. For the industry level, the analysis offers three main results. Firstly, there is no evidence of a cumulative firm reaction to cyberattacks for all the estimation windows for the industrial, information technology and health sectors. Secondly, for the retail sector, only the generalized Z test shows that the firms marginally reacted cumulatively over the [-20, 20] event window.
For the financial sector, there is strong evidence of cumulative reaction to cyberattacks for [-1, 1], and the reactions disappear for relatively longer event windows.
The outcome of the analysis implies the following. Firstly, studying the cumulative effects of cyberattacks on prices of listed firms using event study methodology without grouping the firms into various sectors may not be informative. Secondly, firms in the financial sector tend to react cumulatively to cyberattacks over a 3-day period more than firms in other sectors.
Furthermore, there is not much reaction in the stock values of technology firms to the public announcement of a cyberattack. This may be due to the fact that such firms usually have tools and techniques to respond quickly to counteract the potential impact of such an event. represents only financially quantifiable estimates, yet many companies underestimate the cybersecurity risk they face and how quickly such risk may escalate. Additionally, the actual and total impacts (in terms of cost) of cybercrime activities are never known, as many attacks remain undetected and/or unreported. Studies have also shown that the stock market reacts strongly to cyberattack events and potential investors continue to monitor such market reactions. For instance, in February 2017, Yahoo had to agree to take a price cut on the original $4.8bn sale of its core business to Verizon, making it one of the first times that the discovery of a cyberattack had resulted in revising an acquisition price [43]. In this paper, an attempt has been made to explore and explain the reaction of stock markets to high-profile cyberattacks on S&P 500 index firms.
In all, data involving 97 firms were studied.
The empirical analysis was performed in two ways: cross-section and industry level. The test statistics of the cross-section analysis show that markets do not react significantly to cyberattacks for all the event windows except [-30, 30], where Generalized Sign Z, which adjusts for cross-section correlations, shows a marginal cumulative market reaction. For the industry level, the analysis offers three main results. Firstly, there is no evidence of a cumulative firm reaction to cyberattacks for all the estimation windows for the industrial, information technology and health sectors. Secondly, for the retail sector, only the generalized Z test shows that the firms marginally reacted cumulatively over the [-20, 20] event window. For the financial sector, there is strong evidence of cumulative reaction to cyberattacks for [-1, 1], and the reactions disappear for relatively longer event windows.

Figure 1a: Cross-section Analysis: Cumulative reaction of all firms -All Industries