Do firms underreport information on cyber-attacks? Evidence from capital markets

Abstract

Firms should disclose information on material cyber-attacks. However, because managers have incentives to withhold negative information, and investors cannot discover most cyber-attacks independently, firms may underreport them. Using data on cyber-attacks that firms voluntarily disclosed, and those that were withheld and later discovered by sources outside the firm, we estimate the extent to which firms withhold information on cyber-attacks. We find withheld cyber-attacks are associated with a decline of approximately 3.6% in equity values in the month the attack is discovered, and disclosed attacks with a substantially lower decline of 0.7%. The evidence is consistent with managers not disclosing negative information below a certain threshold and withholding information on the more severe attacks. Using the market reactions to withheld and disclosed attacks, we estimate that managers disclose information on cyber-attacks when investors already suspect a high likelihood (40%) of an attack.

Fig. 1

Notes

  1. For example, Target, the US retailer, experienced a data breach involving millions of its customers’ credit and debit cards and, after customers and credit card companies revealed the breach, the firm confirmed it. In some cases, the hackers themselves may reveal the breach. For example, hackers breached the LinkedIn network and stole a database containing 6.5 million users’ encrypted passwords in June 2013. The hackers later published the attack, hoping to receive help from fellow hackers in cracking the encrypted passwords. After the hackers published the passwords, LinkedIn acknowledged this breach.

  2. According to Verizon (2015), more than 20,000 data breaches occurred in the US private sector during that period.

  3. Mixed results also exist for specific types of data breaches. For example, Hovav and D’Arcy (2003) and Kannan et al. (2007) find that denial-of-service attacks have an insignificant effect, whereas Ettredge and Richardson (2003) find that this kind of attack has a significant negative impact on the market value of firms. For a further review of this literature, see Spanos and Angelis (2016).

  4. Hilary et al. (2016) also find that the market reaction to data breaches is, on average, not different from zero, and Gordon et al. (2010) find that firms gain market value when they voluntarily disclose information on items pertaining to information security.

  5. Baginski et al. (2018) show that managers’ career concerns lead them to delay disclosure of bad news.

  6. As we will show, public firms reported only dozens of data breaches over our six-year sample, and thus the probability of significant attacks seems low.

  7. Litigation costs that can deter withholding are also expected to be low. Litigation follows almost every data breach (Southwell et al. 2017)—breaches that are voluntarily disclosed by firms as well as those withheld by firms and later discovered by third parties. Firms that withhold information avoid (in case the withheld breach is not discovered) the almost automatic litigation that follows disclosure, so their expected litigation costs are not necessarily higher than those of firms voluntarily disclosing the breach (White 2014).

  8. Dye (1985) assumes that firm owners wish to maximize the current share price and provide managers with incentives to withhold negative information. The assumption that, in general, managers wish to maximize share prices is reasonable because their careers and reputations are often linked to share prices.

  9. In practice, the probability of independent discovery by investors may affect the disclosure policy. However, Dye’s (1985) model does not consider the probability that investors independently discover bad news (a cyber-attack, in our case). He assumes that investors cannot discover bad news that the manager withheld. Because the probability that investors discover cyber-attacks is, in practice, very small, Dye’s (1985) model adequately describes the disclosure of cyber-attacks, as we demonstrate empirically.

  10. Jung and Kwon (1988) show how, in this setting, an increase in the probability with which investors believe managers have negative information lowers the disclosure threshold and triggers the release of information that managers would otherwise withhold.

  11. As discussed below, the average market reaction to attacks that are discovered may be a biased estimate of the damage. Specifically, the decrease in price upon discovery may be larger than the damage because of the negative reputation effects and litigation risk associated with withholding. In this case, our withholding-probability estimate will be biased downward.

  12. Dye (1985) uses the same assumption in the illustrative example of his theorem (p. 129). As discussed below, even if the loss is not uniformly distributed, we can still estimate the minimal probability of withholding, because the disclosure threshold will not be higher than the actual return reaction in the cases in which firms disclosed the cyber-attack.

  13. Fuzzy matching is a text-search algorithm that scores how likely it is that a pair of text strings refers to the same thing. For instance, ‘Microsoft Corporation’ and ‘Microsoft corp.’ will receive a very high matching score from the algorithm.

  14. This sample-selection criterion does not change the results, and results with all 320 incidents are similar to those presented below.

  15. We classify cases as “withholding” only if the firm clearly learned of the attack before a party outside the firm discovered it. In many cases, firms eventually disclose the date on which they learned of the attack; AuditAnalytics, the data vendor, provides this date, and we collect it for the VCDB VERIS data cases.

  16. Stringer, H. (2011, May 5). A Letter from Howard Stringer. Sony Corporation. Retrieved from http://blog.us.playstation.com.

  17. Target (2013, December 19). Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores. Retrieved from https://corporate.target.com.

  18. We find stronger results when we define withholding as a case in which the firm did not disclose the breach for a longer period after it learned of it. For example, for firms that did not disclose the breach for at least 14 days, the return in the month after the discovery is −4.83%, compared with −3.56% reported in Table 4.

  19. Only enforcement agencies that investigate an attack can require a firm not to disclose the breach, in order to allow them time to complete the investigation. We did not find any such requests in the withholding cases included in our sample.

  20. In 30 of the 86 immaterial cases, the firm ignored reports on cyber-attacks. For legal purposes, a nonresponse is considered a statement that the event was immaterial. These cases were indeed minor and occurred in large companies. Omitting these 30 cases from the sample does not change the results in any meaningful way.

  21. This approach is equivalent to using a beta equal to 1, as firm-specific beta estimates are noisy (Fama and French 1996).

  22. Using alternative risk adjustments for smaller samples, we find similar results. See Table 9.

  23. Negative reputation from withholding can also affect stock returns, and we control for this endogenous effect in Table 7 below.

  24. Data on severity and Ret(−1,3) are available for the entire sample, whereas the damage variable is available only for a small subsample of firms. Note that we get similar results when we perform the analysis with the same subsample for damage, severity, and Ret(−1,3).

  25. Less than 8% of the attack-discovery dates exactly coincide with earnings announcements, and when we exclude these observations, we get similar results.

  26. The fact that individuals can access a firm’s website over the Internet from other states is not sufficient to give those states jurisdiction over the firm (Rosenblatt 1999). We therefore use the state of incorporation as an instrument for the disclosure level to which the firm is obligated.

  27. The large coefficients on the withholding instrument do not necessarily suggest that withholding has a larger effect in the 2SLS estimation. The distribution of the withholding variable (used in the OLS regression) and that of the withholding instrument differ. The withholding variable in the OLS regression is an indicator variable with a standard deviation of 0.433, whereas the withholding instrument, \( {\overline{Withholding}}_{it} \), is the expected value of withholding (a continuous variable) from the first stage of the 2SLS model, with a standard deviation of 0.046. A one-standard-deviation change in the 2SLS withholding instrument does not necessarily lead to a greater effect than a one-standard-deviation change in the OLS withholding variable. Moreover, when we add instrumental variables to the first stage of the 2SLS model (the two governance metrics, SOX404 and entrenchment), we find similar results. Hence our findings are unlikely to be driven by model specification.

  28. On a univariate level, availability, confidentiality, and integrity attacks are associated with returns, Ret(−1,3), of −0.77%, −0.30%, and −0.04%, respectively. Gordon et al. (2011) similarly find that availability attacks are associated with larger damages than confidentiality attacks, and that integrity attacks are associated with the lowest damages. Once we control for the damage, the attack type does not provide any additional explanatory power.

  29. We calculate the value of managers’ stocks and options based on Coles et al. (2006).
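Note 13 describes the fuzzy matching used to link firm names across datasets. The following is an added illustration, not code from the paper: it normalizes names with an assumed list of corporate suffixes, scores pairs with Python's standard-library SequenceMatcher plus token overlap, and uses constructed sample names.

```python
import re
from difflib import SequenceMatcher

# Assumed list of corporate suffixes and filler words that carry no identity.
SUFFIXES = {"the", "corporation", "corp", "incorporated", "inc", "company",
            "co", "limited", "ltd", "plc", "llc", "holdings", "group"}


def normalize(name: str) -> str:
    """Lower-case, strip punctuation and drop suffixes such as 'Corp.'."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    kept = [t for t in tokens if t not in SUFFIXES]
    # A name made only of suffixes (e.g. "Corp Inc") falls back to all tokens.
    return " ".join(kept or tokens)


def match_score(a: str, b: str) -> float:
    """Similarity score in [0, 1] for two firm names.

    Combines a character-level ratio (catches small spelling differences)
    with token-set overlap (ignores word order), taking the larger value.
    """
    na, nb = normalize(a), normalize(b)
    char_ratio = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    token_ratio = len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0
    return max(char_ratio, token_ratio)


def best_match(name: str, candidates, threshold: float = 0.85):
    """Return (best candidate, score), or (None, score) if nothing clears the
    threshold; borderline scores are the ones to review by hand."""
    score, best = max((match_score(name, c), c) for c in candidates)
    return (best if score >= threshold else None), score


if __name__ == "__main__":
    # Constructed sample: names as they might appear in two different datasets.
    registry = ["Microsoft Corporation", "Target Corporation",
                "Sony Pictures Entertainment Inc."]
    for incident_name in ["Microsoft corp.", "TARGET Corp", "Sony Corporation"]:
        print(incident_name, "->", best_match(incident_name, registry))
```

A parent company and a similarly named subsidiary (the Sony pair in the sample) score well below the threshold, which is the case that needs manual resolution before incidents are assigned to a listed firm.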

References

  1. Amir, E., & Ziv, A. (1997). Recognize, disclose, or delay: Timing the adoption of SFAS No. 106. Journal of Accounting Research, 35(Spring), 61–81.

  2. Baginski, S. P., Campbell, J. L., Hinson, L. A., & Koo, D. S. (2018). Do career concerns affect the delay of bad news disclosure? The Accounting Review, 93(2), 61–95.

  3. Bebchuk, L., Cohen, A., & Ferrell, A. (2009). What matters in corporate governance? Review of Financial Studies, 22(2), 783–827.

  4. Campbell, K., Gordon, L., Loeb, M., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 11, 431–448.

  5. Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9, 69–104.

  6. Chambers, A., & Penman, S. (1984). Timeliness of reporting and the stock price reaction to earnings announcements. Journal of Accounting Research, 22(1), 21–47.

  7. Chernick, M. (2007). Bootstrap methods: A guide for practitioners and researchers (2nd ed.). New York: Wiley.

  8. Coles, J. L., Daniel, N. D., & Naveen, L. (2006). Managerial incentives and risk-taking. Journal of Financial Economics, 79, 431–468.

  9. Daniel, K., Grinblatt, M., Titman, S., & Wermers, R. (1997). Measuring mutual fund performance with characteristic-based benchmarks. Journal of Finance, 52(3), 1035–1058.

  10. Dye, R. (1985). Disclosure of nonproprietary information. Journal of Accounting Research, 23(1), 123–145.

  11. Ettredge, M., & Richardson, V. (2003). Information transfer among internet firms: The case of hacker attacks. Journal of Information Systems, 17, 71–82.

  12. Fama, E., & French, K. (1996). The CAPM is wanted, dead or alive. Journal of Finance, 51(5), 1947–1958.

  13. Ge, W., & McVay, S. (2005). The disclosure of material weaknesses in internal control after the Sarbanes-Oxley Act. Accounting Horizons, 19(3), 137–158.

  14. Gordon, L. A., Loeb, M. P., & Sohail, T. (2010). Market value of voluntary disclosures concerning information security. MIS Quarterly, 34, 567–594.

  15. Gordon, L., Loeb, M., & Zhou, L. (2011). The impact of information security breaches: Has there been a downward shift in costs? Journal of Computer Security, 19, 33–56.

  16. Grossman, S. (1981). The informational role of warranties and private disclosure about product quality. Journal of Law and Economics, 24(3), 461–483.

  17. Grossman, S., & Hart, O. (1980). Disclosure laws and takeover bids. Journal of Finance, 35(2), 323–334.

  18. Heckman, J. (1979). Sample selection bias as a specification error. Econometrica, 47(1), 153–161.

  19. Hilary, G., Segal, B., & Zhang, M. (2016). Cyber-risk disclosure: Who cares? Georgetown McDonough School of Business Research Paper No. 2852519, p. 59.

  20. Hovav, A., & D’Arcy, J. (2003). The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review, 6, 97–121.

  21. Jung, W., & Kwon, Y. (1988). Disclosure when the market is unsure of information endowment of managers. Journal of Accounting Research, 26(1), 146–153.

  22. Kannan, A., Rees, J., & Shridhar, S. (2007). Market reactions to information security breach announcements: An empirical analysis. International Journal of Electronic Commerce, 12, 69–91.

  23. Kasznik, R., & Lev, B. (1995). To warn or not to warn: Management disclosures in the face of an earnings surprise. Accounting Review, 70(1), 113–134.

  24. Kothari, S. P., Shu, S., & Wysocki, P. (2009). Do managers withhold bad news? Journal of Accounting Research, 47(1), 241–276.

  25. Kvochko, E., & Pant, R. (2015). Why data breaches don’t hurt stock prices. Harvard Business Review, March 31, 2015.

  26. Levitt, A. (1998). The numbers game. The CPA Journal, 68(12), 14–19.

  27. Rosenblatt, B. (1999). Principles of jurisdiction. Harvard University, Berkman Klein Center for Internet & Society. Retrieved from https://cyber.harvard.edu.

  28. Securities and Exchange Commission (2011). Division of Corporation Finance, CF disclosure guidance, Topic No. 2 – Cybersecurity, October 13, 2011. Securities and Exchange Commission. Retrieved from http://www.sec.gov.

  29. Securities and Exchange Commission (2018). Commission statement and guidance on public company cybersecurity disclosures, February 26, 2018. Securities and Exchange Commission. Retrieved from http://www.sec.gov.

  30. Skinner, D. (1994). Why firms voluntarily disclose bad news? Journal of Accounting Research, 32(1), 38–60.

  31. Skinner, D. (1997). Earnings disclosures and stockholder lawsuits. Journal of Accounting and Economics, 23, 249–282.

  32. Southwell, A., Vandevelde, E., Bergsieker, R., & Bisnar-Maute, J. (2017). Gibson Dunn Reviews U.S. Cybersecurity and Data Privacy, February 3, 2017. The CLS Blue Sky Blog, Columbia Law School. Retrieved from http://clsbluesky.law.columbia.edu.

  33. Spanos, G., & Angelis, L. (2016). The impact of information security events on the stock market: A systematic literature review. Computers & Security, 58, 216–229.

  34. Verizon Enterprise Solutions (2015). Verizon 2015 Data Breach Investigations Report. Verizon Enterprise Solutions. Retrieved from http://www.verizonenterprise.com.

  35. White, M. J. (2014). Opening Statement at SEC Roundtable on Cybersecurity, March 26, 2014. Securities and Exchange Commission. Retrieved from http://www.sec.gov.

Acknowledgments

We thank Peter Easton (Editor), Eti Einhorn, Tsahi Versano, two anonymous referees, and seminar participants at the 2017 American Accounting Association annual meeting in San Diego, 2017 European Accounting Association annual meeting in Valencia, Bar Ilan University, Ben Gurion University, ESSEC, Exeter University, Hebrew University of Jerusalem, INSEAD, University of Padua, and Tel Aviv University for useful comments. We also thank the Blavatnik Interdisciplinary Cyber Research Center, the Jeremy Coller Foundation, and Henry Crown Institute of Business Research for financial support.

Author information

Corresponding author

Correspondence to Shai Levi.

About this article

Cite this article

Amir, E., Levi, S. & Livne, T. Do firms underreport information on cyber-attacks? Evidence from capital markets. Rev Account Stud 23, 1177–1206 (2018). https://doi.org/10.1007/s11142-018-9452-4

Keywords

  • Cyber attacks
  • Data breaches
  • Disclosure

JEL classification

  • M41
  • G14