Published in: Review of Accounting Studies 3/2018

19-06-2018

Do firms underreport information on cyber-attacks? Evidence from capital markets

Authors: Eli Amir, Shai Levi, Tsafrir Livne

Abstract

Firms should disclose information on material cyber-attacks. However, because managers have incentives to withhold negative information, and investors cannot discover most cyber-attacks independently, firms may underreport them. Using data on cyber-attacks that firms voluntarily disclosed, and those that were withheld and later discovered by sources outside the firm, we estimate the extent to which firms withhold information on cyber-attacks. We find withheld cyber-attacks are associated with a decline of approximately 3.6% in equity values in the month the attack is discovered, and disclosed attacks with a substantially lower decline of 0.7%. The evidence is consistent with managers not disclosing negative information below a certain threshold and withholding information on the more severe attacks. Using the market reactions to withheld and disclosed attacks, we estimate that managers disclose information on cyber-attacks when investors already suspect a high likelihood (40%) of an attack.

Footnotes
1
For example, Target, the US retailer, experienced a data breach involving millions of its customers’ credit and debit cards and, after customers and credit card companies revealed the breach, the firm confirmed it. In some cases, the hackers themselves may reveal the breach. For example, hackers breached the LinkedIn network and stole a database containing 6.5 million users’ encrypted passwords in June 2013. The hackers later published the attack, hoping to receive help from fellow hackers in cracking the encrypted passwords. After the hackers published the passwords, LinkedIn acknowledged this breach.
 
2
According to Verizon (2015), more than 20,000 data breaches occurred in the US private sector during that period.
 
3
Mixed results exist also for specific types of data breaches. For example, Hovav and D’Arcy (2003) and Kannan et al. (2007) find denial-of-service attacks have an insignificant effect, whereas Ettredge and Richardson (2003) find this kind of attack has a significant negative impact on the market value of firms. For further review of this literature, see Spanos and Angelis (2016).
 
4
Hilary et al. (2016) also find that the market reaction to data breaches is, on average, not different from zero, and Gordon et al. (2010) find that firms gain market value when they voluntarily disclose information on items pertaining to information security.
 
5
Baginski et al. (2018) show that managers’ career concerns lead them to delay disclosure of bad news.
 
6
As we will show, public firms reported only dozens of data breaches over our six-year sample, and thus the probability of significant attacks seems low.
 
7
Litigation costs that can deter withholding are also expected to be low. Litigation follows almost every data breach (Southwell et al. 2017), whether the breach was voluntarily disclosed by the firm or withheld by the firm and later discovered by third parties. It seems that firms withholding information avoid (in case the withheld breach is not discovered) the almost automatic litigation that follows, and therefore their expected litigation costs are not necessarily higher than those of firms voluntarily disclosing the breach (White 2014).
 
8
Dye (1985) assumes firm owners wish to maximize current share price and provide managers with incentives to withhold negative information. The assumption that, in general, managers wish to maximize share prices is reasonable because their career and reputation are often linked to share prices.
 
9
In practice, the probability of independent discovery by investors may affect the disclosure policy. However, Dye’s (1985) model does not consider the probability of independent discovery of bad news by investors (cyber-attack, in our case). He assumes that investors cannot discover bad news that the manager withheld. Because the probability of discovery of cyber-attacks by investors is practically very small, Dye’s (1985) model adequately describes disclosure of cyber-attacks, as we empirically demonstrate.
 
10
Jung and Kwon (1988) show how, in this setting, an increase in the probability with which investors believe managers have negative information will lower the disclosure threshold and will trigger the release of information managers would otherwise withhold.
 
11
As discussed below, the average market reaction to attacks that are discovered may be a biased estimate of the damage. Specifically, the decrease in price upon discovery may be larger than the damage due to the negative reputation effects and litigation risk associated with withholding. In this case, our withholding-probability estimate will be downward biased.
 
12
Dye (1985) uses the same assumption in the illustrative example of his theorem (p. 129). As discussed below, even if the loss is not uniformly distributed, we can still estimate the minimal probability of withholding, because the disclosure threshold will not be higher than the actual return reaction in the cases in which firms disclosed the cyber-attack.
 
13
Fuzzy matching is a text-matching algorithm that assigns a score to the likelihood that a pair of text strings refer to the same thing. For instance, ‘Microsoft Corporation’ and ‘Microsoft corp.’ will receive a very high matching score from the algorithm.
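
The following is an added illustration of the kind of fuzzy matching described in this footnote; it is not the authors' code, and the paper does not say which algorithm or thresholds they used. It normalizes company names (lower-casing, dropping corporate-form tokens such as "Corp" or "Inc", which is an assumed list), scores a pair with the better of a character-level ratio (Python's standard-library `difflib`) and a token-level Jaccard overlap, and sorts the best candidate into accept / review / reject bands whose cut-offs (0.85 and 0.70) are assumptions chosen for the example. The firm names at the bottom are constructed sample data.

```python
import re
from difflib import SequenceMatcher

# Corporate-form tokens that carry no identifying information; they are dropped
# before scoring so that "Microsoft Corporation" and "Microsoft corp." compare
# equal. The list is an assumption for this example, not the paper's own.
FORM_TOKENS = {
    "corp", "corporation", "inc", "incorporated", "co", "company", "ltd",
    "limited", "plc", "llc", "holdings", "the",
}


def normalize(name: str) -> str:
    """Lower-case, keep only alphanumeric tokens, drop corporate-form tokens."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    kept = [t for t in tokens if t not in FORM_TOKENS]
    # Fall back to the raw tokens if everything was stripped (e.g. "The Company").
    return " ".join(kept or tokens)


def similarity(a: str, b: str) -> float:
    """Score in [0, 1]: the better of character-level and token-level agreement."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    char_ratio = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    token_jaccard = len(ta & tb) / len(ta | tb)
    return max(char_ratio, token_jaccard)


def best_match(query: str, candidates, accept: float = 0.85,
               review: float = 0.70) -> dict:
    """Return the top-scoring candidate and a decision band for it.

    Scores at or above `accept` count as a match, scores in [review, accept)
    are flagged for manual checking, anything lower is rejected. Both
    thresholds are assumptions made for this example.
    """
    score, name = max((similarity(query, c), c) for c in candidates)
    if score >= accept:
        decision = "accept"
    elif score >= review:
        decision = "review"
    else:
        decision = "reject"
    return {"query": query, "match": name,
            "score": round(score, 3), "decision": decision}


# Constructed sample data: listed-firm names that breach-database entity names
# are reconciled against.
LISTED_FIRMS = [
    "Microsoft Corporation",
    "Micron Technology Inc",
    "Target Corp",
    "Sony Corporation",
]

if __name__ == "__main__":
    for entity in ["Microsoft corp.", "TARGET CORPORATION", "Acme Widgets"]:
        print(best_match(entity, LISTED_FIRMS))
```

Taking the larger of the two signals keeps a close spelling variant from being penalized for a reordered word, while the Jaccard term prevents a name that merely shares a prefix (Microsoft vs. Micron) from scoring as a match; anything in the review band is the natural place for the manual checks the paper's sample construction relies on.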
 
14
This sample-selection criterion does not change the results, and results with all 320 incidents are similar to those presented below.
 
15
We classify cases as “withholding” only if the firm clearly learned of the attack before a party outside the firm discovered it. In many cases, firms eventually disclose the date on which they learned of the attack; AuditAnalytics, the data vendor, provides this date, and we collect this date for VCDB VERIS data cases.
 
16
Stringer, H. (2011, May 5). A Letter from Howard Stringer. Sony Corporation. Retrieved from http://blog.us.playstation.com.
 
17
Target (2013, December 19). Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores. Retrieved from https://corporate.target.com.
 
18
We find stronger results when we define withholding as a case in which the firm did not disclose the breach for a longer period after it learned of it. For example, for firms that did not disclose the breach for at least 14 days, the return in the month after the discovery is −4.83%, compared with −3.56% reported in Table 4.
 
19
Only enforcement agencies that investigate an attack can require a firm not to disclose the breach to allow them time to complete the investigation. We did not find any such requests in the withholding cases included in our sample.
 
20
In 30 out of the 86 immaterial cases, the firm ignored reports on cyber-attacks. For legal purposes, a nonresponse is considered a statement that the event was immaterial. These cases were indeed minor and occurred in large companies. Omitting these 30 cases from the sample does not change the results in any meaningful way.
 
21
This approach is equivalent to using a beta equal to 1, as firm-specific beta estimates are noisy (Fama and French 1996).
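
As an added worked example of the return adjustment this footnote refers to (not the authors' code): a beta of 1 means the abnormal return on each day is simply the firm's return minus the market return, so the cumulative abnormal return over an event window such as Ret(−1,3) is the sum of those daily differences. The function below makes beta a parameter so the beta-equals-one case can be compared with a firm-specific beta; summing daily abnormal returns rather than compounding them, and the return series themselves, are assumptions constructed for the example.

```python
from typing import Sequence


def market_adjusted_car(firm: Sequence[float], market: Sequence[float],
                        event_day: int, start: int = -1, end: int = 3,
                        beta: float = 1.0) -> float:
    """Cumulative abnormal return over trading days event_day+start .. event_day+end.

    The abnormal return on each day is the firm's return minus beta times the
    market return; with the default beta = 1 this is the market-adjusted return
    the footnote describes. Daily abnormal returns are summed, not compounded
    (an assumption of this example).
    """
    if len(firm) != len(market):
        raise ValueError("firm and market series must have equal length")
    lo, hi = event_day + start, event_day + end
    if lo < 0 or hi >= len(firm):
        raise ValueError("event window falls outside the return series")
    return sum(firm[d] - beta * market[d] for d in range(lo, hi + 1))


# Constructed daily simple returns for seven trading days; the attack is
# discovered on day index 2, so the (-1, 3) window covers indices 1..5.
FIRM_RETURNS = [0.010, 0.000, -0.020, -0.030, 0.010, 0.000, 0.005]
MARKET_RETURNS = [0.010, 0.010, 0.005, -0.010, 0.002, 0.000, 0.005]
EVENT_DAY = 2


def example_car() -> float:
    """Ret(-1,3) for the constructed series with beta = 1."""
    return market_adjusted_car(FIRM_RETURNS, MARKET_RETURNS, EVENT_DAY)


def example_raw_car() -> float:
    """Same window with beta = 0, i.e. the unadjusted cumulative firm return."""
    return market_adjusted_car(FIRM_RETURNS, MARKET_RETURNS, EVENT_DAY, beta=0.0)


if __name__ == "__main__":
    print(f"Ret(-1,3), market-adjusted: {example_car():.4f}")
    print(f"Ret(-1,3), unadjusted:      {example_raw_car():.4f}")
```

On the constructed series the firm loses 4.0% over the window while the market gains 0.7%, so the market-adjusted Ret(−1,3) is −4.7%; the same function with a different `start`/`end` gives the month-after-discovery window used elsewhere in the paper.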
 
22
Using alternative risk adjustments for smaller samples, we find similar results. See Table 9.
 
23
Negative reputation from withholding can also affect stock returns, and we control for this endogenous effect in Table 7 below.
 
24
Data on severity and Ret(−1,3) are available for the entire sample, whereas the damage variable is available only for a small subsample of firms. Note that we get similar results when we perform the analysis with the same subsample for damage, severity, and Ret(−1,3).
 
25
Less than 8% of the attack-discovery dates exactly coincide with the earnings announcements, and when excluding these observations, we get similar results.
 
26
The fact that individuals can access a firm’s website over the Internet from other states is not sufficient to give these states jurisdiction over the firm (Rosenblatt 1999). We therefore use state of incorporation as an instrument for the disclosure level to which the firm is obligated.
 
27
The large coefficients on the withholding instrument do not necessarily suggest withholding has a larger effect in the 2SLS estimation. The distributions of the withholding variable (used in the OLS regression) and that of the withholding instrument differ. The withholding variable in the OLS regression is an indicator variable with a standard deviation of 0.433, whereas the withholding instrument, \( {\overline{Withholding}}_{it} \), is the expected value of withholding (a continuous variable) from the first stage of a 2SLS model, with a standard deviation of 0.046. One standard deviation change in the 2SLS withholding instrument does not necessarily lead to greater effects than a one standard deviation change in the OLS withholding variable. Moreover, when adding instrumental variables to the first stage of the 2SLS model (the two governance metrics, SOX404 and entrenchment), we find similar results. Hence our findings are unlikely to be driven by model specification.
 
28
On a univariate level, availability, confidentiality, and integrity attacks are associated with returns, Ret(−1,3), of −0.77%, −0.30%, and −0.04%, respectively. Gordon et al. (2011) similarly find that availability attacks are associated with larger damages than confidentiality attacks, and integrity attacks are associated with the lowest damages. Once we control for the damage, the attack type does not provide any additional explanatory power.
 
29
We calculate the value of managers’ stocks and options based on Coles et al. (2006).
 
Literature
Amir, E., & Ziv, A. (1997). Recognize, disclose or delay: Timing the adoption of SFAS No. 106. Journal of Accounting Research, 35(Spring), 61–81.
Baginski, S. P., Campbell, J. L., Hinson, L. A., & Koo, D. S. (2018). Do career concerns affect the delay of bad news disclosure? The Accounting Review, 93(2), 61–95.
Bebchuk, L., Cohen, A., & Ferrell, A. (2009). What matters in corporate governance? Review of Financial Studies, 22(2), 783–827.
Campbell, K., Gordon, L., Loeb, M., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 11, 431–448.
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9, 69–104.
Chambers, A., & Penman, S. (1984). Timeliness of reporting and the stock price reaction to earnings announcements. Journal of Accounting Research, 22(1), 21–47.
Chernick, M. (2007). Bootstrap methods: A guide for practitioners and researchers (2nd ed.). New York: Wiley.
Coles, J. L., Daniel, N. D., & Naveen, L. (2006). Managerial incentives and risk-taking. Journal of Financial Economics, 79, 431–468.
Daniel, K., Grinblatt, M., Titman, S., & Wermers, R. (1997). Measuring mutual fund performance with characteristic-based benchmarks. Journal of Finance, 52(3), 1035–1058.
Dye, R. (1985). Disclosure of nonproprietary information. Journal of Accounting Research, 23(1), 123–145.
Ettredge, M., & Richardson, V. (2003). Information transfer among internet firms: The case of hacker attacks. Journal of Information Systems, 17, 71–82.
Fama, E., & French, K. (1996). The CAPM is wanted, dead or alive. Journal of Finance, 51(5), 1947–1958.
Ge, W., & McVay, S. (2005). The disclosure of material weaknesses in internal control after the Sarbanes-Oxley Act. Accounting Horizons, 19(3), 137–158.
Gordon, L. A., Loeb, M. P., & Sohail, T. (2010). Market value of voluntary disclosures concerning information security. MIS Quarterly, 34, 567–594.
Gordon, L., Loeb, M., & Zhou, L. (2011). The impact of information security breaches: Has there been a downward shift in costs? Journal of Computer Security, 19, 33–56.
Grossman, S. (1981). The informational role of warranties and private disclosure about product quality. Journal of Law and Economics, 24(3), 461–483.
Grossman, S., & Hart, O. (1980). Disclosure laws and takeover bids. Journal of Finance, 35(2), 323–334.
Heckman, J. (1979). Sample selection bias as a specification error. Econometrica, 47(1), 153–161.
Hilary, G., Segal, B., & Zhang, M. (2016). Cyber-risk disclosure: Who cares? Georgetown McDonough School of Business Research Paper No. 2852519, p. 59.
Hovav, A., & D’Arcy, J. (2003). The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review, 6, 97–121.
Jung, W., & Kwon, Y. (1988). Disclosure when the market is unsure of information endowment of managers. Journal of Accounting Research, 26(1), 146–153.
Kannan, A., Rees, J., & Shridhar, S. (2007). Market reactions to information security breach announcements: An empirical analysis. International Journal of Electronic Commerce, 12, 69–91.
Kasznik, R., & Lev, B. (1995). To warn or not to warn: Management disclosures in the face of an earnings surprise. Accounting Review, 70(1), 113–134.
Kothari, S. P., Shu, S., & Wysocki, P. (2009). Do managers withhold bad news? Journal of Accounting Research, 47(1), 241–276.
Kvochko, E., & Pant, R. (2015). Why data breaches don’t hurt stock prices. Harvard Business Review, March 31, 2015.
Levitt, A. (1998). The numbers game. The CPA Journal, 68(12), 14–19.
Securities and Exchange Commission (2011). Division of corporation finance, CF disclosure guidance, Topic no. 2 – Cybersecurity, October 13, 2011. Securities and Exchange Commission. Retrieved from http://www.sec.gov.
Securities and Exchange Commission (2018). Commission statement and guidance on public company cybersecurity disclosures, February 26, 2018. Securities and Exchange Commission. Retrieved from http://www.sec.gov.
Skinner, D. (1994). Why firms voluntarily disclose bad news? Journal of Accounting Research, 32(1), 38–60.
Skinner, D. (1997). Earnings disclosures and stockholder lawsuits. Journal of Accounting and Economics, 23, 249–282.
Southwell, A., Vandevelde, E., Bergsieker, R., & Bisnar-Maute, J. (2017). Gibson Dunn Reviews U.S. Cybersecurity and Data Privacy, February 3, 2017. The CLS Blue Sky Blog, Columbia Law School. Retrieved from http://clsbluesky.law.columbia.edu.
Spanos, G., & Angelis, L. (2016). The impact of information security events on the stock market: A systematic literature review. Computers & Security, 58, 216–229.
White, M. J. (2014). Opening Statement at SEC Roundtable on Cybersecurity, March 26, 2014. Securities and Exchange Commission. Retrieved from http://www.sec.gov.
Metadata
Title: Do firms underreport information on cyber-attacks? Evidence from capital markets
Authors: Eli Amir, Shai Levi, Tsafrir Livne
Publication date: 19-06-2018
Publisher: Springer US
Published in: Review of Accounting Studies / Issue 3/2018
Print ISSN: 1380-6653
Electronic ISSN: 1573-7136
DOI: https://doi.org/10.1007/s11142-018-9452-4