Do security breaches matter? The shareholder puzzle
| Published date | 01 March 2020 |
| Date | 01 March 2020 |
| Author | Israel Shaked,Jacob Oded,Allen Michel |
| DOI | http://doi.org/10.1111/eufm.12236 |
Eur Financ Manag. 2020;26:288–315.wileyonlinelibrary.com/journal/eufm288
|
© 2019 John Wiley & Sons Ltd.
DOI: 10.1111/eufm.12236
ORIGINAL ARTICLE
Do security breaches matter? The shareholder
puzzle
Allen Michel
1
|
Jacob Oded
2
|
Israel Shaked
1
1
Questrom School of Business,
Boston University, Boston, Massachusetts
2
Coller School of Management, Tel Aviv
University, Tel Aviv, Israel
Correspondence
Allen Michel, Questrom School of
Business, Boston University, 595
Commonwealth Ave., Boston, MA, 02215.
Email: amichel@bu.edu
Funding information
Henry Crown Institute of Business
Research, The Michel–Shaked Group, Steve
Ross and the Squire Ridge Company, LLC;
Jeremy Coller Foundation
Abstract
This article analyzes the effect of computer breaches on
publicly traded equities from 2005 to 2017. An event
study is performed and breaches analyzed conditioned
on whether the breach announcement has been made in
the mainstream media or through other channels. We
find that in the period prior to the announcement date
in the media, the mean abnormal return is negative,
reflecting a likely leakage of information. In the period
following the announcement date, the mean abnormal
return is positive, often more than offsetting the
previous declines. The findings have important implica-
tions for analysts, portfolio managers, institutional
investors, and regulators.
KEYWORDS
computer breaches, event study, information leakage, regulation
inconsistencies
JEL CLASSIFICATION
G14, G18
EUROPEAN
FINANCIAL MANAGEMENT
We thank John Doukas (the Editor) and an anonymous referee for valuable input and suggestions. We also thank Rohit Singh
for his outstanding statistical analysis and research assistance and Paul Yap for his excellent research contribution. We would
also like to thank Andrea Farner and Dawn DeRossette for their valuable editorial assistance. Importantly, we were guided to
the significance of this topic by Pierre Leroy, board member of Capital One. We appreciate the helpful comments received from
Dino Palazzo and Rui Albuquerque. We are particularly grateful to the Henry Crown Institute of Business Research, The
Michel–Shaked Group, Steve Ross and the Squire Ridge Company, LLC, and the Jeremy Coller Foundation for their generous
financial assistance with this project. All errors are our own.
1
|
INTRODUCTION
Computer breaches have received significant attention in the financial press, yet little attention
in the academic financial literature. Investors and analysts currently have little guidance as to
the expected effects of breaches on security prices. To understand the effect of breaches on
publicly traded equity issues, we analyze all such available breach data by type and by industry
from 2005 to 2017. We find that typically in the period immediately before the announcement of
a breach in the media, the mean cumulative abnormal return (CAR) is negative, while
immediately following the announcement, the mean CAR is positive, often more than offsetting
the prior decline.
Currently, when analysts, portfolio managers, and institutional investors hear about a
security breach, they have very little guidance as to the potential impact of the breach on the
breached company’s stock. Surprisingly, it will be shown that in general, following the breach
announcement, one is more likely to observe an increase rather than a decrease in the stock
price. This is counterintuitive to the expectations of analysts, portfolio managers, and investors.
Moreover, a negative CAR in the period prior to the breach announcement should serve as a
flag to regulators. The most likely reason for a decline is information leakage. The Securities
and Exchange Commission (SEC) is regularly analyzing any abnormal trading activity prior to
announcements of mergers and acquisitions and, for decades, it has been well known that
insider trading activity may take place prior to these M&A announcements. This article suggests
that the regulators should also consider a routine trading history analysis of the stock of
companies that have been breached. The focus of regulators’attention should be the several
weeks prior to the breach announcement.
2
|
LITERATURE REVIEW
Much of the literature discussing data breaches focuses on the informational aspects of the
breach, with the vast majority of the papers published in the management information system
literature. Several are focused on the costs and determination of methodologies to remedy the
occurrence of breaches. For example, Gwebu, Wang, and Xie (2014) determine that the damage
caused by a data breach primarily stems from direct costs such as compensation or litigation
costs rather than diminished market share or sales. Goode, Hoehle, Venkatesh, and Brown
(2017) assess the intention to repurchase product following data breaches at the Sony
PlayStation Network.
Several papers published in information security journals also assess the results of event
studies surrounding breaches. Pirounias, Mermigas, and Patsakis (2014) find that firms incur
negative statistically significant returns resulting from breaches and that technology firms tend
to incur higher costs in breaches than non‐technology firms. Schatz and Bashroush (2016) find
that no strong conclusions can be drawn relating the impact on the market value of multiple
data breaches. In an early work, Cavusoglu, Mishra, and Raghunathan (2004) find that the
breached firm lost an average 2.1% of market value within 2 days of the announcement of the
breach. Campbell, Gordon, Loeb, and Zhou (2003) in another early paper find that there is a
significant negative reaction to a breach when there is a loss of confidential information and no
significant market reaction when the breach does not involve confidential information. While
the prior papers find that there is generally a significant negative reaction to breaches, Kannan,
Rees, and Sridhar (2007) find no significant abnormal return around the breach date. Hovav
MICHEL ET AL.EUROPEAN
FINANCIAL MANAGEMENT
|
289
To continue reading
Request your trial