For Immediate Release
Research finds that when one company experiences a cybersecurity breach, other companies in the same field also become less attractive to investors. However, companies that are open about their cybersecurity risk management fare significantly better than peers that don’t disclose their cybersecurity efforts.
“Previous studies have found evidence of this ‘contagion effect’ in the wake of cybersecurity breaches,” says Robin Pennington, co-author of a paper on the work and an associate professor of accounting in North Carolina State University’s Poole College of Management. “However, to our knowledge, ours is the first to test the issue experimentally. We not only confirmed the contagion effect, but found that there are clear steps companies can take to reduce its impact. Specifically, companies would be well advised to implement the voluntary reporting guidelines from the AICPA on disclosing cybersecurity efforts.”
To explore issues pertaining to the contagion effect, researchers conducted a study with 120 nonprofessional investors. In the study, participants were given information about a fictional company, which we’ll call Company A. Some of the participants were also told briefly about Company A’s cybersecurity risk management program. Participants were then asked to give an initial assessment of the attractiveness of investing in Company A, as well as the likelihood of purchasing stock in the company.
Study participants were then told that one of Company A’s peers was the victim of a cybersecurity breach. Participants were then asked to give a revised assessment of Company A’s attractiveness and the likelihood of investing in it. Participants were then given a news release from Company A. Some participants received a version of the release that included a reference to Company A’s cybersecurity risk management program. Study participants were then asked to give a final assessment of Company A’s attractiveness and the likelihood of purchasing stock in it.
The researchers found that companies who disclosed cybersecurity risk management efforts both before and after a competitor’s breach fared the best.
“While the company suffers some decline in attractiveness after the breach, on average it suffers the least if it discloses its cybersecurity risk management program, in a way that is similar to the AICPA’s voluntary reporting guidelines,” Pennington says.
The researchers also analyzed the study data to ascertain the impact of another effect, called the “competition effect,” which has previously been associated with cybersecurity breaches in archival research. In this context, the competition effect is when investors see a cybersecurity breach at one company as an advantage for that company’s competitors – making those competitors more attractive to investors.
“We did see evidence of the competition effect with some investors in our study, but on average the contagion effect overwhelmed the competition effect,” Pennington says.
“Our study offers experimental evidence for both the contagion and competition effects, as well as their relative strengths,” Pennington says. “But I think the takeaway here is that there are very real advantages to voluntarily disclosing cybersecurity risk management efforts, as the AICPA suggests. This is not a purely theoretical exercise – it can affect your company’s appeal to investors.”
The paper, “Do voluntary disclosures mitigate the cybersecurity breach contagion effect?” is published in the Journal of Information Systems. Corresponding author of the paper is Andrea Seaton Kelton of Middle Tennessee State University.
Note to Editors: The study abstract follows.
“Do voluntary disclosures mitigate the cybersecurity breach contagion effect?”
Authors: Andrea Seaton Kelton, Middle Tennessee State University; Robin R. Pennington, North Carolina State University
Published: Oct. 22, Journal of Information Systems
Abstract: In this study, we investigate the negative impact of a cybersecurity breach on a bystander (i.e., non-breached) firm in the same industry, referred to as investment contagion effects, and whether voluntary cybersecurity disclosures mitigate these effects. Using an experiment with nonprofessional investors, we provide strong evidence of investment contagion effects. However, we also find a portion of investor participants perceive the breach as positive news for the bystander firm, a phenomenon known as competition effects. Our evidence suggests contagion effects are dominate over competition effects, and cybersecurity disclosures provided prior to the breach announcement attenuate contagion effects. Additionally, we find cybersecurity disclosures provided subsequent to the breach announcement can reduce the magnitude of investment contagion effects. Our study informs standard setters and firms as we find some evidence that voluntary disclosures are effective in lessening investment contagion effects.