Risk management, firm reputation, and the impact of successful cyberattacks on target firms
We develop a model where a firm has an optimal exposure to cyber risk. With rational, fully informed agents and with no hysteresis, a successful cyberattack should have no impact on a financially unconstrained target's reputation and post-attack policies. In contrast, when a successful attack i...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Other Authors: | |
| Format: | Article |
| Language: | English |
| Published: |
2021
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/152432 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| id |
sg-ntu-dr.10356-152432 |
|---|---|
| record_format |
dspace |
| spelling |
sg-ntu-dr.10356-1524322023-05-19T07:31:15Z Risk management, firm reputation, and the impact of successful cyberattacks on target firms Kamiya, Shinichi Kang, Jun-Koo Kim, Jungmin Milidonis, Andreas Stulz, René M. Nanyang Business School Business::Information technology Cyber Risk Cyberattack We develop a model where a firm has an optimal exposure to cyber risk. With rational, fully informed agents and with no hysteresis, a successful cyberattack should have no impact on a financially unconstrained target's reputation and post-attack policies. In contrast, when a successful attack involves the loss of personal financial information, there is a significant shareholder wealth loss, which is much larger than the attack's out-of-pocket costs. This excess loss is higher when the attack decreases sales growth more and lower when the board pays more attention to risk management before the attack. Further, an attack decreases a firm's risk appetite, as it beefs up its risk management and information technology and decreases the risk-taking incentives of management. Finally, successful cyberattacks adversely affect the stock price of firms in the target's industry. These results imply that successful attacks with personal financial information loss provide adverse information about cyber risk to target firms, their stakeholders, and their competitors. Accepted version 2021-08-13T02:23:29Z 2021-08-13T02:23:29Z 2020 Journal Article Kamiya, S., Kang, J., Kim, J., Milidonis, A. & Stulz, R. M. (2020). Risk management, firm reputation, and the impact of successful cyberattacks on target firms. Journal of Financial Economics, 139(3), 719-749. https://dx.doi.org/10.1016/j.jfineco.2019.05.019 0304-405X https://hdl.handle.net/10356/152432 10.1016/j.jfineco.2019.05.019 2-s2.0-85079172470 3 139 719 749 en Journal of Financial Economics © 2020 Elsevier B.V. All rights reserved. This paper was published in Journal of Financial Economics and is made available with permission of Elsevier B.V. application/pdf |
| institution |
Nanyang Technological University |
| building |
NTU Library |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
NTU Library |
| collection |
DR-NTU |
| language |
English |
| topic |
Business::Information technology Cyber Risk Cyberattack |
| spellingShingle |
Business::Information technology Cyber Risk Cyberattack Kamiya, Shinichi Kang, Jun-Koo Kim, Jungmin Milidonis, Andreas Stulz, René M. Risk management, firm reputation, and the impact of successful cyberattacks on target firms |
| description |
We develop a model where a firm has an optimal exposure to cyber risk. With rational, fully informed agents and with no hysteresis, a successful cyberattack should have no impact on a financially unconstrained target's reputation and post-attack policies. In contrast, when a successful attack involves the loss of personal financial information, there is a significant shareholder wealth loss, which is much larger than the attack's out-of-pocket costs. This excess loss is higher when the attack decreases sales growth more and lower when the board pays more attention to risk management before the attack. Further, an attack decreases a firm's risk appetite, as it beefs up its risk management and information technology and decreases the risk-taking incentives of management. Finally, successful cyberattacks adversely affect the stock price of firms in the target's industry. These results imply that successful attacks with personal financial information loss provide adverse information about cyber risk to target firms, their stakeholders, and their competitors. |
| author2 |
Nanyang Business School |
| author_facet |
Nanyang Business School Kamiya, Shinichi Kang, Jun-Koo Kim, Jungmin Milidonis, Andreas Stulz, René M. |
| format |
Article |
| author |
Kamiya, Shinichi Kang, Jun-Koo Kim, Jungmin Milidonis, Andreas Stulz, René M. |
| author_sort |
Kamiya, Shinichi |
| title |
Risk management, firm reputation, and the impact of successful cyberattacks on target firms |
| title_short |
Risk management, firm reputation, and the impact of successful cyberattacks on target firms |
| title_full |
Risk management, firm reputation, and the impact of successful cyberattacks on target firms |
| title_fullStr |
Risk management, firm reputation, and the impact of successful cyberattacks on target firms |
| title_full_unstemmed |
Risk management, firm reputation, and the impact of successful cyberattacks on target firms |
| title_sort |
risk management, firm reputation, and the impact of successful cyberattacks on target firms |
| publishDate |
2021 |
| url |
https://hdl.handle.net/10356/152432 |
| _version_ |
1772827595111399424 |