The Pricing of Firm-Level Cybersecurity Risk in Financial Markets
Chris Florackis - University of Liverpool;
Christodoulos Louca - Cyprus University of Technology;
Roni Michaely - University of Geneva;
Michael Weber - University of Chicago
Cybersecurity risk is deemed to be one of the top global concerns for firms in developed countries, and rightly so, given the rapid increase in major cyber-attacks in recent years. Despite substantial investments in information systems security, firms remain highly exposed to cybersecurity risk, with a potential for damages to reach $10.5 trillion annually by 2025 (see Cybersecurity Ventures). These attacks and the prevention methods have been extensively studied in the literature, but an open question is whether a firm’s exposure to cybersecurity risk is priced in financial markets.
To address this question, our recent paper, “Cybersecurity Risk,” develops a firm-level measure of cybersecurity risk for all listed stocks in the US.
To construct the measure, we focus on firms that were subject to cyber-attacks and compare the wording and language in the “Item 1A. Risk Factors” section of the attacked firms’ 10-K annual reports with that of all other firms (this section provides information about the most significant risk factors for each firm, and is obtained from Edgar for 2007-2018). The firms identified as having been subject to the loss of personal information by hacking or malware-electronic entry in any given year serve as the training sample; we argue that these firms exhibit high cybersecurity risk. We then estimate the similarity of each firm’s cybersecurity-risk disclosure with past cybersecurity-risk disclosures of firms in the training sample (i.e., from the one-year period prior to the firm’s filing date). The higher the measured similarity between a sample firm’s cybersecurity-risk disclosure and those of firms in the training sample, the greater the exposure to cybersecurity risk.
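The scoring step described above can be sketched as follows. This is an added example, not code from the paper: the cosine metric over word counts, the averaging across training disclosures, the function names, and all texts and dates are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter
from datetime import date, timedelta

def term_vector(text):
    """Lower-cased word counts for one risk-factor disclosure."""
    return Counter(re.findall(r"[a-z]+", text.lower()))

def cosine(a, b):
    """Cosine similarity of two sparse count vectors (assumed metric)."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) \
        * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def cyber_risk_score(firm_text, filing_date, training, window_days=365):
    """Mean similarity (assumed aggregation) to attacked-firm disclosures
    filed in the one-year period before the firm's filing date."""
    start = filing_date - timedelta(days=window_days)
    prior = [txt for filed, txt in training if start <= filed < filing_date]
    if not prior:
        return None  # no training disclosures inside the look-back window
    firm_vec = term_vector(firm_text)
    return sum(cosine(firm_vec, term_vector(t)) for t in prior) / len(prior)

# Constructed training sample: (filing date, Item 1A excerpt) of attacked firms.
TRAINING = [
    (date(2016, 3, 1), "A breach of our network by hackers or malware could "
     "expose customer personal information and lead to litigation."),
    (date(2016, 9, 15), "Unauthorized access to our systems through hacking "
     "may result in loss of personal information and regulatory penalties."),
    # Filed more than one year before FILED, so it is ignored for that filing.
    (date(2013, 2, 1), "Cyber attacks could disrupt our information systems."),
]
# Constructed disclosures of two firms being scored.
HIGH = ("Hackers or malware could breach our systems and expose personal "
        "information of customers, leading to litigation.")
LOW = ("Fluctuations in commodity prices and adverse weather could reduce "
       "demand for our agricultural products.")
FILED = date(2017, 2, 20)

if __name__ == "__main__":
    print("high-exposure firm:", round(cyber_risk_score(HIGH, FILED, TRAINING), 3))
    print("low-exposure firm: ", round(cyber_risk_score(LOW, FILED, TRAINING), 3))
```

Because common words are not filtered out here, even the unrelated disclosure gets a small non-zero score; only the ordering of the two scores is meaningful in this sketch.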
Our measure is subjected to a number of validations: (1) firms that score high on the measure emphasize cybersecurity risk in their filings relative to low scoring firms; (2) high scoring firms provide more comprehensive disclosures around cybersecurity risk (litigation risk); (3) high-score firms actively manage cybersecurity risk exposure with real actions; (4) the measure shows an increasing trend over time consistent with increasing disclosure obligations and vulnerability to attacks; (5) it is higher in industries that are more reliant on technology; (6) it is correlated with firm characteristics that prior research has linked to cyber-attacks (e.g. size, growth, profitability, etc.); (7) cybersecurity risk exposure, once materialized, should induce negative asymmetry in stock returns; and (8) higher scoring firms are more likely to experience a future cyber-attack.
The most important property of the measure is the finding that firms with high exposure to cybersecurity risk outperform other firms by up to 8.3% p.a.; specifically, this is the return on a portfolio that is long stocks with high cybersecurity risk and short stocks with low cybersecurity risk. We confirm a statistically significant association between future stock returns and the cybersecurity risk measure, with cybersecurity risk predicting variation in returns up to 12 months into the future.
In conclusion, our study systematically analyses cybersecurity risk and its implications at the firm level. Using textual analysis techniques on US firms that file 10-K reports, we show that stocks with high exposure to cybersecurity risk exhibit high expected returns on average, but they perform poorly in periods of increasing attention to cybersecurity risk. These results ultimately support the predictions of asset-pricing theory that investors require compensation for bearing cybersecurity risk.