Christos A. Makridis serves as an assistant research professor at Arizona State University.
Corporate data breaches have risen over the past fifteen years, with spectacular mega-breaches increasingly frequent and common. However, it is not clear how these breaches exact an economic consequence on the affected firms, aside from legal costs in the aftermath. Economic research has produced ambiguous estimates of how data breaches affect these firms’ share prices. One could even infer that based on shareholder response (or lack thereof), capital markets care little about corporate data protection.
My original research (summarized in a recent policy brief with the Foundation for Defense of Democracies) finds that publicly reported data breaches can actually improve the reputations of firms.
While the economics and finance literature generally produces ambiguous results when investigating the effects of data breaches on firm outcomes, the implications are significant for regulatory policy. If companies do not suffer consequences for cyber incidents, then they will have no reason to make more than a minimal investment to protect the data of their stakeholders, ranging from customers to suppliers. So far, publicly held companies do not appear to pay a steep price.
In a new working paper, I leveraged newly-licensed data from Tenet Partners measuring brand power and familiarity at a firm-level going back to 2001 for a wide array of publicly traded firms. Their index captures the sentiment among informed decision-makers in the marketplace about firm brands. After combining the data with information on firm employment, revenue, and capital expenditures on a sample of forty-three publicly traded firms, I estimated statistical models that compare the reputational outcomes after a data breach with its outcomes before the breach. Crucially, these comparisons were done for each firm, meaning that the analysis is not comparing systematically different firms. That is important since firms differ in many ways, so comparing one with another is not necessarily valid.
My main results suggest that an average firm’s brand power and familiarity increase by 22 percent and 13 percent, respectively, following a data breach. This could seem counterintuitive given the conventional view that negative publicity hurts brand value and firm performance. Nonetheless, there is some evidence that negative publicity can have positive effects. For example, negative press can actually elevate a firm’s public profile if it is not well-known. This is consistent with the old adage, “any publicity is good publicity.”
However, data breaches have a tipping point. When restricting the sample to the largest and most spectacular data breaches, brand power declines by 17 percent and familiarity declines by 16 percent. Moreover, when focusing on firms with a larger public profile, there is an even greater decline of 26 percent and 18 percent in brand power and familiarity, respectively. This would indicate that better-known brands are more sensitive to positive and negative media.
Although data breaches have become more common, businesses are not always making the necessary cybersecurity investments to keep pace with the growing danger. While many publicly traded companies are exposed to significant cyber risk, these results suggest that firms choose to under-invest in their security infrastructure if the economic consequences are not severe.
To address this underinvestment, Congress should create a national and harmonized data breach notification law. While nearly all states now have their own version of data breach notification laws, they differ in meaningful ways. Because publicly traded companies often operate in some capacity across all U.S. states and territories, the lack of a clear and unified national standard creates uncertainty and fragmentation. Similar to the suggestion by the congressionally chartered Cyberspace Solarium Commission, the federal government could establish a minimum standard that individual states would adhere to and volunteer to enhance.
While such a law should standardize reporting, it is still likely to fall short of the reforms needed to internalize the costs of malicious cyber threats. Two recommendations build upon it.
First, procurement policies for federal contractors and defense companies should be enhanced. The federal government has significant purchasing power, which it can leverage to improve cybersecurity best practices in the private sector by requiring contractors to maintain a baseline of cybersecurity precautions and performance. While the government should not be in the business of micro-managing, it is reasonable to set performance standards, particularly with defense companies, to ensure improvements across the contractor community. Since supply chains are inherently interconnected, a change in policy for defense companies could generate important ripple effects across other industries that lead to the adoption of new best practices.
Second, the U.S. government should maintain a secure national database of malicious cyber incidents for research. While several existing databases track data breaches and other malicious cyber incidents, the data are insufficient for serious research that can benefit U.S. businesses. Current data either omit firm names or overlook certain malicious cyber incidents, making it tough to build predictive models that relate malicious attacks with financial outcomes. The National Cyber Investigative Joint Task Force already has a strong record in working to “coordinate, integrate, and share information to support cyber threat investigations, supply and support intelligence analysis for community decision-makers, and provide value to other ongoing efforts in the fight against the cyber threat to the nation.” This successful interagency structure could provide a model for securely sharing data on malicious cyber incidents, including granular information about both the exposed firm and the attacker.
Parts of the piece are excerpted from the version on the Foundation for Defense of Democracies website, together with three policy recommendations.