Cybersecurity breaches and cash holdings: Spillover effect

DOI: http://doi.org/10.1111/fima.12274
Published date: 01 June 2020
Author: Priya Garg
ORIGINAL ARTICLE
College of Management, University of Massachusetts, Boston, Massachusetts
Correspondence
Priya Garg, College of Management, University of Massachusetts, Boston, MA 02125.
Email: priya.garg001@umb.edu
Abstract
This paper shows that firms significantly increase cash holdings after they have experienced a cybersecurity attack, and this behavior persists for years. A cyberattack increases cash holdings from a base level of 23% of assets to 26.87%. Similar firms, defined by industry and geographical proximity, also increase their cash holdings. Suppliers of attacked firms are also affected. Overall, the results of this study indicate that the detrimental effects of a cybersecurity breach are not isolated to the attacked firms, and peer firms are quick to follow in taking precaution.
KEYWORDS
Cash holdings, cyberattacks, cybersecurity breaches, financial policies, spillover
1 INTRODUCTION
As managers recognize that cybersecurity hacks are one of the biggest threats they face in today’s technological era, they have been allocating resources to combat this issue. Regulatory authorities are stepping up both disclosure and corrective measures: in an effort to protect the information of European Union (EU) residents, the EU Parliament approved and adopted the General Data Protection convention in 2016, which came into effect in May 2018. This legislation affects all organizations within and outside of the EU that offer goods and services to or monitor the activities of EU residents. Noncompliance with the convention, such as untimely notification of breaches or inadequate impact assessment, will now result in a fine of up to 4% of global turnover or €20 million, whichever is larger.¹ This is in stark contrast to the cap set by the preceding regulation, the Data Protection Act 1998, which stood at £500,000.²
Indeed, firms have been taking drastic measures to ensure that cyber-risk is contained. After discovering a security issue that impacted more than 50 million of its users,³ Facebook reportedly approached multiple security companies in hopes of possibly acquiring them.⁴ Another example is when Target announced a breach of its customer database in the last quarter of 2013. Over the following months, the Credit Union National Association and Consumer Banks Association reported that the breach cost Target more than $200 million, with the company also committing $100 million in efforts to update its technology.⁵
The author is now affiliated with University of San Diego, California.
© 2019 Financial Management Association International
¹ https://eugdpr.org/the-regulation/.
² https://www.theguardian.com/technology/2018/jul/11/facebook-fined-for-data-breaches-in-cambridge-analytica-scandal.
³ https://newsroom.fb.com/news/2018/09/security-update/.
⁴ https://www.cnet.com/news/facebook-reportedly-shopping-for-a-cybersecurity-company/.
Financial Management. 2020;49:503–519. wileyonlinelibrary.com/journal/fima
Another risk a firm faces after a cyberattack is the possibility of being sued. In 2016, Target settled a lawsuit arising from the 2013 data breach after paying $18.5 million across 47 states. Nationwide Mutual Insurance Company and Allied Property and Casualty Insurance Company, collectively known as Nationwide, also settled a lawsuit arising from the 2012 data breach incident by agreeing to pay $5.5 million across 33 states.⁶
However, the effects of a data breach are not isolated to the firm being attacked. Equifax Inc., a consumer credit reporting agency, announced in September 2017 that it had suffered a massive breach, potentially compromising personal data of more than 140 million U.S. consumers.⁷ Following news of the breach, the chief executive of Fair Isaac’s Corp, another credit scoring business, explained the effects of this breach on his firm. While he stressed that the breach at Equifax did not compromise their operations, it prompted the company to hire a new chief information officer and increase its investment in cybersecurity.⁸
In this paper, I investigate whether and how cyberattacks affect firms’ cash holdings. I use Privacy Rights Clearinghouse (PRC) to identify firms that have been attacked from 2005 to 2017, as it collects data on public announcements by breached firms. In addition to public firms directly being attacked, I am also able to identify if a public firm’s unlisted subsidiary has been attacked.
I find that an attacked firm increases cash holdings after a data breach, from a base level of 23% of assets to 26.87%. This is consistent with prior literature that finds that firms are increasing cash holdings over time. This trend of building cash holdings persists for up to three years after the breach. When I discriminate between a parent firm and unlisted subsidiary being attacked, I find that a firm only increases cash holdings if a parent, visible firm has been breached. These results are also persistent years after an attack.
Next, I turn my attention to the impact of a data breach on peer firms’ cash holdings. Using multiple measures, I find that the data breach has a spillover effect: peer firms are found to increase cash holdings after a breach. Interestingly, I find that peer firms increase cash holdings even if the unlisted subsidiary of a similar firm has been breached. Additionally, I exploit customer-supplier links using Cohen and Frazzini’s (2008) framework to identify if suppliers also increase cash holdings after their major customer is breached. Congruent with major customers holding predictive power over supplier sales and operating income, I find that a cyberattack on a firm’s major customer results in the supplier increasing its own cash holdings relative to its peers. Last, using geographical proximity, I find that firms within a 100-mile radius of the headquarters of an attacked firm also increase their cash holdings subsequent to a data breach.
This study makes several contributions to the literature. First, it adds to the growing literature on cyberattacks. Prior literature on cyberattacks can be divided into three streams: determinants of such attacks, negative consequences of these attacks, and corrective measures after firms have been attacked. Trade secrets (Ettredge, Guo, & Li, 2018), audit quality (Higgs, Pinkser, Smith, & Young, 2016), and presence of inexperienced technology committees (Chichernea, Holder, Petkevich, & Robin, 2018) are directly related to the probability of a firm being attacked. Kamiya, Holder, Petkevich, and Robin (2018) report that after a firm is successfully attacked, it faces negative abnormal returns when this news is made public. They also find that sales growth decreases for attacked firms postbreach, and attacked firms increase board oversight toward such risks. With regard to market reaction, Mitts and Talley (2018) find that arbitrageurs do exploit advance knowledge of such firm vulnerabilities. They report significant levels of abnormalities in trading, measured in volume and open interest, prior to public announcements of breaches by attacked firms, indicating that arbitrageurs can profit off such information. For remedial actions, Nordlund (2018) finds that there are severe labor market outcomes for directors of attacked firms and that director experience at breached firms ultimately increases cybersecurity risk monitoring at interlocking firms.
⁵ https://www.ibtimes.com/timeline-targets-data-breach-aftermath-how-cybertheft-snowballed-giant-retailer-1580056.
⁶ http://cmmllp.com/cybersecurity-side-nationwide-settles-data-breach-lawsuit-spanning-33-states/.
⁷ https://www.wsj.com/articles/equifax-reports-data-breach-possibly-impacting-143-million-u-s-consumers-1504819765.
⁸ https://blogs.wsj.com/cio/2017/09/22/fico-chief-increases-cybersecurity-spending-after-equifax-breach/.
