It's a headline that dominates our tech-driven world: A major company suddenly must warn its customers that their data may have been compromised in a cyberattack. Names, addresses, even credit card and Social Security numbers are seemingly up for grabs in a constant game of digital cops and robbers.
While affected companies around the globe stand to lose an average of $3.86 million per intrusion, at least one person affected by a cybersecurity breach generally makes out just fine, according to a newly released Warwick Business School study – the CEO.
"Firms that suffer a data breach do not typically respond by firing the management, but by investing more in the existing CEO," said Dr. Daniele Bianchi, assistant professor of finance at Warwick Business School.
Higher investment in management
The study, titled Cyber Attacks and Stock Market Activity and co-authored by Dr. Onur Tosun, looked into the data breaches of 41 publicly traded U.S. companies with an average size of $35.4 billion that took place between 2004 and 2016. The duo reportedly focused on breaches that made the news, including those that featured "stolen hardware, insider attacks, poor security and hacking."
Despite the hit to a company's stock market value following an attack, Bianchi and Tosun report that the average CEO's pay increased. During the study's five-year window, the average CEO's pay and benefits package at companies that were not affected by a cyberattack decreased by $2 million per year.
"At first sight, these results may look puzzling," Bianchi said. "However, they are consistent with the idea that the average response is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered."
Lower dividends and less R&D
In the days that followed most breaches, the study found that affected companies felt an immediate sting on Wall Street. While share value and liquidity "dropped significantly" the day news of a data breach was made public, the immediate backlash generally subsided after two days, according to the study.
Where the biggest impact was usually felt, officials said, was in how the companies operated, as they "typically paid lower dividends and invested less in research and development" over the five years following a cyberattack.
"Incidents of security breaches that reveal sensitive and confidential information can lead to litigation and government sanctions, but also to a loss of competitive edge against competitors through a reduction of resources dedicated to R&D, dividend payments, or investments more generally," Tosun said.
It's for this reason, Tosun explained, that affected companies were often reticent to reveal a data breach until days or weeks after the initial attack. Tighter regulations, however, mean companies are forced to announce when a data breach occurs within 72 hours.
"Companies are often reluctant to reveal information about security breaches due to fear of both short-term and long-term market reactions," Tosun said. "Cybersecurity will therefore become an increasingly important consideration for companies to avoid the damaging fallout once a breach is made public."