No protection, nu business : An event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the USA

With the surge of Internet-based corporate communication, organization, andinformation management, financial markets have undergone radical transformation. Inthe interconnected economy of today, market participants are forced to acceptcyberattacks, data breaches, system failures, or security flaws a...

Full description

Bibliographic Details
Main Authors: Collin, Erik, Juntti, Gustav
Format: Others
Language:English
Published: Umeå universitet, Företagsekonomi 2016
Subjects:
Online Access:http://urn.kb.se/resolve?urn=urn:nbn:se:umu:diva-123549
id ndltd-UPSALLA1-oai-DiVA.org-umu-123549
record_format oai_dc
spelling ndltd-UPSALLA1-oai-DiVA.org-umu-1235492016-07-07T05:07:38ZNo protection, nu business : An event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the USAengCollin, ErikJuntti, GustavUmeå universitet, FöretagsekonomiUmeå universitet, Företagsekonomi2016stock volatilitycyberattackabnormal returnvolatilityevent studyinformation technologyUS stock marketcybersecurityreactionfinancial impactmarket efficiencyfinancefintechWith the surge of Internet-based corporate communication, organization, andinformation management, financial markets have undergone radical transformation. Inthe interconnected economy of today, market participants are forced to acceptcyberattacks, data breaches, system failures, or security flaws as any other (varying)cost of doing business. While cyberspace encompasses practically any firm indeveloped economies and a large portion in developing ones, combatting such risks isdeemed a question of firm-specific responsibility: the situation resembles an ‘every manfor himself’ scenario. Consulting standard financial theory, rational utility-maximizinginvestors assume firm-specific (idiosyncratic) risk under expectations of additionalcompensation for shouldering such risk – they are economically incentivized. The omnipresence of cyberattacks challenges fundamental assumptions of the CapitalAsset Pricing Model, Optimal Portfolio Theory, and the concept of diversifiability. Thethesis problematizes underlying rationality notions by investigating the effect of acyberattack on stock volatility. Explicitly, the use of stock volatility as a proxy for riskallows for linking increased volatility to higher risk premiums and increased cost ofcapital. In essence, we investigate the following research question: What is the effect ofa disclosed cyberattack on stock volatility for firms listed in the USA?. Using event study methodology, we compile a cyberattack database for events between2010 and 2015 involving 115 firms listed on US stock exchanges. The specified timeperiod cover prevailing research gaps; due to literature paucity the focus on volatilityfits well. For a finalized sample of 189 events, stock return data is matched to S&P500index return data within a pre-event estimation window and a post-event window tocalculate abnormal returns using the market model. The outputs are used to estimateabnormal return volatility before and after each event; testing pre and post volatilityagainst each other in significance tests then approximates the event-induced volatility.Identical procedures are performed for all subsamples based on time horizon, industrybelonging, attack type, firm size, and perpetrator motivation. The principal hypothesis, that stock volatility is significantly higher after a cyberattack,is found to hold within both event windows. Evidence on firm-specific characteristics ismore inconclusive. In the long run, inaccessibility and attacks on smaller firms seem torender significantly larger increases in volatility compared to intrusion and attacks onlarger firms; supporting preexisting literature. Contrastingly, perpetrator motive appearsirrelevant. Generally, stocks are more volatile immediately after an attack, attributableto information asymmetry. For most subsamples volatility seem to diminish with time,following the Efficient Market Hypothesis. Summing up, disparate results raisequestions of the relative importance of contingency factors, and also about futuredevelopments within and outside academic research. Student thesisinfo:eu-repo/semantics/bachelorThesistexthttp://urn.kb.se/resolve?urn=urn:nbn:se:umu:diva-123549application/pdfinfo:eu-repo/semantics/openAccess
collection NDLTD
language English
format Others
sources NDLTD
topic stock volatility
cyberattack
abnormal return
volatility
event study
information technology
US stock market
cybersecurity
reaction
financial impact
market efficiency
finance
fintech
spellingShingle stock volatility
cyberattack
abnormal return
volatility
event study
information technology
US stock market
cybersecurity
reaction
financial impact
market efficiency
finance
fintech
Collin, Erik
Juntti, Gustav
No protection, nu business : An event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the USA
description With the surge of Internet-based corporate communication, organization, andinformation management, financial markets have undergone radical transformation. Inthe interconnected economy of today, market participants are forced to acceptcyberattacks, data breaches, system failures, or security flaws as any other (varying)cost of doing business. While cyberspace encompasses practically any firm indeveloped economies and a large portion in developing ones, combatting such risks isdeemed a question of firm-specific responsibility: the situation resembles an ‘every manfor himself’ scenario. Consulting standard financial theory, rational utility-maximizinginvestors assume firm-specific (idiosyncratic) risk under expectations of additionalcompensation for shouldering such risk – they are economically incentivized. The omnipresence of cyberattacks challenges fundamental assumptions of the CapitalAsset Pricing Model, Optimal Portfolio Theory, and the concept of diversifiability. Thethesis problematizes underlying rationality notions by investigating the effect of acyberattack on stock volatility. Explicitly, the use of stock volatility as a proxy for riskallows for linking increased volatility to higher risk premiums and increased cost ofcapital. In essence, we investigate the following research question: What is the effect ofa disclosed cyberattack on stock volatility for firms listed in the USA?. Using event study methodology, we compile a cyberattack database for events between2010 and 2015 involving 115 firms listed on US stock exchanges. The specified timeperiod cover prevailing research gaps; due to literature paucity the focus on volatilityfits well. For a finalized sample of 189 events, stock return data is matched to S&P500index return data within a pre-event estimation window and a post-event window tocalculate abnormal returns using the market model. The outputs are used to estimateabnormal return volatility before and after each event; testing pre and post volatilityagainst each other in significance tests then approximates the event-induced volatility.Identical procedures are performed for all subsamples based on time horizon, industrybelonging, attack type, firm size, and perpetrator motivation. The principal hypothesis, that stock volatility is significantly higher after a cyberattack,is found to hold within both event windows. Evidence on firm-specific characteristics ismore inconclusive. In the long run, inaccessibility and attacks on smaller firms seem torender significantly larger increases in volatility compared to intrusion and attacks onlarger firms; supporting preexisting literature. Contrastingly, perpetrator motive appearsirrelevant. Generally, stocks are more volatile immediately after an attack, attributableto information asymmetry. For most subsamples volatility seem to diminish with time,following the Efficient Market Hypothesis. Summing up, disparate results raisequestions of the relative importance of contingency factors, and also about futuredevelopments within and outside academic research.
author Collin, Erik
Juntti, Gustav
author_facet Collin, Erik
Juntti, Gustav
author_sort Collin, Erik
title No protection, nu business : An event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the USA
title_short No protection, nu business : An event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the USA
title_full No protection, nu business : An event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the USA
title_fullStr No protection, nu business : An event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the USA
title_full_unstemmed No protection, nu business : An event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the USA
title_sort no protection, nu business : an event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the usa
publisher Umeå universitet, Företagsekonomi
publishDate 2016
url http://urn.kb.se/resolve?urn=urn:nbn:se:umu:diva-123549
work_keys_str_mv AT collinerik noprotectionnubusinessaneventstudyonstockvolatilityreactionstocyberattacksbetween2010and2015forfirmslistedintheusa
AT junttigustav noprotectionnubusinessaneventstudyonstockvolatilityreactionstocyberattacksbetween2010and2015forfirmslistedintheusa
_version_ 1718339333702811648