Do Firms Under-Report Information on Cyber-Attacks?

A cyber-attack is a risk that every firm must manage. Prior studies raised doubts about how harmful cyber-attacks actually are. In particular, studies used the market reaction to cyber-attacks to show that they cause only small losses that decrease over time. These studies conjecture that as news media increasingly report that data breaches cause relatively minor damage, investors will lower their assessment of the costs of data breaches.

Most prior studies, however, rely almost entirely on cyber-attacks that were disclosed by firms. In contrast, we collect data on cyber-attacks from different sources and distinguish between cyber-attacks that were voluntarily disclosed and those that were hidden from investors and later independently discovered. We find that in the latter cases, the market reaction is negative and significant. These results suggest cyber-attacks that are unknown to investors are more likely to be severe, and that the market reaction reported in prior studies understates the damage cyber-attacks cause firms.

SEC disclosure guidelines require registrants to disclose information on cyber-attacks that materially damage their businesses. However, because investors are unable to discover most cyber-attacks independently, and because managers often have incentives to withhold negative unobservable information from investors, firms may under-report cyber-attacks. The most common reason for not disclosing is immateriality – firms often argue that since the attack had an immaterial effect, disclosure is not required. However, the true reason for non-disclosure is probably litigation; disclosure of cyber-attacks is almost automatically followed by lawsuits.

We estimate the extent to which publicly traded firms withhold information on cyber-attacks. We identify cyber-attacks that firms disclosed and attacks that were hidden and later independently discovered by sources outside the attacked firm. We then use the differential market reaction to these attacks to estimate the extent of under-reporting.

A review of data on cyber-attacks between 2010 and 2015 suggests many disclosures on cyber-attacks are made after investors discover the attack. Data breaches are revealed to the market, for example, by customers whose information was stolen or by the hackers themselves. For example, Target, the U.S. retailer, experienced a data breach involving millions of its customers’ credit and debit cards, and after customers and credit card companies revealed the breach, the firm confirmed it. In some cases, the hackers themselves may reveal the breach to the public. For example, hackers breached the LinkedIn network in 2013 and stole a database containing 6.5 million users’ encrypted passwords. The hackers later publicized the attack, hoping to receive help from fellow hackers in cracking these encrypted passwords. After the hackers published the passwords, LinkedIn acknowledged the data breach. In addition, the 300 or so cyber-attacks that public companies disclosed during that period seems low in comparison with the thousands of attacks reported by independent sources. For example, a report by Verizon in 2015 argues that more than 20,000 data breaches occurred in the U.S. private sector during the period.

The extent to which information is withheld is unobservable, and we are aware only of data breaches that are eventually revealed either by the attacked firms or by sources outside the firm. We estimate the extent of withholding from the market reaction to revealed attacks, where market reaction serves as a proxy for the damage caused by cyber-attacks. We find that in cases where the firms immediately disclosed the cyber-attack, equity values declined by 0.3 percent, on average, in the three days after disclosure and by 0.72 percent in the month after disclosure. In comparison, the decline in market values was much larger in cases where firms did not disclose the attack and parties outside the firm later discovered the attack: 1.5 percent in the three days after the discovery of the attack, and 3.56 percent in the month after discovery. These findings suggest firms hide more severe cyber-attacks from investors. From the differential market reaction to disclosed and hidden attacks, we estimate that managers disclose cyber-attacks when there’s a 40 percent chance that investors already believe that an attack has occurred; when uncertainty about the existence of a cyber-attack is higher, managers withhold the information.

Using alternative estimates of damage caused by cyber-attacks, we also find that companies hide the occurrence of more severe attacks. Specifically, we use damage estimates released by the attacked firms and an objective index that measures the severity of cyber-attacks based on type of data breached, the number of records stolen, and the source of the breach. Both damage estimates show that firms fail to disclose more severe attacks but not less serious ones.

As evidence of the link between corporate characteristics and the likelihood that an attack will be disclosed, we find that non-disclosing firms have less analyst coverage, weaker corporate governance, and lower litigation risk than disclosing firms. Investors follow more closely firms with greater analyst coverage, and the chance of discovery in these firms is higher. In addition, firms with stronger governance are less likely to conceal negative news from their investors. Specifically, firms with less entrenched management and fewer material weaknesses reported under Section 404 of the Sarbanes-Oxley Act are more likely to disclose information on cyber-attacks. Using membership in the hi-tech industry as a proxy for high litigation risk, we find disclosing firms are more likely than non-disclosing firms to be in hi-tech industries. The high risk of litigation increases the cost of withholding information, making disclosure more attractive.

We contribute to the literature that examines corporate decisions on when to disclose bad news. Prior studies found that firms warn investors of upcoming negative earnings surprises, delay the adoption of new accounting standards with negative financial effects, and delay earnings announcements that contain, on average, bad news. Prior studies also found that the magnitude of negative stock-price reaction to bad news is greater than the magnitude of positive stock-price reaction to good news, suggesting that managers accumulate and withhold bad news up to a certain threshold but leak and immediately reveal good news. While firms cannot indefinitely delay the announcement of earnings or most other significant information, unreported cyber-attacks will likely never be revealed to investors. In addition, for cyber-attacks that are eventually revealed, the data indicate when the firm first learned of the attack, and therefore whether information withholding occurred. This setting and data enable us to distinguish between cases of disclosing and withholding and show that managers withhold more negative information and voluntarily disclose less severe attacks.

Our findings are consistent with the under-reporting of cyber-attacks. If regulators wish to ensure information on cyber-attacks reaches investors, they should consider tightening disclosure requirements. At the request of Congress, the SEC is revising cyber-security disclosure rules and requiring publicly owned companies to disclose more about their cyber-security and data breaches.

This post comes to use from professors Eli Amir and Shai Levi at Tel Aviv University and Tsafrir Livne, a PhD candidate at the University of North Carolina, Chapel Hill. It is based on their recent article, “Do Firms Underreport Information on Cyber-Attacks? Evidence from Capital Markets,” available here.