Corporate Innovation in the Age of Cyber Threats

Firms’ increasing reliance on information technologies has reshaped the global economy and disrupted entire industries while also presenting new and rapidly evolving sources of risk. Recent successful cyberattacks have harmed consumers, shareholders, and market professionals, often resulting in the illegal appropriation of corporate trade secrets like blueprints, chemical formulas, and customer information (Rowe (2016)). Yet, despite the widespread recognition of these emerging threats, little is known about their effects on corporate innovation, limiting policymakers’ ability to assess their economic consequences and to develop appropriate responses.

In a new study, we provide much needed empirical evidence of how such threats are changing the level of and return on research and development (R&D) and firms’ reliance on trade secrets

To measure firms’ exposure to cybersecurity risk, we use textual analysis to scan 10-K filings for commonly used cybersecurity terms developed by the National Initiative for Cybersecurity Careers and Studies (NICCS), and all the phrases included in Gordon et al. (2010). The immediate interpretation of this proxy is straightforward: Higher values of this metric identify firms disclosing more cyber-related information in their 10-K filings. By conducting both qualitative and quantitative analyses, we document that a 10-K-based measure of cybersecurity risk successfully predicts data breaches and is characterized by economically reasonable time-series and cross-industry distributions.

The availability of a valid proxy for firms’ ex-ante exposure to cybersecurity risk allows us to document that, while firms’ investments in R&D are unrelated to cybersecurity risk, their innovation strategies are heavily affected by the existence and extent of these threats. In particular, we show that managers react by adjusting their innovation policies to protect their intangible capital with patents and similar mechanisms to hedge against the risk of a data breach.

These results suggest that the existing regulatory framework is sufficient protection against intellectual property theft having their intangible capital stolen by domestic or international rivals. Yet we also document that the rise of cybersecurity risk causes firms to file for simpler patents to accelerate their innovation cycle (Popp, Juhl, and Johnson (2004)), ultimately achieving lower R&D-investment returns (Knott (2008)). Indeed, by “over-patenting,” managers disseminate material information about their current innovation activities, reducing the cost for low-innovation firms to follow the industry leaders’ growth strategy (Johnson and Popp (2001)). Regulators’ concerns about the potential negative effects of cybersecurity threats are thus at least partially justified, as our results suggest that existing trade-secret protection laws might be ineffective – or insufficient – to sustain the profitability of R&D investments.

All in all, we document that firms react to changes in their ex-ante exposure to cybersecurity risk, and we show for the first time that the digitalization of the U.S. economy is changing how firms innovate. As cybersecurity risk increases, a firm’s ability to keep trade secrets secret declines. Consequently, firms’ reliance on patents significantly increases, causing both greater information dissemination and reduced incentives to be innovative market leaders, as free-riding issues become significantly more pronounced in a transparent environment.

This post comes to us from Professor Gabriele Lattanzio at Southern Methodist University and Yue Ma, a PhD candidate at the University of Oklahoma. It is based on their recent paper, “Corporate Innovation in the Cyber Age,” available here.