Study reveals when one company discloses an attack, its peers are seen as less attractive unless they do one thing
Cyber attacks and data breaches are among the most toxic things that can happen to a company today.
When an attack occurs, consumers and investors are understandably wary of the affected company but a new study also reveals that others in the same field are also impacted.
North Carolina State University researchers confirmed a ‘contagion effect’ that makes companies in the industry where a cybersecurity incident is reported less attractive to investors.
"Previous studies have found evidence of this 'contagion effect' in the wake of cybersecurity breaches," says Robin Pennington, co-author of a paper on the work and an associate professor of accounting in North Carolina State University's Poole College of Management. "However, to our knowledge, ours is the first to test the issue experimentally.
But along with confirming the contagion effect, the study also found that companies can limit the effect by being open about their cybersecurity risk management.
The experiment among non-professional investors saw participants given information about a fictitious company with some told about its cybersecurity risk management and some not.
They were asked to assess the company’s attractiveness and whether they would be likely to buy its stock.
Participants were then told a company in the same industry has suffered a cyber incident and asked again to rate the attractiveness of the first company and some were shown a press release that again referenced its cybersecurity risk management.
Researchers found that those investors who had been given information about cybersecurity risk management before and after the industry peer’s cyber incident were more likely to consider it attractive, although this was reduced.
The study also considered the ‘competition effect’, where investors believe that a cyber incident at one company will boost the investment attractiveness of competitors.
"We did see evidence of the competition effect with some investors in our study, but on average the contagion effect overwhelmed the competition effect," Pennington said.
The study concludes that companies would gain in terms of investment, where they voluntarily disclose cybersecurity risk management.
This week the Investment Funds Institute of Canada (IFIC) updated its Cybersecurity Guide for Canadian investment firms.
Research from @ncstatepoolemgt shows that companies that are open about their #cybersecurity risk management fare significantly better than peers that don't disclose their cybersecurity efforts. https://t.co/vRB8AaYPjq #CyberAware #ThinkAndDo pic.twitter.com/rVbwPyEWbN— NC State University (@NCState) October 29, 2019