Information security breaches and IT security investments: Impacts on competitors

https://doi.org/10.1016/j.im.2018.11.003

Abstract

In the current business climate, a firm’s information systems security is no longer independent from the industry’s broader security environment. A question arises, then, whether stock market values reflect the interdependence of security breaches and investments. In this paper, we used the event study methodology to investigate how a firm’s security breaches and IT security investments influence its competitors. We collected and reviewed 118 information security breaches and 98 IT security investment announcements from 2010 to 2017. We found substantial evidence supporting our hypothesis that information security breaches do, indeed, have a competition effect: when one firm is breached, its competitors have opportunities to absorb market power. For the IT security investment announcements, however, we observed positive externalities, or a contagion effect, in play: market investors feel that the security investments made by one firm increase the security level of the entire network, and hence competitors also benefit. Additionally, we found that the competition effect was higher when the breaches occurred after preceding security investments than when there were no preceding investments before the breaches.

Introduction

Presently, a firm’s information system security is no longer independent from the security environment of the industry as a whole. According to a Ponemon Institute [1] study, US firms reported the highest average cost per information security breach at $15 million. Furthermore, cyberattacks become costlier the longer they remain undetected and unaddressed. Ponemon reported an average of 46 days, at a cost of $21,155 per day, to detect and resolve a cyberattack. Failure to implement or maintain information security mechanisms can influence a business’s bottom line owing to lost customer confidence and brand switching.

Recent high-profile information security breaches have also raised concerns for the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB), thus leading them to consider whether firms should be required to disclose potential threats and the consequences of information security breaches, such as reputation loss or even the continuity of business operations. Such operational uncertainties and/or concerns about continuity increase the firm’s risks and generate negative market consequences.

In 2013, Target was the victim of a severe information security breach involving the release of millions of customers’ credit and debit card numbers, making them vulnerable to theft. With customer information compromised, Target paid $10 million in a settlement resulting from a class-action lawsuit. As a result of the Target data breach, the retailer had to pay an additional $162 million to update its information security and to get the firm back on track. In fact, Target lost an estimated 2–10% in market share, and its profits plummeted following the data breach: sales dropped by 5.3% in the fourth quarter of 2013 when the breach occurred, and its profits fell by 46%. Profits continued to fall in early 2014 owing to continuing customer reluctance to shop at Target.

The wide-ranging impacts of information security breaches on the breached firms are clear. What, then, are the impacts on their competitors? Do they benefit from the breached firm’s sufferings? If Target’s once loyal customers begin making purchases from its competitors such as Amazon and Walmart, then one might expect that Target’s security breach would affect the competitors positively. The story, however, might not be that simple. Customers may start to distrust shopping malls in general, suspecting that other firms would have similar security problems. An interconnected Internet also makes the issue more complicated. It is well known that the LinkedIn security breach in 2012 allowed Mark Zuckerberg’s Facebook account to be hacked in 2016 because, like many Internet users, he had been using the same password for different accounts. This incident offers a simple example to show how one firm’s security breach might be bad news for other firms as well.

Aware of this type of security threat from an interconnected network, firms are trying to find ways to minimize the potential negative side effects from a competitor’s security breach. For example, after the Target breach, Karenann Terrell, Walmart’s CIO, emphasized the need for continuous testing and enhanced security of networks because “single points of failure anywhere can have really drastic effects, and the ability for an attack to go undetected for a period of time just exponentially increases the damage that can occur.”

Approximately 6 months after Target’s massive data breach became public, Gartner’s (2015) survey indicated that worldwide spending on information security reached an estimated $71.1 billion in 2014, a 7.9% increase over 2013. In 2015, total information security spending continued to grow a further 8.2%, reaching $76.9 billion. Firms are becoming increasingly aware of the need to invest in sound security systems capable of securing valuable firm data. For example, Home Depot is spending billions of dollars to upgrade its registers to accept chip-enabled cards, whereas after the attack on Sony, the company hired the independent security contractor FireEye to assess the damage and help clean up its systems. Anecdotal evidence suggests that many other competitors have also been affected and motivated to action by recent information security breach incidents, leading to an overall increase in IT security investments. With today’s interwoven networks, however, more information security investments do not necessarily guarantee better security.

Our research takes up this question of the impact on competitors of an individual firm’s efforts to ensure information security in an environment of interwoven networks. We examined the following research questions: Are the security risks of a firm affected by competitors’ security-related activities (or events)? If so, would this interdependence of security events be captured in market value? To answer these questions, we used the event study methodology to investigate how security breaches and IT security investment announcements influence other competitors. We further examined firm-level characteristics such as industry and size effects that might have contributed to the security breach and IT security investments. We also compared the effect on competitors based on the timing of the breaches and security investments.

Our paper contributes to the literature in several ways. First, this study extends the literature on the economic consequences of security breach announcements or IT security investment announcements [[2], [3], [4], [5], [6]] by looking at the impact on the competitors. As firms compete with their industry peers in the same product market, they serve as benchmarks for each other in their relative performance evaluation and are exposed to similar technology shocks. Hence, investors are likely to pay attention to both a firm and its competitors. However, prior research papers mostly focused on the direct effects of security-related announcements or on their suppliers only [2,3,[7], [8], [9]].

Hinz et al. [10] were the first to examine the impact on competitors using an event study method. In this sense, our work is in line with their study. However, Hinz et al. [10] paid attention mostly to the information transfer effect on the competitors without looking at the negative or positive externalities. Moreover, their work was limited to a small number of data theft announcements, and the target category was the electronics industry only. Thus, comparison by industry type was not possible. In contrast, our work includes other types of security breaches as well as IT security investment announcements. Therefore, our study provides more generalizable results regarding security issues on competitors. To the best of our knowledge, this is the first comprehensive study that attempts to examine the market reactions not only of firms announcing security issues, but also of their competitors.

Second, our study extends the growing literature on information security risk management [11,12] by analyzing IT security investments in pre- and post-security breach incidents. After several high-profile breaches (e.g., Target, Yahoo!, Sony, etc.), the importance of IT security investments has come to be more widely recognized by managers. Consistent with this notion, we further investigated how IT security investment decisions by breached firms and competitors affect market value. In doing so, our study enables managers to make better decisions by providing a richer understanding of the impact of security breaches and investments.

Section snippets

Event study on security issues

A considerable body of research has explored various issues related to information security risk management, such as information security investments [13,14], institutional influence on innovation [15], and security policy [15]. Another line of study focuses on market consequences of information security-related disclosures [8,16] and security breach announcements [[2], [3], [4], [5], [6],10,16,17]. Among all AIS event studies, we did include the event study by focusing on “security breaches

Own firm effects

Prior event studies showed that information security breaches have significantly negative effects on the breached firm in general [2,7,8,10,16,17]. Campbell et al. [2] especially found that announcements of information security breaches affect stock market reaction only when the event was related to violation of confidentiality. Their further findings showed that highly significant negative market reaction only occurred when the information security breaches involved unauthorized access to

Event study

Using an event study approach, this study examined stock price changes corresponding to a firm’s disclosure of information security breaches. The basic idea of an event study is to identify abnormal returns or price fluctuations in the market that are attributable to the event. We estimated the abnormal excess return by using a market model based on the capital asset pricing model (CAPM). The estimation window was 180 days, and the gap between the estimation and the event window was 30 days. We
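The market-model event study described above, as an added worked example (not the paper's own code or data): alpha and beta are fitted by OLS over a 180-day estimation window that ends 30 days before the event window, and the abnormal return on each event-window day is the realised return minus the model's prediction. The three-day window (-1, +1), the return series and the event-day shocks are constructed assumptions; the same function is applied to a breached firm and to a competitor so that the competitor's CAR on the breached firm's event day can be read off.

```python
import random
from typing import List, Tuple

def market_model(firm: List[float], market: List[float]) -> Tuple[float, float]:
    """OLS fit of R_firm = alpha + beta * R_market over an estimation window."""
    n = len(firm)
    mean_f, mean_m = sum(firm) / n, sum(market) / n
    cov = sum((m - mean_m) * (f - mean_f) for f, m in zip(firm, market))
    var = sum((m - mean_m) ** 2 for m in market)
    beta = cov / var
    return mean_f - beta * mean_m, beta

def event_study(firm: List[float], market: List[float], event_idx: int,
                est_len: int = 180, gap: int = 30, window=(-1, 1)):
    """Abnormal returns AR_t = R_t - (alpha + beta * R_m,t) on each event-window
    day, with alpha/beta estimated on est_len days ending `gap` days before the
    window starts. Returns (alpha, beta, [AR_t], CAR)."""
    win_start, win_end = event_idx + window[0], event_idx + window[1]
    est_end = win_start - gap            # exclusive end of estimation window
    est_start = est_end - est_len
    if est_start < 0 or win_end >= len(firm):
        raise ValueError("not enough return history around the event day")
    alpha, beta = market_model(firm[est_start:est_end], market[est_start:est_end])
    ars = [firm[t] - (alpha + beta * market[t]) for t in range(win_start, win_end + 1)]
    return alpha, beta, ars, sum(ars)

# Constructed sample data (assumption, not the paper's dataset): daily returns
# drawn from a seeded generator so the run is reproducible offline.
def constructed_market(seed: int = 7, days: int = 230) -> List[float]:
    rng = random.Random(seed)
    return [rng.gauss(0.0, 0.01) for _ in range(days)]

def constructed_firm(market: List[float], beta: float, shock: float,
                     event_idx: int, seed: int) -> List[float]:
    rng = random.Random(seed)
    firm = [0.0002 + beta * m + rng.gauss(0.0, 0.004) for m in market]
    firm[event_idx] += shock             # the announcement-day surprise
    return firm

if __name__ == "__main__":
    EVENT = 215
    market = constructed_market()
    breached = constructed_firm(market, beta=1.1, shock=-0.04, event_idx=EVENT, seed=1)
    rival = constructed_firm(market, beta=0.9, shock=+0.01, event_idx=EVENT, seed=2)
    for name, series in (("breached firm", breached), ("competitor", rival)):
        alpha, beta, ars, car = event_study(series, market, EVENT)
        print(f"{name}: alpha={alpha:+.5f} beta={beta:.2f} CAR[-1,+1]={car:+.4f}")
```

A positive competitor CAR on the breach day is the competition effect the paper tests for; a negative one would indicate contagion.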

Results and discussions

We tested the data for each of the security breach and investment firms and compared the results. By comparing two completely different events, we could understand why and how the security announcements affected the market value of non-announced competitors.

Theoretical implications

Despite these limitations, the expected academic contributions of this research are as follows. First, to our knowledge, this is the first comprehensive event study to empirically measure the impact of security-related events (information security breaches and IT security investments) on competitors based on externalities and information transfer effect. Second, we compared data on both security breaches and security investments and tried to interpret what role the information security in

Conclusion

With an increasing number of devices connected to the Internet, an increasing number of participants in information security are also linked in a network. The interdependence of information security fundamentally creates externalities or information transfer effects. This research aimed to find empirical evidence of the impact of security breaches and investment announcements on competitors’ market value. We used the event study methodology, and we identified competitors using Google

Acknowledgement

This work was supported by the research fund of Hanyang University (HY-2017-N).

Christina Y. Jeong received her master’s degree from the School of Business, Hanyang University. She is currently a Ph.D. student at the Carlson School of Management, University of Minnesota.

References (58)

  • K. Campbell et al., The economic cost of publicly announced information security breaches: empirical evidence from the stock market, J. Comput. Secur. (2003)
  • H. Cavusoglu et al., The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers, Int. J. Electron. Commerce (2004)
  • M.L. Ettredge et al., Information transfer among internet firms: the case of hacker attacks, J. Inf. Syst. (2003)
  • K. Kannan et al., Market reactions to information security breach announcements: an empirical study, Int. J. Electron. Commerce (2007)
  • J. Goldstein et al., Event study analysis of the economic impact of IT operational risk and its subcategories, J. Assoc. Inf. Syst. (2011)
  • M. Ishiguro et al., The effect of information security incidents on corporate values in the Japanese stock market, International Workshop on the Economics of Securing the Information Infrastructure (WESII) (2006)
  • L.A. Gordon et al., Market value of voluntary disclosures concerning information security, MIS Q. (2010)
  • P.-Y. Chen et al., Correlated failures, diversification, and information security risk management, MIS Q. (2011)
  • N.S. Safa et al., Information security policy compliance model in organizations, Comput. Secur. (2016)
  • L.A. Gordon et al., The economics of information security investment, ACM Trans. Inf. Syst. Secur. (2002)
  • L.A. Gordon et al., Budgeting process for information security expenditures, Commun. ACM (2006)
  • C. Hsu et al., Institutional influences on information systems security innovations, Inf. Syst. Res. (2012)
  • T. Wang et al., The association between the disclosure and the realization of information security risk factors, Inf. Syst. Res. (2013)
  • A. Garg et al., The financial impact of IT security breaches: what do investors think?, Inf. Syst. Secur. (2003)
  • A. Laszka et al., A survey of interdependent information security games, ACM Comput. Surv. (2015)
  • R. Anderson et al., The economics of information security, Science (2006)
  • M. Lelarge, Economics of malware: epidemic risks model, network externalities and incentives, Proceedings of the 47th Annual Allerton Conference on Communication, Control, and Computing (Allerton 2009) (2009)
  • J. Omic et al., Protecting against network infections: a game theoretic perspective, Proceedings of the 28th IEEE Conference on Computer Communications (INFOCOM 2009) (2009)
  • G. Theodorakopoulos et al., Selfish response to epidemic propagation, IEEE Trans. Automat. Control (2013)
Sang-Yong Tom Lee is a professor at the School of Business, Hanyang University. He previously worked at the National University of Singapore. His research interests include economics of information systems, online information privacy, and value of IT. His publications have appeared in MIS Quarterly, Management Science, Journal of Management Information Systems, Information & Management, the IEEE Transactions on Engineering Management, and others.

Jee-Hae Lim is a Shidler College Distinguished Professor of Accounting, University of Hawaii at Manoa. Her research interests focus on the impact of Accounting Information Systems (AIS) events (e.g., IT investments, IT controls, IT governance, outsourcing, and XBRL) on financial measures in short- and long-term value creation and pre- and post-realized value. Her publications have appeared in Contemporary Accounting Research, Information Systems Research, Journal of Management Information Systems, Information & Management, Journal of Information Systems, and others.