Firms pay CEOs more, shareholders less in wake of data breach, analysis reveals

Companies gave CEOs a pay rise while cutting dividend payments and research and development investment in the wake of a data breach, analysis by researchers atWarwickBusiness School has revealed.

Scrutinising 41 publicly listed US companies that had suffered from data breaches (reported in the media), the researchers discovered affected business tended to increase pay to top brass in the five years that followed. Affected companies were also no more likely to fire their chief executive.

By comparison, the average CEO pay at firms that were not targeted by hackers fell by more than $2 million per year over the period studied (2004 to 2016).

“Firms that suffer a databreachdo not typically respond by firing the management, but by investing more in the existing CEO. At first sight, these results may look puzzling,” said Dr Daniele Bianchi, assistant professor of finance atWarwick.

“However they are consistent with the idea that the average response is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered,” she added.

The research, detailed inyet-to-be-published paperCyber Attacks and Stock Market Activity, also found that “affected firms tend to pay less dividends and invest less in RD” after suffering a breach.

“Incidents of securitybreachesthat reveal sensitive and confidential information can lead to litigation and government sanctions, but also to a loss of competitive edge against competitors through a reduction of resources dedicated to RD, dividend payments, or investments more generally,” said co-author Dr Onur Tosun.

The researchers’ analysis found reports of breaches – be they the result of stolen hardware, insider attacks, poor security or hacking – did lead to a stock market “shock” as investors rushed to sell their shares.

“The main results show that daily excess returns drop, trading volume increases, and liquidity deteriorate upon the public disclosure of first-time corporate hacking events. The evidence suggests that trading volume increases due to selling pressure,” the researchers write.

The shock selling, however, “fails to incorporate the actual effect of security breaches on firms’ profitability and cash-flows” the researchers added.

Typically the shock “vanished after just two days”.

The paper points to the example of Sony Pictures, andthe 2014 hackon the company which resulted in a massive amount of the company’s internal documents and data being dumped on the Internet and a large number of its computers having their files wiped.

Shares plunged more than 10 per centimmediately after the attack, buta year laterwere up nearly 25 per cent.

“Interestingly, the empirical results show that the impact of security breaches is much weaker in the longer-term, which somewhat contradicts the conventional wisdom that hacking events have some sticky influence on companies’ reputation and growth prospects,” the researchers write.

Cyber incidents are not without cost to affected companies, of course.The potential direct economic loss of cybersecurity incidents – defined as tangible losses in revenue, decreased profitability and fines, lawsuits and remediation – on Australian businesses is AU$29 billion per year,according toa Microsoft commissioned report by Frost Sullivan.

IBM’sCost of a Data Breachstudy for 2018reports the global average cost of a data breach is up 6.4 per cent over the previous year to US$3.86 million. The average cost for each lost or stolen record containing sensitiveinformation also increased by 4.8 per centyear over year to $148, according to the study.