By Joshua Afshani, University of Michigan, Ross School of Business.
Cyberterrorism has come to be one of the most threatening forms of terrorism in 2019. In the face of the negative implications cyberattacks can have on affected firms and consumers, this article focuses on the flip side of the coin: I hypothesize that cyberattacks can produce abnormal positive returns for the stock prices of insurance and security companies. Heretofore practically ignored by most businesses, companies that specialize in insurance and security dealing with cyberterrorism are experiencing increased positive interest and attention. I conducted an event study analysis to investigate how the stock prices of insurance and security companies changed one day and one week after major cyberattacks on large firms. Such cyberattacks investigated range from the 2013 Yahoo attack to the globally destructive Petya Ransomware attack. Using the P-value as a measure of significance, I found that, on average, the companies realized a consistent, positive abnormal return in 11 of the 15 events one day after an attack. This evidence supported my hypothesis as investors understand that increased cyber activity results in increased cyber-awareness. Both insurance and security companies will likely increase premiums and experience higher quarterly revenues. Moreover, it was found that security companies experienced more positive, abnormal returns than insurance companies, as consumers gravitate towards security in hopes of greater protection.
Keywords: cyberterrorism, cyber awareness, cybersecurity, stock market, empirical analysis, abnormal returns, P-value.
Cyber-attacks are becoming one of the most threatening forms of terrorism possible. An estimated 556 million people fall victim to cybercrime annually or 12 people every second . No longer are companies worried about their data being stolen physically. In this new age of the internet, companies (and everyday consumers) are now worried about their software being compromised by hackers offline. In the past decade, hackers from around the world have managed to break into the security systems of the government, hospitals, schools, and even the world's largest companies such as Yahoo, Amazon, and Microsoft. Even with the highest-leveled security systems available, companies are at risk of interrupted online service and stolen confidential information. These attacks have severe implications on the stock prices of these companies. Many researchers have found that the average loss by an affected firm is about 2% . These losses are catastrophic and can lead to "damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm" . Cybersecurity Ventures predicts cybercrime will cost the world in excess of $6 trillion annually by 2021 . This could mean a 100% increase from the 3 trillion dollars in cost which occurred in 2015. Companies can lose millions from lost revenue and worker productivity, but the most threatening losses can be from the intangible costs a firm suffers with its reputation and brand. Building trust with consumers is a priority many companies rank highly. Also, direct losses can involve the loss of information that are stolen during an attack. These intangible costs are exactly why firms have underestimated the costs of security breaches in the past . There is no return on investment that can be calculated. Firms must simply acquire top level security if they do not want to suffer the consequences later. Before, security was an issue that companies addressed after the fact. But now, security is something executives have to build on from the start because of the effect it has had on other companies .
These losses can even be life threatening. In February 2016, a California hospital was forced to pay a ransom of $17,000 in Bitcoin to retrieve stolen patient records after a hacker compromised their security system . The 2016: Current State of Cybercrime Survey by RSA stated that "due to the sensitivity, level of accessibility required for patient care, and ultimately, the potential to directly threaten human life, health care systems will be particularly impacted by ransomware" .
Afshani, Joshua, Cyberterrorism and its Dramatic Impact on Insurance and Security Firms (August 21, 2019). Available at SSRN: https://ssrn.com/abstract=3472785