Financial market reaction to cyberattacks

Niaz Kammoun 1, Ahmed Bounfour 1*, Altay Özaygen 1 and Rokhaya Dieye 1

Abstract: Drawing upon an extensive dataset comprising 3,680 cyberattacks on firms listed in 5 stock markets, our main objective is to ascertain the financial market reaction based on a hybrid valuation inspired by the event study methodology and a counterfactual analysis. Analyses concern three dates that are specific to cyberattacks: 1) the accident date; 2) the first notice date; and 3) the original loss start date. Results indicate that there is a negative abnormal return for the NASDAQ after the accident date. The reactions of the NASDAQ and NYSE are similar, and negative for the first notice date but positive after the original loss start date. In the European context, cumulative abnormal returns are negative for French and German companies after the first notice date.
ABOUT THE AUTHORS
Niaz Kammoun is a researcher and assistant professor in management science. His research spans several fields: innovation, intangibles management and their valuation, and employees' participation and company-based savings covers. He was a postdoctoral researcher at Université Paris-Sud, where he contributed to the impact of cyberattacks on listed firms.
Ahmed Bounfour is Professor at the Université Paris-Sud, Université Paris-Saclay and Holder of the European Chair on Intangibles (www.chaironintellectualcapital.u-psud.fr). His research focuses principally on the assessment of firms' intangible value as well as on the definition of policies targeting intangibles and digital transformation.
Altay Özaygen is a postdoctoral researcher at Université Paris-Sud, Université Paris-Saclay. He completed his PhD in management in 2014. His research interests are economics of information security, intellectual property rights, open innovation, patent analysis and software industry. Before his PhD, Altay worked as a programmer and Unix system administrator for nearly 10 years.
Rokhaya Dieye holds a PhD in economics and has expertise in econometrics, network economics, and impact evaluation methods. Prior to joining Deloitte Economic Advisory in 2018, Rokhaya worked as a postdoctoral researcher at the Grenoble Applied Economics Laboratory (GAEL) and Université Paris-Sud, Université Paris-Saclay, where she contributed to the macroeconomics of cyberattacks.

PUBLIC INTEREST STATEMENT
In this study, we measured the financial market reaction after a cyber-attack. We used an extensive dataset comprising 3,680 cyberattacks on firms listed in 5 different stock markets worldwide. Our approach is based on a hybrid valuation inspired by the event study methodology and a counterfactual analysis. The event study methodology attempts to measure the informative relevance of an event and analyze the response of stock prices following the release of new information. Finance theory suggests that the event study analysis helps to measure the value of a firm following the impact of a specific event, a release of new information. It is expected that the market provides a negative return after a data breach. However, this study shows different abnormal returns for various event dates related to data breaches for different markets. This research deepens our understanding of the market reaction to a data breach for a large, wide-ranging sample of markets.

Introduction
Recent decades have seen the advent of the knowledge society, and the contribution of intellectual assets to value creation has become evident, due to the rapid development and widespread deployment of information technologies (Yayla & Hu, 2011). Increasing internet connectivity has created a dynamic platform for communication, collaboration and promoting innovation. However, our increasing dependency on internet-based platforms and services has significantly increased the exposure of individual users and corporations to criminal activities. In this context, information security and privacy are key issues for organizations (Luftman, Kempaiah, & Nash, 2008). From the financial angle, the average cost of data breaches and security incidents continues to increase. It was estimated at an average of US $350,000 for a single event in 2008 (Richardson & Director, 2008). Similarly, according to the 2018 Data Breach Study prepared by the Ponemon Institute for IBM, the total cost of a data breach to a company is staggering-with an estimated average of $3.86 million (+6.4% compared to 2017). The loss of 1% of customers due to a data breach incurs a total average cost of $2.8 million, rising to $6 million if 4% of customers are lost (Ponemon, 2018). These figures show that a data breach can have devastating effects, by damaging a firm's reputation and potentially paving the way for lawsuits from either shareholders or customers (Hasan & Yurcik, 2006). In the context of the United States, the Federal Trade Commission can fine a firm that it finds is responsible for a breach, or can recommend an expensive overhaul of processes to prevent future incidents. In the case of ChoicePoint, the company was forced to pay penalties of $15 million (Federal Trade Commission, 2006) following a privacy debacle.
From a different angle, Campbell, Gordon, Loeb, and Zhou (2003) identified a highly significant correlation between privacy and trust. Thus, a privacy incident can damage a relationship with a customer or partner that is built on trust. Economically, this can be measured in terms of the ramifications for the company's market share (Rhee & Haunschild, 2006). Moreover, the stock market can be very harsh with firms that it considers have been irresponsible (Acquisti, Friedman, & Telang, 2006). This was the case for ChoicePoint, whose share valuation decreased from $46.01 to $37.64 during the 2 weeks that followed the incident in 2005. Beyond the immediate costs, a privacy incident can have long term, indirect consequences. Consumers who retain a negative impression of companies that have been found to be negligent will alter their consumption patterns. This observation was underlined by Berezina, Cobanoglu, Miller, and Kwansa (2012), who demonstrated that data breaches negatively impact consumer perceptions, even in non-online companies, such as hotels. Moreover, firms can face higher insurance premia following a breach, and future business partners can be less inclined to trust them. Given these risks, most companies seek to secure their networks and protect sensitive customer information databases (Bianchi & Tosun, 2018). However, those that fail to take adequate measures can face the loss of customer data.
Although growing rapidly, the literature on the financial impacts of security breaches is rather sparse (Bianchi & Tosun, 2018). Smith, Milberg, and Burke (1996) identified four data-related dimensions of privacy concerns: collection, errors, secondary use, and unauthorized access. Although their findings have remained robust (Stewart & Segars, 2002), Moor (1997) suggested that several privacy theories could be combined into the concept of "control/restricted access", indicating the situation where an individual expects to be able to control the flow of their personal information, and restrict access where appropriate. In practice, the proper treatment of consumer information is a part of an 'implied social contract' with the customer (Milne & Gordon, 1993). In this sense, a promise of the fair use of information can override a clear consumer aversion to sharing information (Culnan, 1999). Consequently, a violation of this promise is considered as a breach of the conceptualization of control/restricted access.
Our study is a step towards remedying the dearth of research on the question of financial market sensitivity to data breaches. The rest of the paper is organized as follows: Section 2 describes the data and introduces our methodology. Section 3 presents the empirical findings, including the summary statistics. Section 4 discusses these results and presents some conclusions.

Data and methodology
We use the Advisen database. This database reports cybersecurity incidents that are made public and provides a range of information related to the target. The initial search identified 13,227 cyberattacks on 2,841 targets. However, 8,961 were removed as there was no matching financial data available in the Compustat (North America and Global) database. The final dataset therefore contained details of 4,266 cybersecurity incidents, related to 2,200 listed companies distributed across various financial markets. In our study, we consider the response of major financial markets to 3,680 cybersecurity data breach incidents. Table 1 provides the distribution of the sample analyzed according to the stock markets. Table 2 summarizes the main date-related statistics concerning the event, which are analyzed in this study. Unsurprisingly, 95.6% of cases relate to companies in the United States (listed on either the NASDAQ or the New York Stock Exchange). This is due to data breach notification laws that were first introduced in California in 2002 (California S.B. 1386 bill) before expanding to other states. Despite this dominance, we extend our empirical study to a few European countries (France, Germany and the United Kingdom).
Tables 2 and 3 report detailed date-related statistics for the five markets analyzed. Like Table 2, Figure 1 is based on the accident date and shows the yearly distribution of cyberattacks on firms listed in the top five stock markets for the period 1984-2017. Table 4 shows the distribution of cyberattacks across economic sectors, and Figure 2 shows the annual change.

Propensity score matching
Our methodology closely follows the methods developed in the literature (Rosenbaum & Rubin, 1983). First, we construct counterfactuals, as we need to know what would have happened if the firm was not attacked. As this information is not available, we construct counterfactual enterprises at the sector level, with the help of propensity score matching (Dehejia & Wahba, 2002).
Specifically, we match each attacked firm with another with similar, observable characteristics (X), and use the latter as a counterfactual. In order to avoid heterogeneity amongst our panels, the matching characteristic vector (X) consists of the geographical implementation of the company, the financial market in which a company is listed, the industry sector, the size of the company (number of employees), and the reference year and firm's S&P sector index. Propensity score matching needs to respect two major hypotheses: the CIA (Conditional Independence Assumption) and common support assumptions. The CIA states the following: where $Y_A$ and $Y_N$ stand, respectively, for the outcomes of the attacked and not-attacked firms. $D$ is the treatment indicator such that $D = 1$ if the firm is attacked, 0 otherwise. In other words, conditional on X, the assignment of firms to the treatment group (cyber-attacked) is random. The common support assumption states that for each value of X, there is a positive probability of being both treated and untreated, such that:
Various algorithms are available for propensity score matching, including Mahalanobis matching, kernel matching, nearest neighbor matching, etc. In this study, we opted for the nearest neighbor algorithm, which resulted in two panels: Panel A, attacked firms (the treatment group); and Panel B, not-attacked firms (the control group). The Average Treatment Effect (ATT) or impact of cyberattacks on intangibles is given by the following formula: where $Y_{iA}$ is the intangible capital of firm $i$ that is attacked (panel A), $Y_{iN}$ is the intangible capital value of firm $i$ that is not attacked (panel B), and $D_i$ is a dummy variable equal to 1 if firm $i$ is attacked, 0 otherwise. Our dataset of perfectly matched pairs consisted of more than 800 firms within our final database. The results of our comparison of attacked and not-attacked firms are given in Figure 3.
The matching method performed well and resulted in two panels of attacked and not-attacked firms.

Event study methodology
The effect of an economic event on a firm's value is a recurring theme in economics and management sciences. Finance theory suggests referring to financial market data in order to measure the impact of a specific event on the value of a firm based on the event study methodology. This has become a classic approach in finance following the pioneering work of Ball and Brown (1968) and Fama, Fisher, Jensen, and Roll (1969). The methodology attempts to measure the informative relevance of an event and analyze the response of stock prices following the release of new information. In this perspective, as in signal theory, favorable (unfavorable) information generates an increase (decrease) in prices and therefore positive (negative) abnormal returns. Furthermore, the magnitude of the variation is positively and highly correlated to the kind of information disclosed by the event. Since the work of Dolley (1933), which investigated the effect of stock splits on stock prices, the methodology has been adopted in many different fields: accounting and finance (Binder, 1998; MacKinlay, 1997), management (Lambertides, 2009), marketing (Mase, 2009) and information systems (Roztocki & Weistroffer, 2009). Our approach is consistent with earlier event study analyses, and is based on the following equations: for all $y_j$. Where:
$y_i$: Information likely to affect the valuation of stock $i$ during the event period.
$R_i$: Return of stock $i$ during the event period.
Defined as the difference between observed and theoretical profitability, the abnormal return is the crucial measure. In fact, security performance and/or profitability may only be considered as 'abnormal' relative to a defined benchmark or a theoretical model of an ex-ante expected return. Therefore, the choice of model that is adopted to run event studies has been widely discussed (Bhushan, 1994). Developed in the early 1960s by Sharpe (1964), Treynor (1961), Lintner (1965, 1975) and Mossin (1966), the strength of the Capital Asset Pricing Model (CAPM) is that it is able to predict profound implications for asset pricing and investor behavior. Our review of the literature on event study models revealed a tendency to favor the CAPM, as performance is comparable to regression-based models, including the market model.
The estimation period refers to the window preceding the analyzed event, over which researchers estimate the normal return. The length of this period plays a crucial role in event studies, since it may affect estimated parameters and therefore the power of statistical tests. However, there is no specific rule related to its length, and no consensus has emerged from existing empirical and theoretical research. Nevertheless, a period of between 5 and 8 months is often used for daily studies, and between 20 and 60 months for monthly studies, to avoid estimation bias (Gajewski & Ginglinger, 2002; Hachette, 1991).
Although the length of the window varies (Peterson, 1989), researchers tend to try to shorten it, in order to ensure that measured effects are, in fact, due to the analyzed event. In this study, we follow Ahern (2009) and Andrade, Mitchell, and Stafford (2001), and opt for a five-day window, which seems to be long enough to reflect the information available until the publication of new events. Moreover, and in order to control for potential leakage of information prior to the announcement, we include the day that precedes the reporting of an event. Consequently, we define [−1, 3] as our event window. Furthermore, we opt for the CAPM with data for a 120-trading day estimation period that ends fifteen (15) days before the event date, to prevent potential contamination by the event (King, 2011).
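The window arithmetic described above can be made concrete with the following added example, which is not code from the paper. It assumes a single-factor regression of stock returns on market returns (risk-free rate taken as zero) as a stand-in for the CAPM benchmark, a simple t-statistic based on the estimation-period residuals, and a control firm that has already been matched; all function names and the return series are constructed for illustration.

```python
from dataclasses import dataclass
from math import sqrt

EST_LEN = 120            # estimation period: 120 trading days (from the text)
GAP = 15                 # estimation period ends 15 days before the event date
EVENT_WINDOW = (-1, 3)   # event window [-1, 3] relative to the event date


@dataclass
class EventResult:
    alpha: float
    beta: float
    abnormal: list       # daily abnormal returns over the event window
    car: float           # cumulative abnormal return
    t_stat: float


def event_study(stock, market, event_idx):
    """Fit r_stock = alpha + beta * r_market by OLS on the estimation
    period, then compute abnormal returns and the CAR over [-1, 3]."""
    est_end = event_idx - GAP              # last estimation day (inclusive)
    est_start = est_end - EST_LEN + 1
    win_start = event_idx + EVENT_WINDOW[0]
    win_end = event_idx + EVENT_WINDOW[1]
    if len(stock) != len(market) or est_start < 0 or win_end >= len(stock):
        raise ValueError("not enough return history around the event date")

    rs = stock[est_start:est_end + 1]
    rm = market[est_start:est_end + 1]
    mean_s, mean_m = sum(rs) / EST_LEN, sum(rm) / EST_LEN
    sxx = sum((m - mean_m) ** 2 for m in rm)
    sxy = sum((m - mean_m) * (s - mean_s) for s, m in zip(rs, rm))
    if sxx == 0:
        raise ValueError("market returns are constant; beta is undefined")
    beta = sxy / sxx
    alpha = mean_s - beta * mean_m

    # Residual standard deviation with N - 2 degrees of freedom.
    sse = sum((s - alpha - beta * m) ** 2 for s, m in zip(rs, rm))
    sigma = sqrt(sse / (EST_LEN - 2))

    abnormal = [stock[t] - (alpha + beta * market[t])
                for t in range(win_start, win_end + 1)]
    car = sum(abnormal)
    # Assumption: abnormal returns are treated as independent across days.
    denom = sigma * sqrt(len(abnormal))
    t_stat = car / denom if denom > 0 else float("nan")
    return EventResult(alpha, beta, abnormal, car, t_stat)


def constructed_series(event_idx, shocks, alpha=0.0002, beta=1.2,
                       noise=0.002, length=160):
    """Constructed data: periodic market returns, a stock that follows
    alpha + beta * market plus a +/- noise pattern, and the given
    abnormal returns injected on event days -1..3."""
    cycle = [0.010, -0.005, 0.002, -0.003]
    market = [cycle[t % 4] for t in range(length)]
    stock = [alpha + beta * market[t] + (noise if t % 8 < 4 else -noise)
             for t in range(length)]
    for k, shock in enumerate(shocks):
        t = event_idx + EVENT_WINDOW[0] + k
        stock[t] = alpha + beta * market[t] + shock
    return stock, market


def counterfactual_spread(attacked, control):
    """CAR of the attacked firm minus CAR of its matched control."""
    return attacked.car - control.car


# Constructed abnormal returns for days -1, 0, 1, 2, 3.
ATTACKED_SHOCKS = [0.0, -0.010, -0.004, 0.002, -0.001]
CONTROL_SHOCKS = [0.001, 0.002, 0.0, 0.001, 0.0]
EVENT_IDX = 140

if __name__ == "__main__":
    attacked = event_study(*constructed_series(EVENT_IDX, ATTACKED_SHOCKS), EVENT_IDX)
    control = event_study(*constructed_series(EVENT_IDX, CONTROL_SHOCKS), EVENT_IDX)
    print(f"beta={attacked.beta:.3f}  CAR attacked={attacked.car:.4f}  "
          f"CAR control={control.car:.4f}  t={attacked.t_stat:.2f}")
    print(f"spread={counterfactual_spread(attacked, control):.4f}")
```

With an event index below 134 the function raises `ValueError`, because the 120-day estimation period plus the 15-day gap no longer fits in the available history.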

Results
The results presented in this section mainly relate to North American companies and are extended to the main European stock markets (specifically the French, German and London stock exchanges). Furthermore, we would like to emphasize the main difference between the NYSE and NASDAQ markets, which may generate an apparent discrepancy in event study results. In fact, the largest difference between these two markets results from their operational difference. In that sense, the NYSE is an auction market (transactions are typically elaborated between individuals within an auction), whereas the NASDAQ is a dealer market (dealers or trading technologies ensure an intermediary role between market participants). Meanwhile, the NASDAQ has more companies than the NYSE and has a wider spectrum in terms of the size of companies. In fact, the NYSE incorporates industrial companies characterized by their financial and economic stability, and investors usually consider it secure and less volatile. On the other side, the NASDAQ is typically known for its high-tech companies and is seen as a place for growth-oriented tech stocks.

Accident date
The accident date refers to the beginning of the cyber-attack. During the accident window, American companies were expected to generate a mean return of 0.49% for NASDAQ-listed companies and almost 0.42% for those listed on the NYSE. However, following a cyber-attack, there are cumulative abnormal returns of −0.03% and 0.48% for NASDAQ and NYSE markets, respectively. However, the accident date is prior to the first notice date, the date on which the event is initially reported.
Figure 4. Accident date NASDAQ, whole sample containing attacked and non-attacked firms. Cumulative abnormal return: mean and 95% confidence limits (mean ± 1.96 SE), by day relative to event. There are 384 events in total with non-missing returns.
Figure 5. Accident date NYSE, whole sample containing attacked and non-attacked firms. Cumulative abnormal return: mean and 95% confidence limits (mean ± 1.96 SE), by day relative to event. There are 404 events in total with non-missing returns.
In order to deepen our analysis, we applied the counterfactual analysis methodology to the NASDAQ market. This found that counterfactual (not attacked) firms generated 0.9% cumulative abnormal returns, compared to −0.75% for attacked ones. As a result, cyberattacks created an average deficit of 1.65% in cumulative abnormal returns and 0.86% in average returns during the event window. Figures 4 and 5 show the cumulated average abnormal return for NASDAQ and NYSE respectively for the accident date (further results are reported in Tables A2 and A3).

First notice date
The first notice date is the date on which the event was initially reported, or notice was received. Based on the market model, we expect that investing in our panel would generate a cumulative total return of 0.83% for the NASDAQ, and losses of 0.53% for the NYSE. However, in practice, an investment made on the first notice date of a cyber-attack created returns of 1.37% and 0.125%, respectively. In fact, if the company that was a victim of a cyber-attack was listed on the high-tech NASDAQ market, cumulative abnormal returns were 0.54%. On the other hand, such news is perceived adversely by the NYSE, and manifests in an average loss of 0.17% on both the first notice day and the following day. As a result, an average cumulative loss of 0.65% is generated during the event window. This result is consolidated by the counterfactual analysis, according to which not-attacked firms generate a cumulative total return of almost 1.3%, compared to a cumulative loss of 0.15% for attacked companies. Figures 6 and 7 show the cumulated average abnormal return for NASDAQ and NYSE respectively for the first notice date. Figures A.1 and A.2 show the cumulated average abnormal return for NASDAQ and NYSE respectively for the accident date issued through counterfactual analysis (further results are reported in Tables A4, A5, A6 and A7).
Results related to the market reactions after a cyberattack found in the literature are mixed. Kannan, Rees, and Sridhar (2007) and Acquisti et al. (2006) show that in the long run there is no significant negative impact of a data breach. Kannan et al. (2007) show that firms which reported a data breach during the dotcom era showed a higher negative abnormal return than cases after 9/11. Moreover, Gordon, Loeb, and Zhou (2011) show that there are insignificant results with some positive returns for post-9/11 data-breach cases. However, most of the studies found a negative return after a data breach if the analyzed event window is limited to a few days.
Figure 6. First notice date NASDAQ, whole sample containing attacked and non-attacked firms. Cumulative abnormal return: mean and 95% confidence limits (mean ± 1.96 SE), by day relative to event. There are 323 events in total with non-missing returns.

Original loss start date
The original loss start date represents the date on which a loss due to a cyber-attack begins. For the NASDAQ, despite an average abnormal return of 0.016 on the day of the event, such events generate negative returns amounting to −0.015 the following day and −0.003 the day after. This observation is consolidated by the counterfactual analysis. In fact, the start of the loss is reflected in a fall in average abnormal returns from 0.192 to −0.213. Moreover, we note that average cumulative abnormal returns for not-attacked firms (0.19%) exceed attacked firms (−0.73%). However, NYSE-listed companies seem to be less sensitive to these events. In fact, the original loss start date is consistent with mean cumulative abnormal returns of 0.4% during the event window, and a spread of 0.3% based on the counterfactual analysis. By the end of the loss period, financial markets generate 0.22% and 0.39% average cumulative abnormal returns for the NASDAQ and the NYSE, respectively, during the event window. In the case of changes to the original loss start (end) date due to court proceedings, the loss start (end) date reports the beginning (end) of the period during which damages from cyberattacks were incurred. Empirically, the original loss start date is associated with an average cumulative abnormal return of 1.31% for the NASDAQ and 0.36% for the NYSE. Indeed, the announcement of the loss end date (if different from the original loss end date) generates average cumulative abnormal returns of 0.09% and 0.47%, respectively.

Cyberattacks on European countries (France, Germany, and UK)
Applied to the European context, cyberattacks generate negative cumulative abnormal returns of 0.77% during the event window [0, 3] for British companies. Moreover, average total returns for attacked French firms fall during the event window [0, 3] (from 0.006 to −0.001) and from 0.0001 to −0.006 for German firms. Furthermore, as soon as the cyberattack is reported, average total returns fall to 0.0002 (from 0.00435). This observation is consistent for both French and German companies, where we see cumulative abnormal returns of −0.445% and −0.98%, respectively. In France, the announcement of the original loss period (start and end dates) is associated with two main observations. On the one hand, a decrease in cumulative average abnormal returns of almost 0.37% during the original loss start date window. On the other hand, a decrease of 0.2% in cumulative average abnormal returns for the original loss end date window. However, German and British financial markets do not react immediately to such announcements and the analysis of the original loss start (end) dates reveal positive cumulative abnormal returns of 0.76% (−0.54%) and 0.34% (0.2%). In case of adjustments to loss start or end dates, financial markets consolidate previous results for France, Germany, and the United Kingdom.
Figure 7. First notice date NYSE, whole sample containing attacked and non-attacked firms. There are 340 events in total with non-missing returns.

Results robustness: Fama-French plus momentum model
Applied in event studies, expected return models predict hypothetical returns that are established based on actual (and past) stock returns in order to derive abnormal returns. In order to check the robustness of our results, we refer to the Fama-French Plus Momentum Model (also known as Carhart's Four Factor Model) within our event analysis. While the CAPM uses one beta (systematic risk) to explain the stock return, Fama and French decided to integrate two additional betas (size and value) in order to improve estimation accuracy. Their model was extended by Carhart through integrating the momentum factor.
Applied to the US market, we notice that a cyberattack generates a loss of 1.196% and 0.434% of cumulative abnormal returns for the NASDAQ and NYSE, respectively, during the event window [−1, 3], whereas not-attacked firms over-perform by 4.16% and 0.564% for NYSE and NASDAQ, respectively, during accident dates. These results are confirmed for the first notice date of a cyberattack. In fact, the NASDAQ overreacts to a cyberattack detection by generating a CAR of almost 1.88%, while the counterfactual sample reflects a negative return of −0.89%. However, we notice an opposite reaction of the NYSE to the information release related to the first notice date. In fact, involved companies suffer a decrease in their returns of 0.766%, while non-affected ones generate a cumulative abnormal return of 0.372%, which confirms our previous results.

Discussion and concluding remarks
It is expected that the market provides a negative return after a data breach (Campbell et al., 2003; Cavusoglu et al., 2004; Yayla & Hu, 2011; Pirounias et al., 2014). However, this study shows different abnormal returns for various event dates related to data breaches for different markets. This research deepens our understanding of the market reaction to a data breach for a large, wide-ranging sample of markets.
The literature shows mixed results regarding market reactions after a data breach. One of the comparison periods is before and after 9/11. Kannan et al. (2007) show that there is no significant negative impact of a data breach in the long run (after 15 days). A negative bias is found after the 9/11 event, but this is interpreted as a confounding event. Moreover, the authors argue that investors react differently and that the dotcom era showed higher negative abnormal returns. Gordon et al. (2011) show that security breaches occurring over the post-9/11 sub-period have an insignificant effect on the stock returns of firms, and there are also other cases which show positive returns after a data breach. Gatzlaff and McCullough (2010) demonstrate that firms with higher market-to-book ratios experience greater negative abnormal returns. Firm size and subsidiary status mitigate the negative effect of a data breach on the firms' stock price. The authors provide a table which shows the number of firms having positive and negative CAR for different event windows. For all tested event windows under 60 days, firms experiencing negative returns outnumber those experiencing positive returns. Acquisti et al. (2006) show that there is a negative mean abnormal return on the day of the breach announcement, which decreases the following day, and that the abnormal return becomes positive on t + 3. Garg, Curtis, and Halper (2003) found that theft of customer data shows positive returns ranging from 0.2% to 1.2% at the t, t + 1 and t + 2 periods, unlike the theft of credit card information, DoS and web-site defacement cases found in their sample. Hovav and D'Arcy (2004) show that there is not a negative abnormal return when firms indicate that they went through a virus attack. The same result is obtained when the analysis is carried out for different economic sectors.
There are two explanations that we can provide for the positive return which is observed in the literature. Hovav and D'Arcy (2004) argue that firms are not penalized when involved in events with negative information, and that an appropriate communication strategy adopted by firms may decrease negative market reactions. The second argument is financial. It is argued that the average data breach has become less costly (Gordon et al., 2011). According to Romanosky (2016), a typical cyber incident costs less than $200k, which is a modest financial impact compared to the increasing rates of breach and legal actions of which the public is mostly aware. The average $200k cost represents only 0.4% of firm revenues, which is also far less than other types of losses due to fraud, theft or corruption. Moreover, Romanosky (2016) argues that firms are adopting an optimal level of cybersecurity, as they do with other types of security risk, and are investing a limited amount of money in data protection.
Our results are consistent with the literature and the results obtained in this study can provide a guide for both retail and institutional investors, and the growing cyber-insurance industry. Investors should reconsider their asset allocation strategy as a function of the exposure of a firm to the risk of a cyber-threat, and the stock market it is listed on. Moreover, a diverse investment portfolio that includes cybersecurity stocks could be an attractive solution to decrease the risks of a cyber-attack and its negative outcomes. From the viewpoint of the cyber-insurance industry, understanding the impact of a cyber-event on a firm's value in different stock markets could help to refine the risk models used.
Although our results are obtained from a large sample, our work should be deepened to understand the source of the attack and the motivation of cyber-criminals. There is a need for an in-depth analysis of the exposure of firms to a cyber-attack, and the profiling of cybercriminals. We leave this for a future study.
See Table A1 for a definition of variables used in output tables of our event study analysis.

A. Appendix