What the hack? : an empirical analysis of the stock market reactions to hacking announcements

Jansen, Embla Kleiv; Stavik, Stine-Mari
Master thesis
Thumbnail
View/Open
URI
https://hdl.handle.net/11250/2735126
Date
2020
Metadata
Show full item record
Collections
Abstract
To raise awareness of the financial consequences for companies that do not safeguard

personal data, this thesis investigates the stock market reaction following hacks.

Furthermore, it investigates the role consumers and regulatory agencies play in inflicting

financial consequences on companies that are hacked. While previous studies have focused

on data breaches in general, this thesis focuses on hacks, because hacking is the most

dominant form of data breaches and is increasing in frequency. The thesis contributes

to existing literature by examining 42 of the world’s largest hacks announced between

2007 and 2020. The research questions are answered by using event study methodology as

described by MacKinlay (1997).

We find an average negative stock market reaction of 1.7% on the first trading day following

the announcement of the hacks. Moreover, we find that the stock prices do not fully

recover within the following ten days, indicating that shareholder value is at risk. When

investigating the role of consumers, we find that when many client’s records are exposed

in the hack, the stock market reaction is stronger. This may be because investors expect

that the consumers will use their market power to punish the companies that have been

hacked, and that this will decrease the net value of the company. More surprisingly, we

find no statistically significant impact when the data exposed in the hack is sensitive to

the customers. Finally, we explore the stock market reaction to hacks prior to and after

the implementation of the GDPR in 2018, with a subsample of 33 events. The GDPR

has raised the maximum fines for companies that are hacked, however, we do not find

evidence of stronger stock market reactions after it was put into effect in our data sample.

Our findings suggest that IT managers and top executives should be concerned with

protecting the personal data that the company stores, because there exists a trade-off

between investing in cyber security and carrying the costs of being hacked.

Keywords – Hack, Data breaches, Cyber security, Regulatory agencies, IT managers,

GDPR, Event study, Consumers