What the hack? : an empirical analysis of the stock market reactions to hacking announcements
Abstract
To raise awareness of the financial consequences for companies that do not safeguard
personal data, this thesis investigates the stock market reaction following hacks.
Furthermore, it investigates the role consumers and regulatory agencies play in inflicting
financial consequences on companies that are hacked. While previous studies have focused
on data breaches in general, this thesis focuses on hacks, because hacking is the most
dominant form of data breaches and is increasing in frequency. The thesis contributes
to existing literature by examining 42 of the world’s largest hacks announced between
2007 and 2020. The research questions are answered by using event study methodology as
described by MacKinlay (1997).
We find an average negative stock market reaction of 1.7% on the first trading day following
the announcement of the hacks. Moreover, we find that the stock prices do not fully
recover within the following ten days, indicating that shareholder value is at risk. When
investigating the role of consumers, we find that when many client’s records are exposed
in the hack, the stock market reaction is stronger. This may be because investors expect
that the consumers will use their market power to punish the companies that have been
hacked, and that this will decrease the net value of the company. More surprisingly, we
find no statistically significant impact when the data exposed in the hack is sensitive to
the customers. Finally, we explore the stock market reaction to hacks prior to and after
the implementation of the GDPR in 2018, with a subsample of 33 events. The GDPR
has raised the maximum fines for companies that are hacked, however, we do not find
evidence of stronger stock market reactions after it was put into effect in our data sample.
Our findings suggest that IT managers and top executives should be concerned with
protecting the personal data that the company stores, because there exists a trade-off
between investing in cyber security and carrying the costs of being hacked.
Keywords – Hack, Data breaches, Cyber security, Regulatory agencies, IT managers,
GDPR, Event study, Consumers