1 Introduction

Firms must disclose cyber-attacks that materially damage their businesses (Securities and Exchange Commission 2011, 2018). However, because investors cannot discover most cyber-attacks independently, and because managers often have incentives to withhold negative unobservable information from investors, firms may underreport cyber-attacks. In this study, we estimate the extent to which publicly traded firms withhold information on cyber-attacks. Specifically, we identify cyber-attacks that firms disclosed and attacks that were withheld and later independently discovered. We then use the differential market reaction to these attacks to estimate the extent of underreporting.

Reviewing data on cyber-attacks between 2010 and 2015 suggests many disclosures on the attacks are made after investors discover them. Data breaches are revealed to the market, for example, by customers whose information is stolen or by the hackers themselves.Footnote 1 In addition, the number of cyber-attacks public companies disclosed, about 300 during that period, seems low in comparison to the thousands reported by independent sources.Footnote 2

The extent of information withholding is unobservable; we are aware only of data breaches that are eventually revealed, either by the attacked firms or by sources outside the firm. We estimate the extent of withholding from the market reaction to revealed attacks, using the market reaction as a proxy for the damage a cyber-attack causes. We find that, in cases where firms immediately disclosed the cyber-attack, their equity values declined by 0.33%, on average, in the three days after disclosure and by 0.72% in the month after disclosure. In comparison, the decline in market value was much larger in cases where firms did not disclose the attack and parties outside the firm later discovered it: 1.47% in the three days after the discovery of the attack and 3.56% in the month afterward. These findings suggest firms withhold the more severe cyber-attacks from investors. From the differential market reaction to disclosed and withheld attacks, we estimate that managers disclose cyber-attacks when investors already believe that, with a 40% chance, an attack has occurred; when uncertainty about the existence of a cyber-attack is greater, managers withhold the information.

Using alternative estimates of damage caused by cyber-attacks, we also find that information about more severe attacks is withheld. Specifically, we use damage estimates released by the attacked firms and an objective index that measures the severity of cyber-attacks, based on type of data breached, the number of records stolen, and the source of the breach. Both damage estimates show that firms withhold information about more severe attacks, whereas milder attacks are more likely to be disclosed by the firm.

In support of the relation between chances of discovery and withholding, we find withholding firms have less analyst coverage, weaker corporate governance, and lower litigation risk than disclosing firms. Investors follow more closely firms with greater analyst coverage, and the chance of discovery in these firms is higher. In addition, firms with stronger governance are less likely to conceal negative news from their investors. Specifically, firms with less entrenched management (Bebchuk et al. 2009) and fewer material weaknesses reported following Section 404 of the Sarbanes-Oxley Act are more likely to disclose information on cyber-attacks. Using membership in the high-tech industry as a proxy for litigation risk, we find disclosing firms are more likely than withholding firms to be in high-tech industries. High litigation risk increases the expected loss from withholding information, increasing the attractiveness of disclosure (e.g., Skinner 1994, 1997).

We contribute to the literature by using disclosure theory to explain the market effects of cyber-attacks. Studies that examine the stock price reaction to cyber-attacks find mixed results. For instance, Cavusoglu et al. (2004) find data breaches have a statistically significant negative effect on stock prices. By contrast, Campbell et al. (2003) and Kannan et al. (2007) find the market effect of breaches is generally insignificant.Footnote 3 Gordon et al. (2011) report a decrease in the effect of breaches on stock prices over time. They conjecture that, with increased media reporting of data breaches without apparent devastating effects on targeted corporations, investors lowered their assessment of the costs of data breaches. Kvochko and Pant (2015) review recent cases in which large data breaches had a small impact on stock prices.Footnote 4 Consistent with the latter studies, we find the negative reaction to most cyber-attacks in our sample (2010–2015) is quite small. However, unlike prior researchers, we distinguish between cyber-attacks that were voluntarily disclosed and those that were withheld from investors and later independently discovered, and we find that, in the latter cases, the market reaction is negative and significant. These results suggest cyber-attacks that are unknown to investors are more likely to be severe and that the market reaction reported elsewhere understates the damage cyber-attacks cause.

We also contribute to the literature that examines the different timing of good- and bad-news disclosures. For example, Kasznik and Lev (1995) examine whether firms warn investors of upcoming negative earnings surprises. Amir and Ziv (1997) find firms delay the adoption of new accounting standards with negative financial effects. Chambers and Penman (1984) find late earnings announcements contain, on average, worse news than early announcements. Kothari et al. (2009) find the magnitude of negative stock price reaction to bad news is greater than the magnitude of positive stock price reaction to good news and infer from their evidence that managers accumulate and withhold bad news up to a certain threshold but leak and immediately reveal good news.Footnote 5 In the case of cyber-attacks, however, withheld information will likely never be revealed to investors. In addition, for cyber-attacks that are eventually revealed, the data indicate when the firm learned of the attack and therefore whether information withholding occurred. This setting and data enable us to distinguish between cases of disclosing and withholding and show that, consistent with theory, managers withhold more negative information and voluntarily disclose less severe attacks. This setting also allows us to examine the different market reactions to withholding and disclosure and to estimate when withholding information is worthwhile for managers. Using market reactions to withheld and disclosed attacks, we show that managers disclose cyber-attacks only when the likelihood that investors believe an attack is imminent is high.

2 Hypothesis development

When investors know managers possess and withhold negative information, they will reduce share price to reflect the worst possible news, which, in turn, will drive managers to make full disclosure (Grossman and Hart 1980; Grossman 1981). However, when investors are uncertain about whether managers possess negative information, a partial disclosure equilibrium will emerge where some firms find it beneficial to withhold bad news (Dye 1985; Jung and Kwon 1988).

Cyber-attacks are often unobservable to the public when they occur, and thus managers can withhold information about attacks from investors without being discovered. Without disclosure, investors will reduce stock prices only by the expected value of the bad news withheld, which in the case of cyber-attacks equals the probability that an attack occurred (and the manager is withholding the information) times the average damage. Because the number of attacks discovered by investors is small, investors usually do not have a reason to suspect that, in the absence of disclosure, the likelihood a breach occurred is high.Footnote 6 Therefore the expected loss from not disclosing is low, and withholding is an attractive option for managers.Footnote 7

To develop our main hypothesis, that firms withhold information on the more severe cyber-attacks and voluntarily disclose the milder ones, we use a setting similar to that of Dye (1985).Footnote 8 Assume a cyber-attack hits the firm with probability p and causes a loss x. Only the manager learns of the attack and of the damage, x, whereas investors know only the ex-ante distribution of the damage, \( \tilde{x} \).

Managers withhold information on the damage, x, when the loss from disclosing (equal to x) is worse than the expected loss from withholding. Because investors know the ex-ante distribution of the damage, \( \tilde{x} \), and the probability of a cyber-attack, they can estimate, in the absence of disclosure, the probability that the silence is due to withholding, prob(withholding), and the expected loss given no disclosure, \( prob(withholding)\,E\left(\tilde{x}\,|\,withholding\right) \). Managers know that, absent disclosure, investors will mark the stock price down by this expected loss. Hence, when managers observe the actual damage from a cyber-attack, x, they withhold the information whenever \( x < prob(withholding)\,E\left(\tilde{x}\,|\,withholding\right) \).

Dye (1985) shows that, in such a setting, there is a disclosure threshold, \( \underline{x} \), above which managers disclose, and that it satisfies \( prob(withholding)\,E\left(\tilde{x}\,|\,\tilde{x}<\underline{x}\right)=\underline{x} \). That is, the disclosure threshold equals the probability, prob(withholding), that the manager has news and withholds it, times the expected value of the news withheld. Managers withhold bad news if the damage from the attack is worse (i.e., lower) than \( \underline{x} \). It follows that managers will withhold information on the more severe cyber-attacks: those that would cause a loss in stock price below the disclosure threshold, \( \underline{x} \).Footnote 9 Because the expected value of the withheld bad news, \( E\left(\tilde{x}\,|\,\tilde{x}<\underline{x}\right) \), is negative, the higher the probability investors assign to managers holding negative information, prob(withholding), the lower (more negative) the disclosure threshold, \( \underline{x} \), and the more negative the news managers disclose.Footnote 10 Using market reactions, we empirically estimate the probability of withholding, prob(withholding), at which managers choose to withhold information about a cyber-attack.

Rearranging the threshold condition, the probability of withholding equals \( \frac{\underline{x}}{E\left(\tilde{x}\,|\,\tilde{x}<\underline{x}\right)} \). To estimate this probability, we need empirical proxies for the disclosure threshold, \( \underline{x} \), and for the expected value of the bad news withheld, \( E\left(\tilde{x}\,|\,\tilde{x}<\underline{x}\right) \). As a proxy for the latter, we use the average stock return in the withholding cases that investors discovered,Footnote 11 which assumes the average damage of the discovered attacks represents the damage in all withheld cases. For the disclosure threshold, \( \underline{x} \), we use the average return reaction in the cases in which managers disclosed the cyber-attack. However, managers disclose every loss that is mild enough (above the threshold), so what we observe is the average disclosed loss, not the threshold itself. To back out the threshold, we assume, as Dye (1985) does, that the loss is uniformly distributed on the interval [\( \underline{x} \), 0], where the threshold \( \underline{x} \) is a negative number.Footnote 12 The expected disclosed loss is then \( \frac{\underline{x}}{2} \), so the probability that managers are withholding bad news on cyber-attacks is

$$ prob(withholding)=\frac{2 \times \text{Return reaction to immediate disclosure}}{\text{Return reaction to discovery of withholding}} $$
(1)

As we show below, the average market reaction is, for example, −0.72% in the month following an immediate disclosure of the breach by firms and − 3.56% when the breach was not disclosed but investors later discovered it. These estimates imply managers disclose cyber-attacks when investors already believe that, with a probability of 40%, an attack has occurred.
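The following script, added here as an illustration and not part of the paper, solves the Dye (1985) fixed point of this section numerically under the uniform-loss assumption and checks that equation (1) recovers prob(withholding) from the two observed group means in a simulated sample. The attack probability, loss scale, sample size and random seed are constructed values, and the function names are ours; the closed-form threshold quoted in the comments follows from the uniform assumption.

```python
"""Dye (1985) disclosure threshold for cyber-attack losses and the estimator in
equation (1).  Added example, not code from the paper.

Assumptions (the paper's model, with constructed parameter values below): an
attack occurs with probability p; its loss x is uniform on [-loss_max, 0]; the
manager observes x and discloses iff x >= threshold; investors who see no
disclosure mark the stock down by the expected withheld loss.
"""
import random
from statistics import fmean


def prob_withholding(threshold, p, loss_max):
    """prob(withholding | no disclosure) when every x < threshold is withheld.

    Silence arises either because no attack occurred (1 - p) or because an
    attack occurred and its loss fell below the threshold (p * F(threshold)).
    """
    cdf = (threshold + loss_max) / loss_max      # F(threshold) for a uniform loss
    return p * cdf / ((1 - p) + p * cdf)


def expected_withheld_loss(threshold, loss_max):
    """E[x | x < threshold] for x uniform on [-loss_max, 0]."""
    return (threshold - loss_max) / 2


def solve_threshold(p, loss_max, tol=1e-10):
    """Find the threshold t with t = prob(withholding) * E[x | x < t] by bisection.

    g(t) = t - prob(withholding) * E[x | x < t] equals -loss_max at t = -loss_max
    (nothing is withheld, so no discount) and p * loss_max / 2 > 0 at t = 0, so a
    root lies in between.  For the uniform loss it is t = loss_max*(sqrt(1-p^2)-1)/p.
    """
    lo, hi = -loss_max, 0.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        g = mid - prob_withholding(mid, p, loss_max) * expected_withheld_loss(mid, loss_max)
        lo, hi = (mid, hi) if g < 0 else (lo, mid)
    return (lo + hi) / 2


def prob_withholding_from_returns(mean_disclosed_return, mean_discovered_return):
    """Equation (1): 2 * (reaction to immediate disclosure) / (reaction to discovery).

    Under the uniform assumption the disclosed losses average threshold/2, so twice
    their mean recovers the threshold; dividing by the mean loss in the discovered
    withholding cases gives threshold / E[x | x < threshold] = prob(withholding).
    Both inputs are signed returns, so both must be losses (non-positive).
    """
    if mean_discovered_return >= 0 or mean_disclosed_return > 0:
        raise ValueError("equation (1) needs a loss in both groups")
    return 2 * mean_disclosed_return / mean_discovered_return


def simulate_equilibrium(p, loss_max, n_firms=200_000, seed=7):
    """Monte Carlo check of the estimator.

    Draw attacks, apply the threshold rule, and feed the two observed group means
    into equation (1).  Returns (threshold, true prob(withholding), estimate).
    """
    rng = random.Random(seed)
    threshold = solve_threshold(p, loss_max)
    disclosed, withheld = [], []
    for _ in range(n_firms):
        if rng.random() >= p:
            continue                              # no attack: nothing to report
        x = -loss_max * rng.random()              # loss uniform on [-loss_max, 0]
        (disclosed if x >= threshold else withheld).append(x)
    estimate = prob_withholding_from_returns(fmean(disclosed), fmean(withheld))
    return threshold, prob_withholding(threshold, p, loss_max), estimate


if __name__ == "__main__":
    t, q, q_hat = simulate_equilibrium(p=0.5, loss_max=1.0)
    print(f"threshold={t:.4f}  prob(withholding)={q:.4f}  eq.(1) estimate={q_hat:.4f}")
    # The paper's monthly reactions, -0.72% and -3.56%, give about 0.40.
    print(f"paper: {prob_withholding_from_returns(-0.72, -3.56):.3f}")
```

With p = 0.5 and losses on [−1, 0] the threshold is about −0.27, so roughly the worst 27% of attacks are withheld while prob(withholding) is about 0.42; the estimator recovers that value from the simulated group means, and the paper's −0.72% and −3.56% give 0.40. The sign check matters in practice: the estimator is only meaningful when both groups show a loss, which is why the immaterial group (positive mean reaction) cannot be used in equation (1).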

3 Data

We combine two data sources that report details on cyber-attacks. Our first data source is the AuditAnalytics cyber-attacks database, which documents 186 incidents between 2010 and 2015. For 162 of these incidents, we obtain stock returns from the Center for Research in Security Prices (CRSP). The second data source is the VCDB VERIS community database, which contains thousands of documented incidents, of which only a small fraction relates to public companies. A description of the VCDB VERIS database is available, for example, in the Verizon (2015) Data Breach Investigations Report. According to the report, the database includes information on data breaches collected by Verizon during its “paid external forensic investigation” services and by 70 other cyber-security companies and organizations. We match company names in VCDB with those of US publicly traded company names in CRSP using fuzzy-matching, and then manually verify the results.Footnote 13 We identify 158 additional data breaches of public firms between 2010 and 2015 that are not included in the AuditAnalytics database. We then validate the information in each entry of the combined dataset (e.g. the accuracy of disclosure dates) through the reference links that are provided in the dataset, as well as through searches in news sources and company filings.

The identity of most firms in the database is unknown. This anonymity balances the need of VCDB VERIS users for relevant data against the privacy of the breached firms. Most private firms do not share information on their operations with third parties, so many of the anonymous records are likely those of private firms. Public firms are also reluctant to reveal negative information to competitors and investors, so a large share of the anonymous records may belong to public firms as well.

Finally, for the purpose of using the same sample throughout the analysis, we exclude firms that are missing data on material weakness following Section 404 of the Sarbanes-Oxley Act of 2002 and data necessary for calculating Bebchuk et al.’s (2009) index—see details below.Footnote 14 Combining our data sources, we obtain data for 276 incidents involving 156 publicly traded companies between 2010 and 2015, of which 58 firms had more than one cyber-attack.

For descriptive purposes, we classify cyber-attacks into three categories following Gordon et al. (2011). The first category—availability—includes breaches that stop the business from making its services available to customers (also known as denial of service). We include in this category cases in which the breach can jeopardize availability, for example, cases in which hackers gain access and can disrupt main systems or steal intellectual property. The second category—confidentiality—includes breaches that give unauthorized users access to confidential information, such as bank account credentials, credit card data, medical records, insurance history, usernames, or passwords. The third category—integrity—includes breaches that compromise the reliability of a database or a website. We classify all breaches in the sample into one of the three categories, except for four breaches for which the information is not available in the data and the attack type is unknown. Table 1 summarizes information on our sample by year and attack type.
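As an added illustration (not the authors' code), the following script shows the record-linkage and classification steps of this section on constructed data: it normalizes victim names, fuzzy-matches them to a CRSP-style list of company names, restricts the sample to 2010–2015, and maps the VERIS attribute block to the three categories above. The field names follow the public VERIS JSON schema used by VCDB; the records, the company names, the similarity cutoff, the legal-suffix list and the category priority order are assumptions.

```python
"""Linking breach records to listed firms and tagging the attack type.
Added example, not the authors' code.  The field names follow the public VERIS
JSON schema used by VCDB (victim.victim_id, timeline.incident.year,
attribute.confidentiality / integrity / availability); the records and the
CRSP name list are constructed for illustration.
"""
import difflib
import re

# Legal-form tokens dropped before comparison (assumed list, extend as needed).
LEGAL_SUFFIXES = {"inc", "incorporated", "corp", "corporation", "co", "company",
                  "ltd", "limited", "llc", "plc", "holdings", "the"}

CRSP_SAMPLE = ["Northwind Traders Inc", "Contoso Ltd",
               "Fabrikam Pharmaceuticals Corp", "Tailspin Toys Co"]

VCDB_SAMPLE = [  # constructed, VERIS-shaped records
    {"incident_id": "c1", "victim": {"victim_id": "Northwind Traders"},
     "timeline": {"incident": {"year": 2013}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"incident_id": "c2", "victim": {"victim_id": "Contoso, Ltd."},
     "timeline": {"incident": {"year": 2014}},
     "attribute": {"availability": {"variety": ["Interruption"]},
                   "confidentiality": {"data_disclosure": "Potentially"}}},
    {"incident_id": "c3", "victim": {"victim_id": "Fabrikam Pharma"},
     "timeline": {"incident": {"year": 2012}},
     "attribute": {"integrity": {"variety": ["Defacement"]}}},
    {"incident_id": "c4", "victim": {},                   # anonymised victim
     "timeline": {"incident": {"year": 2015}},
     "attribute": {}},
    {"incident_id": "c5", "victim": {"victim_id": "Tailspin Toys"},
     "timeline": {"incident": {"year": 2009}},           # outside 2010-2015
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
]


def normalize_name(name):
    """Lower-case, strip punctuation and legal-form suffixes, so that
    'Contoso, Ltd.' and 'CONTOSO LTD' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    kept = [t for t in tokens if t not in LEGAL_SUFFIXES]
    return " ".join(kept or tokens)


def match_to_crsp(victim_name, crsp_names, cutoff=0.85):
    """Best CRSP name for a VCDB victim as (name, similarity), or (None, 0.0).

    Similarity is difflib's ratio on the normalised names.  Every match with a
    score below 1.0, and every (None, 0.0), goes to the manual-verification queue.
    """
    target = normalize_name(victim_name)
    index = {normalize_name(n): n for n in crsp_names}
    hits = difflib.get_close_matches(target, list(index), n=1, cutoff=cutoff)
    if not hits:
        return None, 0.0
    return index[hits[0]], difflib.SequenceMatcher(None, target, hits[0]).ratio()


def attack_category(record):
    """Gordon et al. (2011) category from the VERIS 'attribute' block.

    A record may carry several attributes; the priority below (availability,
    then confidentiality, then integrity) is an assumption, chosen because the
    paper folds 'can disrupt main systems' into availability.
    """
    attrs = record.get("attribute", {})
    for key in ("availability", "confidentiality", "integrity"):
        if key in attrs:
            return key
    return "unknown"


def link_records(records, crsp_names, years=range(2010, 2016)):
    """One row per record inside `years`: victim, matched CRSP name, score, category."""
    rows = []
    for rec in records:
        year = rec.get("timeline", {}).get("incident", {}).get("year")
        if year not in years:
            continue
        victim = rec.get("victim", {}).get("victim_id", "")
        name, score = match_to_crsp(victim, crsp_names) if victim else (None, 0.0)
        rows.append({"incident_id": rec["incident_id"], "year": year,
                     "victim": victim, "crsp_name": name, "score": round(score, 3),
                     "category": attack_category(rec)})
    return rows


if __name__ == "__main__":
    for row in link_records(VCDB_SAMPLE, CRSP_SAMPLE):
        print(row)
```

Two behaviours are worth noting. "Fabrikam Pharma" scores below the cutoff against "Fabrikam Pharmaceuticals Corp" and is left unmatched rather than guessed, which is the kind of case the manual verification step in the text exists for; and anonymised records (no `victim_id`) pass through with no match, so they can be counted but never linked to a listed firm.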

Table 1 Sample selection

4 Results

4.1 Univariate analysis

We classify sample incidents into three groups according to the firm's disclosure policy. We classify an incident as “disclosing” if the firm disclosed the cyber-attack before an outside party discovered it or concurrently with that discovery (143 cases, 51.8%). We classify an incident as “withholding” if the firm had not disclosed the cyber-attack for at least two days after it learned of its occurrence and a party outside the firm subsequently discovered the attack (47 cases, 17.0%).Footnote 15 Disclosing the information shortly after the breach does not amount to withholding, as firms may have legitimate reasons to delay disclosure briefly. For example, fixing security vulnerabilities is the reason Sony gave for its short delay in disclosing the April 2011 breach of 77 million PlayStation Network user accounts.Footnote 16 Indeed, firms may need a few days to reasonably assess an attack and remediate it. However, as the withholding period lengthens, fixing security vulnerabilities becomes a less plausible explanation. For example, Target experienced a data breach involving 40 million of its customers' credit and debit cards in November 2013. Only three weeks later, after third parties had discovered the breach, did Target disclose it to shareholders, saying “Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident,” without stating that fixing vulnerabilities was the reason for the delay.Footnote 17 The reasons companies give for withholding information are often not verifiable and are usually driven by litigation concerns (White 2014). We therefore use an objective criterion to determine withholding: if the firm was aware of the breach and did not disclose it until its discovery by third parties, we classify the breach as withheld. When we alternatively define withholding as a case in which the firm did not disclose the breach for at least 14, 21, or 30 days after it learned of the attack and investors then learned of the attack only from third parties, we find similar results under all alternative definitions.Footnote 18 The Securities and Exchange Commission requires firms to disclose material negative events to investors, so nondisclosure of a material cyber-attack is not a legitimate choice (e.g., White 2014).Footnote 19 Firms are not required to disclose attacks with immaterial effects. In 86 cases, we find that, after discovery of the breach, the firm clarified that it was immaterial.Footnote 20 We classify these 86 cases (31.2%) as “immaterial.”

According to our hypothesis, withholding information is more likely when the damage of the cyber-attack is larger. We use three measures of the cost of the cyber-attack. Damage is an estimate, made by the attacked firm, of the damage the cyber-attack caused, divided by the market value of equity at the beginning of the year. We obtained 38 such damage estimates provided by the attacked firms in their financial statements after the attack. The second variable, severity, is an index taking values from 0 to 10, depending on the severity of the cyber-attack (0 = low damage and 10 = very high damage). Gemalto (an international digital security company) created the index to measure the severity of cyber-attacks. It rates the severity of data breaches based on the type of data breached, the number of records stolen, the source of the breach, and whether the hackers used the stolen data. We calculated the index for the entire sample. Severity and damage are highly correlated (Pearson correlation of 0.49).

The third measure is the market reaction to the cyber-attack, Ret(−1,3), which is the cumulative risk-adjusted return from one trading day before until three trading days after the date a cyber-attack became known to investors. The market reaction should reflect the damage the firm incurs from the attack. However, the market reaction may also reflect the reputational penalty investors impose on a firm for withholding information. In the multivariate analysis below, we address this confounding effect and show that our results are robust.

We adjust stock returns for risk using the value-weighted market return reported by CRSP (VWRETD). Specifically, we compute the difference between the buy-and-hold returns of the stock and the buy-and-hold-returns of the value-weighted market portfolio.Footnote 21 We use this relatively simple risk adjustment because we can apply it to all the cases in our sample, thus maximizing sample size.Footnote 22
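The following script, added as an illustration rather than the authors' code, implements the classification rule of this section (with the two-day grace period and the 14/21/30-day alternatives) and the buy-and-hold market-adjusted return Ret(−1,3) described in the last two paragraphs, then averages the return by group as in Table 4. The incident dates and daily return series are constructed, and treating cases that fit none of the three groups as "unclassified" is an assumption the paper does not make explicit.

```python
"""Disclosure-group classification and the risk-adjusted event return used in
Tables 2 and 4.  Added example, not the authors' code.  The two-day grace
period and the 14/21/30-day alternatives are the paper's; the incident dates
and the daily return series below are constructed, and treating cases that
fit no group as 'unclassified' is an assumption.
"""
from datetime import date


def classify_incident(learned, disclosed, discovered, declared_immaterial=False,
                      grace_days=2):
    """Assign one incident to the paper's groups.

    disclosing  - the firm's disclosure came no later than the outside discovery
    immaterial  - outsiders found it first and the firm then called it immaterial
    withholding - the firm had known for at least `grace_days` when outsiders
                  found it and had not disclosed
    """
    if disclosed is not None and (discovered is None or disclosed <= discovered):
        return "disclosing"
    if discovered is None:
        return "unclassified"            # nothing ever surfaced (assumption)
    if declared_immaterial:
        return "immaterial"
    if (discovered - learned).days >= grace_days:
        return "withholding"
    return "unclassified"                # outsiders beat the firm inside the grace period


def buy_and_hold(returns):
    """Compound simple daily returns: prod(1 + r) - 1."""
    growth = 1.0
    for r in returns:
        growth *= 1.0 + r
    return growth - 1.0


def event_return(stock, market, event_idx, start=-1, end=3):
    """Ret(start,end): buy-and-hold stock return minus buy-and-hold return of the
    value-weighted market (CRSP VWRETD) over trading days event_idx+start ..
    event_idx+end inclusive.  `stock` and `market` are aligned lists of daily
    simple returns; `event_idx` indexes the day the attack became known.
    Returns None when the window runs off the series (assumption: drop, not pad).
    """
    lo, hi = event_idx + start, event_idx + end + 1
    if lo < 0 or hi > min(len(stock), len(market)):
        return None
    return buy_and_hold(stock[lo:hi]) - buy_and_hold(market[lo:hi])


# Constructed incidents: dates, plus five aligned trading days of simple returns
# with the attack becoming known on day index 1 (so Ret(-1,3) spans all five).
SAMPLE_INCIDENTS = [
    {"id": "a", "learned": date(2013, 3, 1), "disclosed": date(2013, 3, 21),
     "discovered": date(2013, 3, 20), "event_idx": 1,
     "stock": [0.010, -0.020, -0.010, 0.000, 0.005],
     "market": [0.002, 0.001, -0.001, 0.000, 0.001]},
    {"id": "b", "learned": date(2014, 6, 2), "disclosed": date(2014, 6, 3),
     "discovered": None, "event_idx": 1,
     "stock": [0.000, -0.003, 0.001, 0.000, 0.000],
     "market": [0.000, 0.000, 0.000, 0.000, 0.000]},
    {"id": "c", "learned": date(2015, 1, 10), "disclosed": None,
     "discovered": date(2015, 1, 12), "immaterial": True, "event_idx": 1,
     "stock": [0.000, 0.002, 0.000, 0.001, 0.000],
     "market": [0.000, 0.001, 0.000, 0.000, 0.000]},
]


def classify_all(incidents=SAMPLE_INCIDENTS, grace_days=2):
    """Map incident id -> group under a given withholding definition."""
    return {inc["id"]: classify_incident(inc["learned"], inc["disclosed"],
                                         inc["discovered"], inc.get("immaterial", False),
                                         grace_days)
            for inc in incidents}


def mean_reaction_by_group(incidents=SAMPLE_INCIDENTS, start=-1, end=3, grace_days=2):
    """Average Ret(start,end) per group, the quantity reported in Table 4."""
    groups = classify_all(incidents, grace_days)
    totals = {}
    for inc in incidents:
        r = event_return(inc["stock"], inc["market"], inc["event_idx"], start, end)
        if r is None:
            continue
        g = groups[inc["id"]]
        s, n = totals.get(g, (0.0, 0))
        totals[g] = (s + r, n + 1)
    return {g: s / n for g, (s, n) in totals.items()}


if __name__ == "__main__":
    for days in (2, 14, 21, 30):
        print(days, classify_all(grace_days=days))
    print(mean_reaction_by_group())
```

Incident "a" (known for 19 days before outsiders found it) is withholding under the 2- and 14-day definitions but drops out under the 21- and 30-day ones, which is the kind of sensitivity the alternative definitions in the text are meant to probe. Requesting the 30-day window on a five-day series returns no groups at all, because incidents whose window runs off the available return series are dropped rather than silently padded.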

Consistent with our hypothesis, Panel A of Table 2 shows the average severity of attacks in the withholding cases, 4.92, is larger than in the disclosing cases, 4.32, at the 0.09 level. The decrease in stock price at the discovery of withholding cases, −1.47%, is also larger than in disclosing cases, −0.33%, at the 0.04 level.Footnote 23 We find that damage in the withholding cases, which is 1.81% of the market value of equity, is larger than in the disclosing cases, 0.62% of market value of equity. However, we only have 13 withholding cases and 19 disclosing cases. Although the damage in the withholding cases is about three times larger than in the disclosing cases, on average, the difference is significant only at the 0.11 level. Overall, the results using the alternative measures of attack severity support the hypothesis that firms withhold information on larger attacks and voluntarily disclose smaller attacks. Panel B of Table 2 compares disclosing to immaterial cases. The results show the three alternative measures of attack severity (severity, Ret(−1,3), and damage) are larger in disclosing than immaterial cases. This result is not surprising because immaterial attacks, by their nature, are small.

Table 2 Univariate analysis

Next, we compare the characteristics of withholding and disclosing firms. Firms are more likely to disclose cyber-attacks when the likelihood of outside parties discovering the breach is larger. As a measure of outside monitoring by investors, we use the number of analysts following the firm. Firms with greater analyst coverage are followed more closely by investors and thus more likely to disclose negative information, such as data breaches. We measure analyst coverage (analysts) as the number of analysts on I/B/E/S during the year. As Panel A shows, firms that disclosed cyber-attacks are followed by 14.11 analysts, on average, whereas withholding firms are followed by 9.86 analysts, on average, and the difference is statistically significant at the 0.02 level. Panel B of Table 2 shows the average number of analysts following firms with immaterial cyber-attacks was 18.57, which is larger than the number of analysts following disclosing firms, at the 0.01 level. These results suggest withholding firms are followed by fewer analysts, which is consistent with less monitoring by investors and hence the lower probability of independent discovery.

Firms with stronger corporate governance are less likely to withhold negative news from their investors, because stronger governance is associated with stronger fiduciary responsibility. We use the number of material weaknesses the firm reported under Section 404 of the Sarbanes-Oxley Act of 2002 in the five years preceding the breach (SOX404) as a measure of governance strength. Section 404 requires all publicly traded companies to establish internal controls and procedures for financial reporting, and its purpose is to reduce the possibility of corporate fraud. Reports of material weaknesses occur when deficiencies in controls create a reasonable possibility of misstatements in the firm's financial statements (Ge and McVay 2005). Although a material-weakness report does not mean a material misstatement has occurred, it indicates that internal controls may not be strong enough to prevent or detect a material misstatement on a timely basis. We therefore expect that the existence of material weaknesses in controls increases the likelihood that firms withhold information on losses associated with cyber-attacks. Data on material weaknesses are available in the AuditAnalytics database.

As Panel A of Table 2 shows, withholding firms had more material weaknesses than disclosing firms in the years prior to the withholding. The average of SOX404 is 0.66 and 0.08 for withholding and disclosing firms, respectively, and the difference is statistically significant at the 0.01 level. We do not find any difference between the average SOX404 of disclosing firms and that of firms that experienced immaterial cyber-attacks (Panel B of Table 2).

We also use Bebchuk et al.’s (2009) entrenchment index as a governance metric. Larger index values suggest weaker corporate governance. As Panel A of Table 2 shows, disclosing firms have lower entrenchment-index values (average 1.36) than withholding firms (average 1.77), and the difference is significant at the 0.02 level. According to Panel B, the entrenchment index of disclosing firms is higher than that of firms with immaterial damage (average 1.36 vs. 1.15, respectively, significant at the 0.09 level). According to Bebchuk et al.’s (2009) entrenchment index, firms that disclose information on cyber-attacks have stronger corporate governance than firms that withhold information on cyber-attacks.

We expect that firms with higher litigation risk will disclose information on cyber-attacks (Skinner 1994). Similar to Kasznik and Lev (1995), we use membership in high-tech industries as a proxy for high litigation risk. We use a high-tech indicator that equals 1 for firms in drugs (SIC codes 2833–2836), R&D services (8731–8734), programming (7371–7379), computers (3570–3577), and electronics (3600–3674) and 0 otherwise. As Panel A of Table 2 shows, 22% of disclosing firms are in these high-tech industries, whereas only 9% of withholding firms are in the high-tech sectors (difference is statistically significant at the 0.02 level). As Panel B shows, the percentage of firms with immaterial cyber-attacks that are in the high-tech sectors (26%) is similar to the percentage of high-tech firms in the disclosing subsample. In the context of our research, high-tech firms may also have greater technical capability to quickly discover and remedy cyber-attacks. Thus technical capability, not litigation risk, could be the reason they are more likely to disclose.

Table 2 also presents the profitability (ROA) in the year before the attack, measured as net income, divided by total assets. Firms may time the disclosure of negative information based on their overall profitability. For instance, firms withhold the negative news in good years, and clean the slate and disclose the negative information in periods with weaker profitability (Levitt 1998). As the table shows, disclosing and withholding firms report similar ROAs, and the differences between the groups are not statistically significant. Therefore differences in profitability do not explain the decision of firms to disclose or withhold information on cyber-attacks.

Finally, we examine whether the three subsamples differ from each other in terms of firm size, measured as the market value of equity at the beginning of the year (MV). In line with the findings on the number of analysts, we find disclosing firms have larger market values than withholding firms; larger firms are often followed by more analysts. In addition, firms with immaterial cyber-attacks have larger market values than disclosing firms, as discussed above.

4.2 Multivariate analysis

Table 3 provides the results for testing whether firms with more severe cyber-attacks are more likely to withhold than disclose the attack. We use a multivariate logistic regression of the following form:

$$ \mathit{Disclosing}_{it} = a + b_1\, \mathit{Severity\ of\ Attack}_{it} + \mathit{controls} + \varepsilon_{it} $$
(2)
Table 3 Multivariate analysis

The dependent variable—disclosing—equals 1 for disclosing cases and 0 for withholding cases. We estimate the model with the three alternative proxies for attack severity defined above (severity, Ret(−1,3), and damage). Control variables are the firm characteristics described in Table 2 and year fixed effects.

As Panel A of Table 3 shows, and consistent with our hypothesis, the severity of the attacks that are withheld is larger than the severity of those that are immediately disclosed. This result holds for the three severity measures.Footnote 24 Specifically, the coefficient on severity (model 1) is −0.055 (p-value = 0.09), and the coefficient on damage (model 3) is −0.805 (p-value = 0.07). Disclosing is also associated with lower stock price decreases upon discovery of the attack—the coefficient on Ret(−1,3) is 0.088 (p-value = 0.03). The larger price decreases associated with withholding reflect both the greater severity of withheld attacks and the negative reputation caused by withholding—we analyze this issue further below.

An examination of the control variables reveals that poor corporate-governance metrics—higher SOX404 and entrenchment—are associated with less disclosing and more withholding of information on cyber-attacks, with significance levels of 0.02 and 0.12, respectively, in Model 1. This result is consistent with the claim that stronger corporate governance leads to more timely disclosure of negative information. Finally, membership in high-tech industries, which serves as a proxy for higher litigation risk, is positively associated with disclosure (p-value = 0.03 in Model 1).

In Panel B of Table 3, we compare disclosing cases with cases of immaterial cyber-attacks. As expected, we find the severity index is higher for disclosing than for immaterial cases (at the 0.01 level, Model 1). However, damage and Ret(−1,3) of disclosing cases are not significantly different from those of immaterial cases (Models 2 and 3). This last finding suggests that the overall damage caused by disclosed attacks is not materially higher than that of attacks classified as immaterial, and thus supports the claim that firms disclose, on average, the smaller cyber-attacks. We also find that larger firms are more likely to experience an immaterial cyber-attack (at the 0.01 level).

Overall, the results in Table 3 support our hypothesis that the severity of withheld cyber-attacks is larger than the severity of disclosed cyber-attacks. Additionally, stronger governance and higher litigation risk are associated with more disclosure and less withholding of information on cyber-attacks.

4.3 Market reaction to cyber-attacks

In efficient markets, the return reaction to a cyber-attack should reflect the damage to the firm from the attack but, in cases of withholding, also the negative reputation associated with withholding information; investors may conclude, from firms withholding information on a cyber-attack, that management is not completely forthcoming about other potential problems. We first perform a univariate analysis of the return reaction (Table 4), and then in a multivariate analysis, we disentangle the direct effect of the attack and the reputation effect.

Table 4 Market reaction to cyber-attack disclosures

Table 4 presents the cumulative risk-adjusted returns surrounding the date investors learned about the cyber-attack. In the main tests, we adjust the returns for risk using the value-weighted market return reported by CRSP (variable VWRETD). We present return reaction for two return windows: (i) a short window from one trading day prior to the disclosure until three trading days after the disclosure, denoted as Ret(−1,3), and (ii) a long window from one trading day prior to the disclosure until 30 trading days after the disclosure, denoted Ret(−1,30).

Focusing on the short window, we find the average market reaction to disclosing is −0.33% but not statistically different from zero. This result suggests data breaches that firms disclosed did not have a significant marginal effect on stock value. These findings coincide with the negative and insignificant stock returns that other studies find around data breaches (e.g., Campbell et al. 2003; Kannan et al. 2007). By contrast, we find the average market reaction to the 47 cases in which firms withheld information on cyber-attacks is −1.47% (significant at the 0.01 level); that is, the stock price fell 1.47%, on average, from one trading day before until three trading days after investors independently discovered the breach. In addition, in cases of immaterial cyber-attacks (86 cases), we find the average market reaction is 0.27% but not statistically different from zero.

Within 30 days of the discovery date, stock prices continued to decline for withholding firms. Specifically, returns 30 trading days after discovery were, on average, −3.56% (significant at the 0.01 level). This result suggests investors take a few days to understand the firm withheld material negative information and to fully respond to the information.

These results support the hypothesis that news of withheld cyber-attacks is more negative than news of disclosed cyber-attacks. Consistent with prior studies, cyber-attacks in general have a small negative effect on the market value of equity; however, in cases where firms withheld information and parties outside the firm eventually revealed the breach, the market reaction was negative and significant. The findings are consistent with our hypothesis that firms withhold negative information below a certain threshold: they disclose less severe cyber-attacks and keep from investors the more severe ones that may significantly affect stock prices.

Figure 1 presents the cumulative risk-adjusted returns from one trading day prior to the discovery date until 60 days after the discovery date for withholding, disclosing, and immaterial cyber-attack cases. The results show a clear pattern: the stock price decrease in the withholding cases is larger than in cases in which firms immediately disclose the breach to investors. The negative reaction to withholding information is not temporary; it persists long after the discovery of the cyber-attack. In comparison, cumulative returns of the disclosing portfolio stay insignificantly different from zero over the 60 trading days. Returns in longer windows may be driven not only by the cyber-attack but also by other events, and the power of the test will therefore be lower, especially in small samples like ours.

Fig. 1

The figure presents the stock market reaction to withholding and disclosing information on cyber-attacks. “Withholding” are cases in which the firm did not disclose the cyber-attack for at least two days after it learned of its occurrence and a party outside the firm consequently discovered the attack. “Disclosing” are cases in which the firm disclosed the cyber-attack no later than its discovery by investors. We also present the market reaction for cases with immaterial damage (“immaterial”); in these cases, an outsider discovered the attack, but the firm declared that the attack caused no material damage. The cumulative risk-adjusted returns from one trading day prior to the discovery date until 60 days after the discovery date are calculated in each case, and the figure presents the mean returns for the stocks in each of the three portfolios. The sample includes 276 cyber-attacks between 2010 and 2015.

If firms announce earnings during the 30 days after the discovery of the cyber-attack, the earnings announcements and not the cyber-attack could affect market reaction. We therefore exclude from the return calculation the three days around the announcement, from a day before to a day after the quarterly earnings announcement.Footnote 25 We find similar results to those presented in Table 4. We also get similar results when we exclude in the same manner seasoned equity offerings and dividend distributions, for which we get data from CRSP.
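The return windows used in Table 4, and the earnings-announcement exclusion just described, can be reproduced with the following function. It is an added example, not code from the paper: the daily returns are constructed, day 0 stands for the discovery date, the risk adjustment is the market-adjusted model (stock return minus the value-weighted market return), and the cumulative return is taken as the sum of daily abnormal returns, which is an assumption about how the paper cumulates returns.

```python
"""Cumulative risk-adjusted (abnormal) returns around a breach discovery date.

Added example, not code from the paper. Trading days are indexed relative to
the discovery date (day 0); negative indices are days before it. Returns are
decimals (0.01 = 1%). Assumptions: the market-adjusted model is used for risk
adjustment, and the cumulative return is the sum of daily abnormal returns.
"""

# Constructed sample for one withholding case: a flat market, a stock that
# falls on discovery and keeps drifting lower, and a quarterly earnings
# announcement on day 12 that lifts the stock by 3% for reasons unrelated
# to the breach.
MARKET = {d: 0.0005 for d in range(-10, 31)}
STOCK = {d: 0.0005 for d in range(-10, 31)}        # no abnormal return before day 0
STOCK.update({0: -0.010, 1: -0.004, 2: -0.002})    # reaction to the discovery
for _d in range(3, 31):
    STOCK[_d] = -0.0005                             # -0.1% abnormal drift per day
EARNINGS_DAY = 12
STOCK[EARNINGS_DAY] = 0.030


def abnormal_return(stock, market, day):
    """Market-adjusted abnormal return on one trading day."""
    return stock[day] - market[day]


def earnings_exclusion(announce_day, half_width=1):
    """Days to drop around an earnings announcement: day-1, day, day+1 by default."""
    return {announce_day + k for k in range(-half_width, half_width + 1)}


def car(stock, market, start, end, exclude=frozenset()):
    """Cumulative abnormal return over relative days start..end (inclusive),
    skipping excluded days. Returned in percent, rounded to 4 decimals."""
    if start > end:
        raise ValueError("window start must not be after window end")
    total = 0.0
    for day in range(start, end + 1):
        if day in exclude:
            continue
        if day not in stock or day not in market:
            raise KeyError(f"missing return for relative day {day}")
        total += abnormal_return(stock, market, day)
    return round(100.0 * total, 4)


def event_windows(stock=STOCK, market=MARKET, earnings_day=EARNINGS_DAY):
    """The windows used in the text: Ret(-1,3), Ret(-1,30), Ret(-1,30) with the
    three days around the earnings announcement removed, and the pre-discovery
    window (-10,-2) that checks for a price decline before the discovery date."""
    return {
        "Ret(-1,3)": car(stock, market, -1, 3),
        "Ret(-1,30)": car(stock, market, -1, 30),
        "Ret(-1,30) ex-earnings": car(stock, market, -1, 30,
                                      exclude=earnings_exclusion(earnings_day)),
        "Ret(-10,-2)": car(stock, market, -10, -2),
    }


if __name__ == "__main__":
    for name, value in event_windows().items():
        print(f"{name:>24}: {value:+.2f}%")
```

On this constructed case the three-day reaction is −1.85%, and removing the three days around the unrelated earnings announcement turns a 30-day return of −1.50% into −4.25%, which is the point of the robustness check in the text: an announcement inside the window can mask part of the decline attributable to the breach. The pre-discovery window (−10,−2) is zero here by construction; in the paper's data a non-negative value over that window is what supports the assumption that the reaction starts on the discovery date.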

4.4 Implied probability of withholding

We estimate the implied probability of cyber-attack withholding using Eq. (1) and the market reaction to disclosing and withholding information on cyber-attacks. Panel B of Table 4 shows the results. Based on the return reaction in the three days after the discovery date, Ret(−1,3), we estimate the probability of withholding to be about 45%, which is twice the return reaction of −0.33% in disclosing cases, divided by the return reaction of −1.47% in withholding cases. If these return reactions indeed capture the damage caused by the cyber-attack, managers will disclose the cyber-attack only when investors believe the probability that managers hold negative information is higher than 45%.

When we use a long return window after the discovery date, we get similar estimates of the probability of withholding. As Panel B shows, cost estimates based on the 30-day return window suggest the probability of withholding is 40%. That is, only when the chance that investors already know of the cyber-attack is at least 40% do firms choose to disclose the information.

As discussed in section 2 above, our measure of the implied probability of withholding assumes the damage is uniformly distributed, and therefore the disclosure threshold is estimated to be twice the average return in the disclosing cases. The distribution of loss may be different, but in any case the disclosure threshold will not be higher (in absolute value) than the actual average return in the disclosing cases. Therefore, at a minimum, the implied probability of withholding is 20% according to the 30-day window (0.72/3.56). Our estimate of the loss in withholding cases may also be biased. We assume the average return in the withholding cases that are discovered represents the damage. However, empirically, the decrease in price upon discovery may be larger than the damage because of the negative reputation effects and litigation risk that can be associated with withholding, in which case our withholding-probability estimates are downward biased. Another assumption we make is that the return reaction to the cyber-attack starts on the discovery date. To validate this assumption, we check and find that the cumulative risk-adjusted return between day −10 and day −2 before the discovery date is 1.00%, that is, not negative. If investors had started suspecting that managers were withholding negative information, prices would have declined before the discovery date.

To estimate the statistical significance of the withholding-probability estimates, and specifically to test that the withholding probability triggering disclosure is higher than zero, we assume it is a proportion distributed between 0 and 1 for a sample of 143 observations. We find the withholding-probability estimates are greater than zero at least at the 0.01 level. Results are similar when we use bootstrapping (e.g., Chernick 2007), drawing 100 random samples with replacement from the original sample of return reactions to estimate the standard deviation.

4.5 Effect of withholding on returns

Next, we examine whether the results in Table 4 reflect the market reaction to the withholding decision after controlling for the damage caused by the cyber-attack. Market reaction is driven by direct damage the cyber-attack causes, but may also reflect the negative reputation associated with withholding. We use a multivariate regression to control for the direct damage caused by the attack and test the additional reputation effects of withholding.

We use the direct-damage estimates disclosed by the attacked firms. In our sample, we find that 38 firms reported the dollar value of the damage caused by the cyber-attack in a press release or in subsequent financial statements. To control for the effect of the damage on the return reaction to the cyber-attacks, we use the following OLS regression:

$$ Ret{\left(-1,3\right)}_{it}={\beta}_0+{\beta}_1{Disclosing}_{it}+{\beta}_2{Withholding}_{it}+{\beta}_3{Damage}_{it}+{\varepsilon}_{it} $$
(3)

Ret(−1,3) is the cumulative risk-adjusted return from one day prior to discovery until three days after discovery, disclosing is an indicator variable that equals 1 for disclosing cases, withholding is an indicator variable that equals 1 for withholding cases, and damage is the damage estimate provided by the firm, divided by the market value of equity at the beginning of the year. A negative slope coefficient on withholding would indicate that a reputation penalty is associated with withholding information from investors.

Table 5 presents the results from estimating Eq. (3). We find that, after controlling for damage, the return reaction to withholding is negative and significant upon the discovery of the attack. In model 2, the coefficient on withholding is −2.325 (significant at the 0.08 level), suggesting that withholding is associated with a decrease of 2.325% beyond the direct damage caused by the cyber-attack. The coefficient on damage is −0.378 (significant at the 0.01 level), suggesting that, within three trading days, investors do not fully react to the direct damage caused by the attack. When we extend the return window to 30 days after the discovery (model 4), the coefficient on damage is closer to −1 (−1.186, with p-value <.01). A coefficient of around −1 on damage suggests investors treat the firm's damage estimate as accurate. The results therefore suggest that the equity values of withholding firms decreased beyond the damage estimates their managers provided after the attack. Part of this additional decrease may relate to the decision to withhold information. If investors eventually learn of the cyber-attack from other sources, they are likely to update their beliefs about the integrity and quality of management. Whether managers withheld information or just failed to monitor their information systems and identify the attack, investors will take the lack of timely disclosure as a negative signal. Furthermore, firms that withhold bad news may face litigation once it is discovered (Skinner 1994, 1997; Kasznik and Lev 1995), which will also negatively affect equity value.

Table 5 Market reaction after controlling for damage reported by firms

Because the regression results suggest that the decrease in equity values upon discovery of withholding is partly driven by the negative reputation effects associated with withholding, the withholding-probability estimates based on returns will be downward biased. For example, when we use the dollar-damage figures reported by firms (see Table 2) instead of the market reaction to calculate the probability of withholding following Eq. (1), the probability of withholding is 69% (2 × 0.624/1.812).

Next, we examine the sensitivity of our results to the inclusion of the firm-characteristic variables introduced in Table 2. The purpose of this analysis is to alleviate concerns that firm characteristics make certain firms more vulnerable to cyber-attacks and hence more likely to be included in the sample. We use the following regression model:

$$ {\displaystyle \begin{array}{l} Ret{\left(-1,3\right)}_{it}={\delta}_0+{\delta}_1{Disclosing}_{it}+{\delta}_2{Withholding}_{it}+{\delta}_3{Severity}_{it}+{\delta}_4{Analysts}_{it}\\ {}\kern1.00em +{\delta}_5{HiTech}_{it}+{\delta}_6 SOX{404}_{it}+{\delta}_7{Entrenchment}_{it}+{\delta}_8{ROA}_{it}+{\delta}_9{LogMV}_{it}+{\varepsilon}_{it}\end{array}} $$
(4)

The results in Table 6 show a negative coefficient on withholding (−1.695, p-value less than 0.01), suggesting returns decreased by 1.695%. The coefficient on disclosing is also negative (−0.503) but not statistically significant from zero, indicating the returns in the disclosing cases are not different than in the immaterial-damage cases. In addition, the coefficient on withholding is lower than the coefficient on disclosing at the 0.01 level. The probability of withholding based on these regression estimates is 45% for the Ret(−1,3) window, which is comparable to the univariate-based results presented in Table 4.

Table 6 Market reaction after controlling for firm characteristics

The coefficient on severity is also negative, as expected, and statistically significant at the 0.09 level. Severity proxies for the damage, and the low significance of the coefficient relative to the coefficient on the actual-damage variable used in Table 5 may be attributed to the noisy nature of this proxy.

We also compute the probability of withholding for different attack severities using the results in Table 6. According to the regression in Table 6, disclosed cyber-attacks decrease share price by 0.503%, on average, whereas withheld attacks decrease share prices by 1.693%. Moreover, an increase of one unit in severity decreases prices by an additional 0.118% (for the severity scale that goes from 1 to 10). These results suggest, for example, that the return reaction to the most severe attacks (severity = 10) that are disclosed is −1.683% (= −0.503 − 10 × 0.118) and, for those withheld, −3.376% (= −0.503 − 1.693 − 10 × 0.118).

Based on these estimates, the probability of withholding, \( prob(withholding)=\frac{2\ast Return\ reaction\ to\ Disclosing}{Return\ reaction\ to\ Withholding}, \) is 99.7% for the most severe attacks (severity = 10) and 53.7% for the least severe (severity = 1).
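The arithmetic of sections 4.4 and 4.5 (the threshold estimate under a uniform damage distribution, its lower bound without the factor of two, the variant based on reported dollar damage, the severity-dependent profile from Table 6, and the bootstrap used for significance) is collected in the following added example. It is not code from the paper: it applies Eq. (1) in the form this section states it, the severity convention is the one used in the text above (the withheld reaction adds the withholding coefficient to the disclosing reaction), and the two return samples fed to the bootstrap are constructed.

```python
"""Implied probability of withholding from average market reactions.

Added example, not code from the paper. The section's form of Eq. (1) is
    prob(withholding) = 2 * |mean Ret, disclosing| / |mean Ret, withholding|
where the factor 2 comes from the uniform-damage assumption (the disclosure
threshold is twice the mean disclosing reaction); dropping it gives the
lower bound the text mentions.
"""
import random
import statistics


def implied_withholding_probability(ret_disclosing, ret_withholding, uniform_damage=True):
    """Mean return reactions in percent (losses are negative). Returns a probability."""
    if ret_withholding == 0:
        raise ValueError("withholding reaction must be non-zero")
    threshold = (2.0 if uniform_damage else 1.0) * abs(ret_disclosing)
    return min(threshold / abs(ret_withholding), 1.0)   # a probability cannot exceed 1


def severity_reactions(disclosing_coef, withholding_coef, severity_coef, severity):
    """Model-implied reactions at one severity level, following the text's
    convention: the withheld reaction adds the withholding coefficient to the
    disclosing reaction."""
    disclosing = disclosing_coef + severity_coef * severity
    withholding = disclosing + withholding_coef
    return disclosing, withholding


def severity_profile(disclosing_coef, withholding_coef, severity_coef, severities=range(1, 11)):
    """prob(withholding) at each severity level of the 1..10 scale."""
    return {
        s: implied_withholding_probability(
            *severity_reactions(disclosing_coef, withholding_coef, severity_coef, s))
        for s in severities
    }


def bootstrap_sd(disclosing_sample, withholding_sample, draws=100, seed=7):
    """Standard deviation of the probability estimate over `draws` resamples
    with replacement of each group (mirrors the 100-sample bootstrap in the text)."""
    rng = random.Random(seed)
    estimates = []
    for _ in range(draws):
        d = [rng.choice(disclosing_sample) for _ in disclosing_sample]
        w = [rng.choice(withholding_sample) for _ in withholding_sample]
        estimates.append(implied_withholding_probability(statistics.mean(d), statistics.mean(w)))
    return statistics.pstdev(estimates)


# Constructed return reactions (percent), used only to exercise the bootstrap.
DISCLOSING_SAMPLE = [-0.5, 0.2, -1.0, -0.1, 0.0, -0.6, -0.3, 0.1]
WITHHOLDING_SAMPLE = [-2.0, -1.0, -1.5, -0.9, -2.5, -0.9, -1.8, -1.2]


if __name__ == "__main__":
    print("Ret(-1,3):      ", implied_withholding_probability(-0.33, -1.47))
    print("Ret(-1,30):     ", implied_withholding_probability(-0.72, -3.56))
    print("lower bound:    ", implied_withholding_probability(-0.72, -3.56, uniform_damage=False))
    print("reported damage:", implied_withholding_probability(-0.624, -1.812))
    for s, p in severity_profile(-0.503, -1.693, -0.118).items():
        print(f"severity {s:2d}: {p:.3f}")
    print("bootstrap sd:   ", bootstrap_sd(DISCLOSING_SAMPLE, WITHHOLDING_SAMPLE))
```

Fed the section's own means and coefficients, the function reproduces the 45% (three-day), 40% (30-day), 20% (lower bound) and 69% (reported damage) figures, and the severity profile runs from 53.7% at severity 1 to 99.7% at severity 10. The cap at 1.0 matters for the bootstrap: a resample whose disclosing mean is large relative to its withholding mean would otherwise produce a "probability" above one.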

4.6 Sensitivity analyses

First, we control for the effect of self-selection. The decision to disclose or withhold may be driven by unobservable factors unrelated to the severity of the attack, which would bias the results reported above, because the withholding/disclosing decision is not an exogenous variable. To deal with this problem, we use an instrumental variable approach.

We use the state of incorporation as an instrumental variable. Some US states require firms to disclose attacks, regardless of their severity. For example, California firms must notify customers or individuals whose private information was breached, and if the number of individuals affected is greater than 500, the company must also notify the Attorney General of California (Cal. Civ. Code § 1798.82). Therefore incorporation in California is expected to affect the decision to disclose but not the damage; that is, incorporation in California will not bring about more severe attacks on firms. This fact allows us to use the state of incorporation as a valid instrument in our analysis.

We identify 25 states, plus the territory of Puerto Rico, that require firms to notify the state attorney general of certain breaches as high-disclosure states. These are: CA, CT, FL, HI, IN, IA, LA, ME, MD, MA, MO, MT, NE, NH, NJ, NY, NC, ND, OK, OR, RI, SC, VT, VA, WA, and PR.Footnote 26 HDState is an indicator variable equal to 1 for these states and 0 for other states of incorporation. We use the following 2SLS estimation:

$$ {Withholding}_{it}=\alpha +\beta {HDState}_{it}+{\varepsilon}_{it} $$
(5a)
$$ Ret{\left(-1,3\right)}_{it}=\alpha +{\beta}_1\overline{Withholding_{it}}+{\beta}_2{Severity}_{it}+ Controls+{\theta}_{it} $$
(5b)

where the variables are similar to those in Eq. (4) above and regressions are estimated with year fixed effects. In the first stage, we estimate (5a) and use the expected value, \( {\overline{Withholding}}_{it} \), in the second stage in estimating (5b).

Of the 51 cyber-attacks against firms incorporated in high-disclosure states, only 11.8% were withheld by the firms, versus 19.0% of the attacks against firms incorporated in other states. Estimating Eq. (5a) with year fixed effects, we find the coefficient on HDState is −0.075 and significantly below zero at the 0.10 level. This result suggests withholding is less frequent in high-disclosure states. Using the expected value from the estimation of Eq. (5a), we estimate (5b) and present the estimation results in Table 7.

Table 7 Controlling for endogeneity

Table 7 includes two regressions—OLS and 2SLS. As the table shows, the coefficients on severity are negative and significant in both regressions, suggesting the severity of the attack reduces stock prices. In addition, the coefficients on all the control variables are of similar magnitude and significance levels. The main difference between the two regressions relates to the coefficient on withholding. Specifically, the coefficient on withholding is negative, −1.265 (p-value = 0.02) in the OLS regression, but once 2SLS is used, the coefficient on \( {\overline{Withholding}}_{it} \) is positive, 20.22 (p-value = 0.03). The results in the OLS regression suggest withholding information produces negative reputation effects. However, once the self-selection is removed, we find withholding by itself does not have a negative effect on stock returns.

We also perform the analysis using the longer return window (−1,30) and find that the coefficient on the withholding instrument, \( {\overline{Withholding}}_{it} \), is negative, −11.70 but not statistically significant (p-value of 0.34). Although the sign of the coefficient on withholding instrument is different for the Ret(−1,3) and Ret(−1,30) return windows, the conclusion is similar—after controlling for endogeneity, withholding does not have a negative effect on returns.Footnote 27
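The gap between the OLS and 2SLS coefficients on withholding in Table 7 has a mechanical explanation that the following added example makes visible. It is a simulation, not code or data from the paper: the firm's withholding decision is generated to depend on a damage component the regression does not observe, while a binary instrument in the role of HDState shifts that decision without touching the damage, and the true effect of withholding on returns is set to zero. The Wald ratio cov(z, y)/cov(z, w) is the just-identified 2SLS estimator for one instrument and one endogenous regressor; all parameter values are assumptions chosen for the simulation, and the controls and year fixed effects of Eq. (5b) are omitted.

```python
"""Self-selection into withholding: OLS versus a Wald (just-identified 2SLS) estimate.

Added example, not code or data from the paper. The firm's withholding choice
is generated so that it depends on damage the regression cannot observe, and a
binary instrument in the role of HDState shifts that choice without affecting
the damage. The true withholding effect is zero by default, so any non-zero
OLS coefficient is pure selection bias. All parameter values are assumptions
for the simulation; the controls and year fixed effects of Eq. (5b) are omitted.
"""
import random


def simulate(n, true_withholding_effect=0.0, seed=1):
    """Return (instrument z, withholding w, return reaction y) for n constructed cases."""
    rng = random.Random(seed)
    z, w, y = [], [], []
    for _ in range(n):
        hd_state = 1 if rng.random() < 0.5 else 0
        hidden_damage = rng.gauss(0.0, 1.0)          # severity that the proxies miss
        # Withhold when hidden damage is large; a high-disclosure state lowers
        # the propensity to withhold. The instrument enters only this decision.
        propensity = hidden_damage - 1.2 * hd_state + rng.gauss(0.0, 1.0)
        withheld = 1 if propensity > 0 else 0
        # Market reaction: driven by the hidden damage plus noise; withholding
        # itself has the effect passed in (zero by default).
        reaction = -hidden_damage + true_withholding_effect * withheld + rng.gauss(0.0, 0.5)
        z.append(hd_state)
        w.append(withheld)
        y.append(reaction)
    return z, w, y


def _mean(xs):
    return sum(xs) / len(xs)


def _cov(xs, ys):
    mx, my = _mean(xs), _mean(ys)
    return sum((a - mx) * (b - my) for a, b in zip(xs, ys)) / len(xs)


def ols_slope(x, y):
    """Slope of y on x in a bivariate OLS regression."""
    return _cov(x, y) / _cov(x, x)


def iv_slope(z, x, y):
    """Wald ratio: reduced form cov(z, y) over first stage cov(z, x).
    Equals 2SLS with one instrument and one endogenous regressor."""
    first_stage = _cov(z, x)
    if abs(first_stage) < 1e-9:
        raise ValueError("instrument does not move the endogenous regressor")
    return _cov(z, y) / first_stage


def compare(n=20000, true_withholding_effect=0.0, seed=1):
    """OLS and IV estimates of the withholding effect on the same simulated sample."""
    z, w, y = simulate(n, true_withholding_effect, seed)
    return {
        "ols": ols_slope(w, y),
        "iv": iv_slope(z, w, y),
        "first_stage": ols_slope(z, w),   # change in P(withhold) when HDState = 1
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>12}: {value:+.3f}")
```

With these parameters the OLS coefficient on withholding comes out strongly negative even though the true effect is zero, because withheld cases carry more unobserved damage, while the instrumented estimate sits near zero. The whole burden is on the instrument: it must move the withholding decision (the first stage can be checked, and in the text it is) and must be uncorrelated with the damage itself, which the data cannot verify and which the text argues for the state-of-incorporation instrument on institutional grounds.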

Another source of self-selection relates to the assumption that ex-post discovered attacks represent the population of withheld attacks. If not all cyber-attacks are discovered or if those undiscovered attacks differ materially from those included in our sample, our results may be biased. To address this issue, we use a procedure similar to that of Heckman (1979).

To estimate the extent of self-selection in the sample of discovered cyber-attacks, we use data from the Verizon Data Breach Investigations Report. The report includes information on data breaches collected by more than 70 cyber-security companies and organizations. The identity of most firms in the report is unknown. The cyber-security companies collected the data during “paid external forensic investigation” services, and although they contributed data on the breaches to the report, they did not reveal the identity of most of the firms that were attacked. Figure 2 of each of Verizon’s 2013, 2014, and 2015 Data Breach Investigations Reports provides the total number of data breaches in each industry for that year.

To estimate the extent of self-selection in our data, we divide the number of known breaches in the industry during 2013–2015 (which are also part of our database) by the total number of breaches indicated by the reports for the industry during those three years. The result is an estimate of the probability that a cyber-attack will be revealed, conditional on industry membership. For example, about 38% of the attacks in the information industry are known (industry no. 51 according to the two-digit North American Industry Classification System), which is about eight times higher than the average rate of discovery according to the Verizon data. As discussed above, high-tech firms face greater litigation risk and may also have greater technical capability to discover and remedy breaches and therefore are expected to more frequently disclose data breaches. Based on these probabilities of discovery, which in essence are the result of the first stage of the Heckman procedure, we calculate the inverse Mills ratio (IMR), and estimate the following regression with year fixed effects:

$$ Ret{\left(-1,3\right)}_{it}=\alpha +{\beta}_1{Withholding}_{it}+{\beta}_2{Severity}_{it}+ Controls+ IMR+{\theta}_{it} $$
(6)

As the results in Table 8 show, the estimation results of Eq. (6) are similar to those presented in the main analysis. Specifically, we find the coefficients on withholding and severity are negative and significant.

Table 8 Controlling for selection bias

In the main tests, we adjust stock returns for risk using the value-weighted market return. We apply this relatively simple risk adjustment to all 276 data breaches in our sample to maximize the sample size. Table 9 presents the results with adjustments for size, book-to-market, and momentum quintile portfolios as in Daniel et al. (1997), applied to 215 breaches, and CRSP size-decile portfolios, applied to 247 breaches. These two alternative risk adjustments yield similar results.

Table 9 Market reaction with alternative risk adjustments

Our results are similar when we control for the type of attack. Using Gordon et al.’s (2011) classification, we add three indicator variables to Eq. (4), one for each attack type (availability, integrity, and confidentiality). The main results (not tabulated) are similar to those reported in Table 6. Specifically, the coefficient on withholding is −1.710 (p-value <0.01), and the coefficient on disclosing is −0.483 (p-value = 0.21). Also, none of the attack-type indicators is significantly different from zero at the 0.10 level.Footnote 28 These results suggest the type of attack does not drive the effect of withholding on the market reaction.

We perform additional robustness tests to rule out alternative explanations to our results. First, to rule out the possibility that marketwide effects are driving our results, we perform the analysis using raw returns instead of market-adjusted returns. For example, we may underestimate the cost of the cyber-attack due to information spillover (e.g., a discovery of an attack on one firm may have an effect on other firms), and by subtracting market returns, we underestimate the cost of the cyber-attack. Using raw returns as the dependent variable in Eq. (4) yields similar results (not tabulated for brevity). The coefficient on withholding is −1.708 and significant (p-value of 0.01); the coefficient on disclosing is −0.638 and statistically insignificant (p-value of 0.20). The results indicate marketwide factors do not drive the different effect of disclosing and withholding on market reaction.

Second, several firms experienced multiple cyber-attacks, and investors may react differently to a first cyber-attack than to a second or third. To control for multiple attacks, we add to Eq. (4) an indicator variable for the first attack on a firm, another for the second attack, and so on. Our results and inferences do not change. The coefficient on withholding is −1.684 and significant (p-value <.01), and the coefficient on disclosing is −0.535 and statistically insignificant (p-value of 0.21).

Third, Gordon et al. (2011) report a decline in the market reaction to cyber-attacks over time. To examine whether change in market reaction over our sample period drives the results, we estimate Eq. (4) with a time-ordinal variable and without the year fixed effects. The coefficient on this variable is not statistically different from zero (−0.002, p-value = 0.22). Also, the results do not change: the coefficient on withholding is −1.587 (p-value = 0.01), and the coefficient on disclosing is −0.482 (p-value = 0.21). The results of this sensitivity analysis suggest change in market reaction over time does not drive the different effect of disclosing and withholding on market reaction that we report.

In addition, we find that a delay in disclosure by itself is not associated with larger negative market reaction. The average return reaction, Ret(−1,30), for cases disclosed and delayed by at least two weeks (20 cases) is 0.46%, whereas for other disclosed breaches (123 cases) the return reaction is −0.90%; the difference between the two groups is not significant (p-value is 0.55). These findings suggest that delayed disclosures are not associated with larger negative market reaction, as long as the firm itself eventually disclosed the attack.

However, delays are associated with a more negative market reaction when third parties discover the attacks. The average return reaction for attacks discovered by third parties more than two weeks after the firm learned of them is −4.83% (30 cases), whereas the reaction is only −1.30% for attacks discovered less than two weeks after the firm learned of them (17 cases); the difference is significant at the 0.10 level (p-value of 0.09). A longer delay between when the firm learns of the attack and when third parties discover it suggests that the firm intentionally withheld the information. While firms may need some time to examine and react to the attack, as the withholding period grows longer, the more likely motivation for withholding is hiding information from investors.

To validate our results, we test whether the decision to withhold information on cyber-attacks is associated with managers’ incentives to do so. Specifically, we examine whether managers who have a larger equity stake in the firm are more likely to withhold severe cyber-attacks from investors. Using data from ExecuComp, we calculate for each firm the value of the options and stock of the top five executives minus their salaries (stock compensation) in the year prior to their decision to withhold or disclose the cyber-attack.Footnote 29 Of the 190 withholding and disclosing cases described in Table 3 (Panel A, Model 1), we find compensation data in 133 cases. We expect to find more withholding cases when managers have higher equity stakes. When we split the sample on stock compensation each year, we find that 33% of firms with above-median stock compensation (high stock compensation firms) withheld information on cyber-attacks (23 withholding versus 46 disclosing cases), whereas only 23% of firms with below-median stock compensation (low stock compensation firms) withheld information on cyber-attacks (15 withholding versus 49 disclosing cases). Consistent with our prediction, we also find that managers of high stock compensation firms withhold more severe attacks. The severity of the attacks withheld by high stock compensation firms (on average, 5.50) is higher than that of the attacks they disclosed (on average, 4.57) at the 0.10 level. In contrast, the severity of attacks withheld by managers of low stock compensation firms was, on average, 4.31, versus an average severity of 4.39 for disclosed attacks. To further test the effect of stock compensation on withholding in a multivariate setting, we estimate the following logistic regression:

$$ {Disclosing}_{it}=\alpha +{b}_1{Comp}_{i,t-1}+{b}_2{Severe}_{it}+{b}_3{Comp}_{i,t-1}\times {Severe}_{it}+ controls+{\varepsilon}_{it} $$
(7)

The dependent variable (disclosing) equals 1 for disclosing cases and 0 for withholding cases. Comp is an indicator variable that equals 1 for firms with above-median stock compensation for the year. Severe is an indicator variable that equals 1 for firms with above-median severity of the cyber-attack. We include control variables and year fixed effects as in Table 2. A negative coefficient on the interaction variable \( {Comp}_{i,t-1}\times {Severe}_{it} \), that is, b3 < 0, would support our prediction that managers with compensation incentives withhold severe cyber-attacks. As Table 10 shows, the coefficient on the interaction variable is negative and significant at the 0.05 level, supporting the prediction.

Table 10 Effect of management compensation

Finally, to demonstrate the market reaction to news announcements of withholding and disclosing firms in general does not differ, we estimate Eq. (4) for earnings-announcement days. For each firm attacked in our sample, we include the market reaction to the four quarterly earnings during the year, from one trading day before to one trading day after the announcement. We find the coefficients on the withholding and disclosing dummy variables are not different from zero, suggesting the effect of the cyber-attack and not a general earnings effect drives the different market reaction we record for disclosing and withholding firms.

5 Conclusion

Cyber-attacks are one of the main risks firms must manage. Prior studies have raised doubts about whether cyber-attacks are indeed so harmful. In particular, studies used the market reaction to cyber-attacks to show that the loss from cyber-attacks is small and decreasing.

The source of information on cyber-attacks, in most studies, is the firm itself. However, managers may have strong incentives to withhold information on cyber-attacks, especially when the occurrence of the cyber-attack and the damage caused are uncertain. Unlike prior studies, we classify cyber-attacks into two main groups: cyber-attacks the attacked firms disclosed and cyber-attacks that were withheld and later independently discovered by sources outside the firm. We show the market reaction to disclosed attacks is indeed small, but the market reaction to withheld attacks is negative and significant.

Using market reactions to cyber-attacks that were disclosed and cyber-attacks that were withheld and later discovered, we estimate the extent to which firms withhold information on cyber-attacks. We find managers disclose less severe attacks and withhold information from investors on attacks that cause greater damage. The evidence is consistent with the theory that managers will not disclose negative information below a certain threshold when investors are uncertain about whether the firm possesses negative information.

The proportion of the market reaction to withheld and disclosed cyber-attacks also implies managers disclose cyber-attacks only when investors already suspect that, with a 40% chance, an attack has occurred. When the likelihood of independent discovery by external parties is lower, managers withhold the information. Overall, our analyses suggest voluntary disclosure of cyber-attacks is rare. If regulators wish to ensure information on cyber-attacks reaches investors, they should consider imposing stricter mandatory disclosure rules regarding cyber-attacks and clearer materiality thresholds.