Cyber attacks have a lasting impact on the way businesses are run, a study found. Researchers at Warwick Business School found that media reports of a cyber attack led to a stock market “shock” as investors sold their shares, but this only lasted a few days. However, security breaches did have a lasting impact on the way firms were run, as they typically paid lower dividends and invested less in research and development up to five years after the attack.

Yet chief executives were no more likely to be sacked following a data leak. On the contrary, they were more likely to receive an increase in total and incentive pay several years after a security breach. Average CEO pay at firms that were not targeted by hackers fell by more than $2 million a year over the same five year period.

Insurance firm Hiscox today revealed that 55 percent of U.K. firms have faced a cyber attack this year, up from 40 percent last year. Yet U.K. firms spent less on cyber security than firms elsewhere, it found.

Daniele Bianchi, assistant professor of finance at Warwick Business School, said, “Firms that suffer a data breach do not typically respond by firing the management, but by investing more in the existing CEO. At first sight, these results may look puzzling. However, they are consistent with the idea that the average response is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered. In the long run, security breaches appear to have a more significant impact on firms’ strategies and policies than their cash flow.”

The latest annual Cost of Data Breach Study for IBM estimates that the average cyber attack in the U.S. cost $7.9 million in 2017. That equates to a record $225 cost for each record compromised.

Dr. Daniele Bianchi and Dr. Onur Tosun, from Warwick Business School, analyzed data breaches at 41 publicly listed companies in the U.S. between 2004 and 2016 for their paper, Cyber Attacks and Stock Market Activity.

They focused solely on breaches reported by the media, including stolen hardware, insider attacks, poor security and hacking. These occurred at large companies, with an average size of $35.4 billion in total assets, consistent with existing evidence that hackers are more likely to choose high profile targets.

The share value and liquidity of a firm dropped significantly on the day a breach was disclosed and the day after, but this reaction vanished after just two days.

For example, shares in Sony Pictures plunged more than 10 percent after hackers Guardians of Peace stole copies of unreleased films, emails and personal information about employees and their families in November 2014.

While operating performance recovered after a cyber attack, these companies tended to invest less in research and development and paid lower dividends over the next five years as they sought to manage the financial risks caused by data breaches.

“Incidents of security breaches that reveal sensitive and confidential information can lead to litigation and government sanctions, but also to a loss of competitive edge against competitors through a reduction of resources dedicated to R&D, dividend payments or investments more generally,” said Onur Tosun, assistant professor of finance at Warwick Business School. “For this reason, companies are often reluctant to reveal information about security breaches due to fear of both short- and long-term market reactions. However, many firms won’t have a choice with tighter regulations demanding that firms report data breaches within 72 hours. Cyber security will therefore become an increasingly important consideration for companies to avoid the damaging fallout once a breach is made public.”

For more information or for a copy of the paper, Cyber Attacks and Stock Market Activity, contact Warren Manger, media relations officer at Warwick Business School, at 024 7657 2512 or warren.manger@wbs.ac.uk.