Market Discipline In The Corporate’s Cybersecurity Governance: Monitoring And Influencing

Cybersecurity incidents have always been the focus of attention.Not only foreign companies such as Facebook,Yahoo and Equifax,but also Chinese companies 58.Com Inc and Trip.com Group have experienced user data breach.The losses caused by cybersecurity incidents are amazing.According to the annual data breach cost research reports of IBM Ponemon Institute,the average costs caused by each data breach record from 2017 to 2020 were 3.62 million,3.86 million,3.92 million and 3.86 million dollars respectively.From the research on patents,with a large number of innovations,cybersecurity is one of the most valuable financial technology innovation.According to the existing literature,we define cybersecurity incident as an event that attacking,destroying,changing,leakage or illegally using of the entire cyber system and the data in the system due to accidental or malicious reasons which cause the abnormal operation of the network,or affects the integrity,confidentiality and availability of network data,so that the data is leaked,stolen and tampered.According to the above definition,the cybersecurity incidents studied in this thesis are data breaches or network paralysis(denial of service)incidents caused by hackers who attacked system security vulnerabilities,planted or spread malware and computer viruses.Based on the specific definition,this thesis hopes to explore that whether the disclosure of cybersecurity incidents will have an impact on the market value of the target companies? Does the impact has spillover effect? Whether companies within the industry will reduce the impact of cybersecurity incidents through the change of corporate behaviors.We mainly study the market discipline for cybersecurity incidents.Market discipline are mainly reflected in two aspects: monitoring and influencing.Therefore,we first discuss the monitoring in market discipline after the disclosure of cybersecurity incidents.Specifically,whether investors will capture the information of cybersecurity incident among the many complex market information,which can be quickly reflected the evaluation of enterprise operation status on the market value of companies.Then,this thesis further explores the influencing in market discipline after the disclosure of cybersecurity incidents.Specifically,due to the change of market value,whether and how public companies will implement cybersecurity governance to alleviate the adverse impact of cybersecurity incidents on enterprises.The significances of this study are as follows: firstly,it enriches the heterogeneous research content of the impact of cybersecurity incidents on firm market value.The existing literature about the heterogeneity of market response mainly focuses on the differences in industries and company characteristics.This thesis discusses whether there are significant differences in market response from new perspectives,such as occurrence frequency,information type and headquarter.Secondly,the results of this thesis provide a practical reference for the types of information that companies should focus on and protect.The type of data disclosure with strong market response should be the data that company need to protect.Third,it provides a reference for companies and policy makers to manage cybersecurity effectively.This thesis investigates the impact of cybersecurity incidents on the behaviors of target firms and their peers through the market monitoring.The conclusions can provide references for the cybersecurity governance of companies and policy makers.Main contributions of the thesis are as follows: first,in terms of research content,this thesis discusses the market response and corporate behaviors of target firms and their peers following the disclosure of cybersecurity incidents.Compared with the existing literatures,they mainly focuses on the target firms,this thesis further brings the peer firms into the research content,and explores the market response and changes of corporate behaviors of the target firms and their peers.Second,from the perspective of application of methodology,based on the text analysis,this thesis investigate the response of target firms and peer firms following the disclosure of cybersecurity incidents.The existing literature conducts corresponding research based on the corporate’s financial or operation data in the form of case study or questionnaire.This thesis uses text analysis methodology to extract information from text and analyze corporate behaviors.Thirdly,from the perspective of sample selection,this thesis takes the earning conference call texts as the sample,and puts forward a new perspective for reference in sample selection for the analysis of cybersecurity related studies.Fourth,in terms of research index measurement,this thesis takes the number of cybersecurity keywords in quarterly meetings as the measurement of cybersecurity relevant information disclosure,so as to reflect the response strategies of companies.This thesis attempts to explore the following important issues: first,from the analysis of target firms,whether market supervision will be effective for cybersecurity incidents? Second,from the analysis of peer firms,whether the impact of the disclosure of cybersecurity incidents will have spillover effect? Third,because of the influence of market supervision and spillover effect,what information disclosure strategies will be adopted by target firms and their peers.Fourth,because of the influence of market supervision and spillover effect,what investment strategies will be adopted by target firms and their peers.Specifically,for the first question,firstly,through the collection of news texts from2013 to 2018 combining with the cybersecurity cases available in the privacy rights clearing house(PRC)database,this thesis construct a sample of cybersecurity incidents occurred in domestic and foreign public companies,with a total of 117 cases as a basic sample of this study.Then,we match the case information of cybersecurity incident with the security code,company name and Standard Industrial Classification code of public company.The data of companies listed in the United States are from CRSP database and companies listed in China are from CSMAR database.Then,this study uses the event study methodology to calculate the excess returns of target firms in different windows,which is an index to reflect the change of company market value.For the second question,this study matches all peer firms with the first four digits of SIC codes of target firms,collects their stock prices and calculates the cumulative excess return to analyze the spillover effect of cybersecurity incident disclosure.Stock prices are from CRSP database.For the third question,this thesis collects the texts of earning conference call of public companies in the United States,and takes the number of cybersecurity related keywords in the conference text as the measurement of corporate cybersecurity information disclosure to analyze the information disclosure strategies of target firms and their peers after the incidents.For the fourth question,this thesis takes the M & A transactions aiming at computer service companies as the research samples,which are collected from Thomson Reuters database,to discuss the change of M & A transactions caused by cybersecurity incident,and tries to analyze the investment strategies of companies.As for the construction of research hypothesis,this thesis first put forward the hypothesis of negative effects of cybersecurity incidents through the explanation of Gordon model based on the efficient market hypothesis.Then,aiming at the spillover effect hypothesis caused by cybersecurity incident,this thesis quotes the theory of contagion effect and competitive effect.Aiming at the hypothesis of corporate behavior,this thesis attempts to explain it through the theory of loss aversion and organizational account.According to the empirical results,this thesis draws several conclusions.First,on the whole,the disclosure of cybersecurity incidents has a significant negative impact on the market value of target firms,and the impact has obvious heterogeneity in industry sector,country of headquarter,data type and incident frequency.Second,the negative impact of cybersecurity incident disclosure has a significant contagion effect in the service industry,finance,insurance and real estate industry.Third,the occurrence of cybersecurity incidents will significantly increase the disclosure of cybersecurity related information by the target firm.On the contrary,peers tend to reduce the disclosure of cybersecurity related information following the cybersecurity incidents.And there is obvious industry heterogeneity in the persistence and degree of impact.Fourth,the more frequent cybersecurity incidents occurred in the target firms,it will promote its M & A transactions aiming at computer service enterprises.The more frequent the cybersecurity incidents occurred within the industry,peer firms may directly purchase advanced cybersecurity technologies and services through cooperation with third parties(computer service companies)to alleviate the impact of incidents.Thus,the market value of the computer service companies as the acquiree increases and the M & A transactions decreases.Based on the conclusions,this thesis also summarizes some suggestions and enlightenments.First,public companies,especially retail and wholesale,service,transportation and public service companies,should focus on cybersecurity incidents.Chinese companies should pay attention to strengthening the protection of user and customer information especially financial information.For companies that have experienced data breaches,they should pay more attention to data security,regularly check whether there are security vulnerabilities,and repair the discovered vulnerabilities in time.Second,when cybersecurity incidents occurred in finance,insurance,real estate and service sectors,peers need to pay attention to the impact of contagion effect.Third,because peer firms tend to reduce the cybersecurity disclosure following the cybersecurity incidents,for all public companies,it is necessary to adopt a mandatory policy of regular disclosure of cybersecurity information.Fourth,the higher the frequency of cybersecurity incidents,the fewer horizontal M & A transactions in the computer service industry,which may exacerbate the waste caused by repeated R & D and resource allocation,and make companies face high R & D costs and risks.