LAKEWOOD RANCH, Fla., June 2, 2021 /PRNewswire/ — A recent study published by the American Accounting Association finds that there is a very real cost for companies that can’t protect their customers’ personal information. In addition to any reputational damage, the study finds that banks effectively apply a financial penalty to companies that have experienced data breaches.
At issue are data breaches in which personal data, such as customer financial account information or social security numbers, is either stolen or inadvertently made public.
"We knew that data breaches were important, but wanted to find a way of quantifying their financial consequences," says Henry Huang, co-author of the study and an associate professor of accounting at Yeshiva University. "We also wanted to learn which variables come into play. For example, we learned there are things companies can do to mitigate damage after a data breach."
Specifically, the researchers wanted to know whether companies that had experienced data breaches faced additional requirements when trying to secure bank loans. To that end, the researchers drew on data regarding 1,081 bank loans to publicly traded companies from 2003 to 2016: 587 loans were to companies that had experienced a data breach; 494 loans were to companies that had not.
To ensure they were seeing the impact of the data breach, and not other factors, the researchers matched each company that had experienced a breach with another company that had similar characteristics but hadn’t experienced a breach.
The results were clear: banks charged substantially higher interest rates to companies that had experienced a data breach, compared to companies that had not. Several factors could make things worse. If the breach involved data on a lot of people, the effect was exacerbated. The effect was also exacerbated if the breach was the result of criminal hacking – rather than a mistake.
The effect was also more pronounced for companies in a subset of "vulnerable" industries: health, personal services, business services, computer, electronic equipment, and transportation. Lastly, companies with good reputations for IT quality fared worse after a data breach – because banks had to make a bigger adjustment to their assessment of the company’s security.
In addition, banks also required more collateral and more covenants from companies that had experienced breaches.
"However, we also identified remedial actions that mitigated the adverse impact of data breaches," says Chong Wang, co-author of the study and an assistant professor of accounting at Hong Kong Polytechnic University. Examples of these actions include retaining a third party to address the data breach and developing plans to improve IT security.
"One take-away message is that firms, especially those in vulnerable industries, should invest more in data security in order to avoid costly punishment in capital markets," Wang says.
"There are also valuable lessons here for accountants and auditors," says Huang. "It highlights the consequence of different types of data breaches in different industries, the importance of safeguarding confidential information, and the value of remedial actions after a breach."
The study, "Do Banks Price Firms’ Data Breaches?," is published in The Accounting Review.
The American Accounting Association (www.aaahq.org) is the largest community of accountants in academia. Founded in 1916, we have a rich and reputable history built on leading-edge research and publications. The diversity of our membership creates a fertile environment for collaboration and innovation. Collectively, we shape the future of accounting through teaching, research and a powerful network, ensuring our position as thought leaders in accounting.
SOURCE American Accounting Association