Jun 7, 2021 By: yunews
A recent study co-authored by Dr. Henry Huang, program director of the MS in Accounting and an associate professor of accounting at , and Dr. Chong Wang, an assistant professor of accounting at Hong Kong Polytechnic University, and published by the American Accounting Association finds that there is a very real cost for companies that can’t protect their customers’ personal information. In addition to any reputational damage, the authors found that banks effectively apply a financial penalty to companies that have experienced data breaches. At issue are data breaches in which personal data, such as customer financial account information or social security numbers, is either stolen or inadvertently made public.
“We knew that data breaches were important, but wanted to find a way of quantifying their financial consequences,” says Dr. Huang. “We also wanted to learn which variables come into play. For example, we learned there are things companies can do to mitigate damage after a data breach.”
Specifically, the researchers wanted to know whether companies that had experienced data breaches faced additional requirements when trying to secure bank loans. To that end, the researchers drew on data regarding 1,081 bank loans to publicly traded companies from 2003 to 2016: 587 loans were to companies that had experienced a data breach; 494 loans were to companies that had not.
To ensure they were seeing the impact of the data breach and not other factors, the researchers matched each company that had experienced a breach with another company that had similar characteristics but hadn’t experienced a breach. The results were clear: banks charged substantially higher interest rates to companies that had experienced a data breach, compared to companies that had not.
Several factors could make things worse. If the breach involved data on a lot of people, the effect was exacerbated. The effect was also exacerbated if the breach was the result of criminal hacking rather than a mistake. The effect was also more pronounced for companies in a subset of “vulnerable” industries: health, personal services, business services, computer, electronic equipment, and transportation.
Lastly, companies with good reputations for IT quality fared worse after a data breach because banks had to make a bigger adjustment to their assessment of the company’s security. In addition, banks also required more collateral and more covenants from companies that had experienced breaches. “However, we also identified remedial actions that mitigated the adverse impact of data breaches,” says Dr. Wang. Examples of these actions include retaining a third party to address the data breach and developing plans to improve IT security.
“One take-away message is that firms, especially those in vulnerable industries, should invest more in data security in order to avoid costly punishment in capital markets,” Dr. Wang says. “There are also valuable lessons here for accountants and auditors,” says Dr. Huang. “It highlights the consequence of different types of data breaches in different industries, the importance of safeguarding confidential information, and the value of remedial actions after a breach.”
The study, “,” is published in The Accounting Review. The is the largest community of accountants in academia. Founded in 1916, it has a rich and reputable history built on leading-edge research and publications. The diversity of the Association’s membership creates a fertile environment for collaboration and innovation, collectively shaping the future of accounting through teaching, research and a powerful network and ensuring the Association’s position as a thought leader in accounting.