Author: Fu, Jiaojiao
Title: The effect of data breaches in the financial service industry : an empirical study
Degree: D.B.A.
Year: 2022
Subject: Business -- Data processing -- Security measures
Computer networks -- Security measures
Crisis management
Information resources management
Hong Kong Polytechnic University -- Dissertations
Department: Faculty of Business
Pages: 95 pages : color illustrations
Language: English
Abstract: A data breach is an incident where information is stolen from a system without the owner's authorization. Both small companies and large organizations suffer from data breach incidents. Stolen data usually involves sensitive, proprietary, or confidential information such as credit card numbers, trade secrets, customer-specific data, or national security matters. The effects after a data breach can come in the form of damage to the target company's firm value as well as its reputation, due to the "betrayal of trust" felt by the customer. Victims and customers will usually also suffer financial or monetary losses, as financial records can be part of the information stolen.
Economic developments and technological improvements have driven modern financial regulation during the last three decades. Banks and financial service institutions have progressed to making the global markets more competitive, and currently, they work more efficiently for banking and financial services customers. Across the last two decades of digitization and data-rization, the finance sector has increasingly combined its services with related technologies, including online banking, mobile banking, e-financial services, e-credit checking, e-Insurance, big data and artificial intelligence, initial coin offerings (ICOs), distributed ledgers and blockchain, smart contracts, regulatory technology ('RegTech'), and digital identity, in a new era of FinTech.
The result of the advanced IT systems and devices in the financial service industry is that cybersecurity and data breach risks are now evolving into one of the major threats to the financial stability and financial security of banks and financial services across the globe. Furthermore, the new advancements of FinTech creative disruption and the cyber risks threaten the already weakened traditional banking and financial service models. The models depend on customer loyalty to upkeep the existing basic services. However, this loyalty is currently facing increased risks, partially caused by the technology challenges and improvements of new FinTech models of services.
The top motivation for cyber-attacks and threats is financial gain or money robbery. Cyber attackers or hackers use malware to obtain money from customer bank accounts. Other motivations for cybercrime may include sabotage or curiosity. There was an estimated cost of more than 2 trillion United States (US) dollars by 2019 on fraud or cyber threats and data breaches. The frequency and severity of cybercrime and cyber-attacks are increasing but can be controlled by further investment in system protection and new FinTech security and safety technology.
Data breaches in the last two decades received significant attention in the financial press but little attention in the academic literature. Analysts and investors have little guidance on the effects of breaches on security-related financial losses. Additionally, when analysts, managers, and investors hear about a data breach, they have little guidance on the potential impact of the breach on the firm's stock. Furthermore, the stock prices of firms in different industries are affected differently after cyber threats and data breach events. In this research study, the hypothesis test results show that the impact on firm value after a data breach incident is negative for financial service firms in the long term.
Data breach legislation differs in different countries around the world. Many countries still do not require firms to notify authorities of data breach incidents. However, in North America and France, firms are obliged to notify affected individuals of a data breach under certain conditions. In the US, listed firms need to disclose the data breach incidents, cyber-attack events, and financial losses estimated in financial reports as well as in public announcements.
In the United States, 47 out of 52 state laws and some sector-specific federal laws already require organizations suffering a data breach to disclose the incident and notify all customers if their data were exposed. Financial firms need to bring in skilled legal advisory personnel and make the correct disclosures and announcements after data breach incidents. The disclosure and announcement need to meet legal requirements, comply with the law, meet the requirements of the board management, and be responsible to customers of the financial service firm. The skilled legal advisor or cyber security legal management officer needs to be in a senior position, and the trend is to position the law officer in the board room.
Based on the above, how are major listed firms affected in earnings and profits by cyber threats? How have the listed financial companies in the US disclosed the cyber security threats or data breach threats in their financial reports? How will firms handle a change of management or respond to the data breach incident in the board room to implement more security control? Finally, if the firms enhance corporate governance in cyber security control by employing an IT officer and appointing a board room officer with a legal background, will the firm value increase after the data breach incident?
Thus, this research developed two hypotheses and performed additional empirical tests to examine 1) whether financial service firm value is impacted after data breach events, 2) how managers respond after data breach events, and whether the firm will add an IT officer to reinforce cyber security control and enhance corporate governance, and 3) finally, whether employing an IT officer and a legal background officer will affect firm value.
Data were collected from databases of the global financial news channels, 3rd party analytical channels, companies' public online reports, Securities and Exchange Commission (SEC) reports, listed companies' earnings and profit reports, and companies' own announcements. These were analyzed to evaluate cyber threats and data breach losses of firms among the top-listed US financial institutions.
This study analyzes current top-listed financial institutions over a recent nine-year time frame (2010-2018) to test the hypotheses developed. The sample construction begins with the Audit Analytics database Cybersecurity Module. The sample is limited to financial service companies only (SIC 6000-6700). The data is then merged with the S&P Capital IQ COMPUSTAT database and the Institutional Shareholder Services Director and Governance database. After eliminating observations with necessary variables missing, there are 88 firm-breach observations left, with 58 unique firms. The sample period is 2010 to 2018, to avoid possible confounding factors from major financial and economic events such as the financial crisis and the coronavirus pandemic. The research study also designed and developed methods to measure data breaches and firms' cyber security awareness after the data breach incident.
In conclusion, the empirical results have shown that in the US financial service industry, listed firm value was negatively impacted after the disclosure of data breaches and cyber threat events, firms' cyber security awareness increased, and firms responded after data breach events by adding an IT officer and reinforcing corporate governance in cyber security and legal management by adding a board room member with a skilled legal background. Finally, additional tests have further shown that firm value will be positively affected after firms increase cyber security awareness, employ an IT security control manager, and enhance corporate governance.
Rights: All rights reserved
Access: restricted access


Please use this identifier to cite or link to this item: https://theses.lib.polyu.edu.hk/handle/200/12172