Companies that are transparent about their cybersecurity risk management efforts are more attractive to investors, after or before a data breach happens in their industry.
In a "contagion effect," though, investors are less likely to show interest in a company after another organization in the same industry suffered a data breach. A paper discussing this effect, called "Do voluntary disclosures mitigate the cybersecurity breach contagion effect?", was published in the Journal of Information Systems by Andrea Seaton Kelton of Middle Tennessee State University.
When a company suffers a data breach, the effect is two-fold. There's the direct financial loss from the breach itself, but it also signals potential investors to be careful or even to back off. The effect is powerful enough to contaminate other businesses in the industry, even if they haven't suffered a breach.
"While the company suffers some decline in attractiveness after the breach, on average it suffers the least if it discloses its cybersecurity risk management program, in a way that is similar to the AICPA's (American Institute of Certified Public Accountants) voluntary reporting guidelines," said Robin Pennington, a professor of accounting in North Carolina State University's Poole College of Management and co-author for the paper.
"We did see evidence of the competition effect with some investors in our study, but on average, the contagion effect overwhelmed the competition effect."
The paper is based on a study involving 120 nonprofessional investors who had to make a few important choices. The researchers found companies that reveal their cybersecurity risk management efforts were much more likely to keep the investors interested. The "contagion effect" was also less likely to affect the more transparent organization.
The paper also tried to better quantify the "competition effect." This happens when investors look for another company to invest in the same industry after their initial choice suffered a breach, and think of it as an advantage. When averaged out, the "contagion effect" was overpowering the "competition effect."
The study concludes that the best policy, for any company, is to be forthcoming on their cybersecurity practices because it's a clear sign to potential investors.