Cyber Attacks and US Banks

Cyberattacks are becoming a larger part of what all industries, not just financial firms, have to deal with. Cyber risk exposure has an economically and statistically significant negative effect on the stock market performance of affected firms. Additionally, there is evidence of contagion effects: idiosyncratic firm-level cyber risk has the potential to spread through interconnected financial markets (same country and industry). In 2011, the Securities and Exchange Commission (SEC) released its initial cybersecurity guidance after a spike in cyberattacks, encouraging companies to pay more attention to cyber risks. Together with Professor Savaser, we are working on a project that aims to document and examine US bank holding companies’ governance strategies to mitigate cyberattacks. The goal is to construct a measure that captures banks’ cybersecurity proactiveness and to examine the type of governance structures that are most effective in dealing with a cyberattack.

We approach the question in multiple stages. First, using text analysis, we document how often cyber terms are mentioned in banks’ annual reports and proxy statements. Second, we analyze the context in which the cyber terms are used. Third, we identify which banks mention cyber risk factors in their disclosures before they or their peers experience an attack or before the SEC published its first guidance on the matter, and which banks act retroactively. Lastly, we merge the dataset with publicly available data on cyberattacks to examine the relationship between the type of governance mechanisms utilized by banks and the frequency of cyberattacks they experience. In the future, we aim to further investigate the topic in the context of non-financial firms.
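
The first three stages described above can be sketched in a few lines of Python. This is an added example, not the project's own code: the term list, the function names, the sample filings and the reading of "proactive" (first mention precedes at least one known trigger year) are all assumptions.

```python
import re
from collections import Counter

# Assumed term list; the project's actual dictionary is not given on the page.
CYBER_TERMS = ["cyber", "data breach", "hacking", "malware", "phishing"]
TERM_RE = re.compile(r"\b(" + "|".join(map(re.escape, CYBER_TERMS)) + r")\w*", re.I)
SEC_GUIDANCE_YEAR = 2011  # year of the SEC's initial guidance, per the text

def count_terms(text):
    """Stage 1: how often each cyber term appears in one filing."""
    return Counter(m.group(1).lower() for m in TERM_RE.finditer(text))

def contexts(text, width=30):
    """Stage 2: keyword-in-context snippets around every hit."""
    return [text[max(0, m.start() - width):m.end() + width].strip()
            for m in TERM_RE.finditer(text)]

def classify(filings, own_attack=None, peer_attack=None):
    """Stage 3: compare the first cyber mention with each trigger year.

    filings maps filing year -> text. Assumed reading of the text: a bank is
    'proactive' if its first mention precedes at least one known trigger.
    """
    years = [y for y, text in filings.items() if TERM_RE.search(text)]
    if not years:
        return {"first_mention": None, "label": "silent", "preceded": []}
    first = min(years)
    triggers = {"sec_guidance": SEC_GUIDANCE_YEAR,
                "own_attack": own_attack, "peer_attack": peer_attack}
    preceded = sorted(k for k, y in triggers.items() if y is not None and first < y)
    label = "proactive" if preceded else "retroactive"
    return {"first_mention": first, "label": label, "preceded": preceded}

# Constructed sample filings (not real disclosures).
BANK_A = {2009: "Operational risks include cyber attacks and phishing of customers.",
          2012: "Cybersecurity risk is overseen by the board risk committee."}
BANK_B = {2009: "Credit and interest rate risk remain our principal risks.",
          2012: "We now disclose cybersecurity risks, including malware."}
BANK_C = {2010: "Liquidity risk is managed by the treasury function."}

if __name__ == "__main__":
    for name, f, own in (("A", BANK_A, 2013), ("B", BANK_B, 2011), ("C", BANK_C, None)):
        print(name, classify(f, own_attack=own))
        for year, text in f.items():
            print(" ", year, dict(count_terms(text)), contexts(text))
```

The `preceded` list keeps the per-trigger comparison visible, so a stricter definition of proactiveness (for example, requiring the first mention to precede every trigger) can be applied without recounting.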