The anatomy of cyber risk

Rustam Jamilov, Hélène Rey, Ahmed Tahoun 05 July 2021


The COVID-19 pandemic and the Great Lockdown have contributed to the global rise in cyber risk, which is already a source of systemic risk for firms (WEF 2016). The number of reported cyber attacks in 2020 grew by an unprecedented 50% (WEF 2020). INTERPOL reported a 569% growth in malware and phishing activities from February to March of 2020 alone (INTERPOL 2020). The average ransomware payment for 2020 was $180,000 (Davis 2020).

Existing work on the economics of cyber security has established a negative relationship between realised cyber attacks and firm performance (Kamiya et al. 2020). We also know that attacks can get amplified by firm supply chain networks (Crosignani et al. 2020). Due to the lack of viable alternatives, most studies rely on realised cyber incidents. But for many reasons, such as reputational losses, attacks are severely underreported, the full extent of the problem may be much greater, and economic damage assessment is challenging (Biancotti and Cristadoro 2018). Precise measurement and quantification of cyber threats is a matter of great importance for regulators and central banks (Kashyap and Wetherilt 2018).

We attempt to fill the gap and provide a new measure of cyber risk exposure that does not rely on voluntary disclosure of information (Jamilov et al. 2021). Our approach builds on Tahoun et al. (2019) and applies state-of-the-art techniques from machine learning and computational linguistics to the texts of quarterly earnings announcements of publicly listed firms. We have transcripts of calls for over 12,000 firms from 85 countries. For each transcript, we use the algorithm to detect relevant combinations of words (“bigrams”). Some of the 30+ relevant bigrams include “cyber risk”, “data breach”, “hack”, “malware”, “phishing”, “trojan”, “email compromise”, “information theft”, and so on. 

The advantage of our approach is that earnings calls have Q&A sessions. Firms get questioned and pressed by investors and market analysts on issues that presenters may not have preferred to touch upon. We find that it is these Q&A sessions that tend to reveal the most interesting conversations. This important feature of the data is also absent in standard regulatory filings.

Our baseline measure of global cyber risk, which is the normalised time-series average of firm-level exposure, is shown in Figure 1. The figure also plots the percentage of all transcripts that record positive exposure. Cyber risk has quadrupled since 2002 and more than tripled since 2013. The number of affected firms, and the intensity of impact, are both at record highs. The figure also highlights several salient cyber incidents, such as the 2014 Sony hack and the 2017 Equifax data breach. Our text-based measures seem to pick up notable cyber incidents very well. In the paper we also show that our index can predict future realised attacks.

Figure 1 Global Cyber Risk Exposure Index

Figure 2 shows the geographical composition of cyber risk exposure. While most threats are still directed at U.S. companies, the share of European, Asian, and British firms has more than doubled over the past five years. In terms of industrial composition, the most affected sectors worldwide are Information & Technology, Services, Finance, and Manufacturing. Finance has grown substantially from virtually no exposure before 2013 to being one of the most impacted areas. A more granular look reveals that 40% of all exposure in the financial sector is attributed to financial intermediaries (banks), 40% to insurance companies, 10% to broker-dealers, and 10% to all the rest.

Figure 2 Global heatmap of cyber risk exposure

The breadth and completeness of textual information allows us to run conditional searches that identify cyber chatter in close proximity to other topics of interest. We use three categories from Tahoun et al. (2019) (“Risk and Uncertainty”, “Positive Sentiment”, “Negative Sentiment”) and construct eight new topics: “Country Names”, “Crypto”, “Insurance and Legal”, “Monetary Loss”, “Pandemics”, “Social Media”, “Politics”, and “Global Events”. The algorithm then counts how many times topic-specific terms are uttered within a 50-word distance of each of our 30+ cyber-specific terms. This approach allows us to contextualise and provide colour on every cyber-risk dialogue.
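The sketch below illustrates the term detection and 50-word proximity count described above. It is an added example, not the authors' code: the cyber terms are the ones quoted in this column, while the topic vocabularies, the sample text, the exact-token matching and the counting rule are assumptions made for illustration.

```python
import re

# Cyber terms quoted in the column (a subset of the authors' 30+ terms).
CYBER_TERMS = ["cyber risk", "data breach", "hack", "malware", "phishing",
               "trojan", "email compromise", "information theft"]
# Constructed vocabularies: the column names these topics but not their terms.
TOPIC_TERMS = {
    "Monetary Loss": ["loss", "losses", "write-off", "fine"],
    "Insurance and Legal": ["insurance", "lawsuit", "litigation"],
}
WINDOW = 50  # word distance stated in the column

# Constructed sample text, not a real earnings call.
SAMPLE = (
    "Analyst: can you comment on the data breach disclosed last quarter? "
    "CFO: the malware was contained quickly and our insurance covers most "
    "of the losses. Separately, litigation over the lease is unrelated."
)

def tokenize(text):
    """Lowercase word tokens; hyphenated words stay one token."""
    return re.findall(r"[a-z0-9]+(?:[-'][a-z0-9]+)*", text.lower())

def find_terms(tokens, terms):
    """Start positions of each exact unigram or bigram match (no stemming)."""
    hits = []
    for term in terms:
        parts = term.split()
        for i in range(len(tokens) - len(parts) + 1):
            if tokens[i:i + len(parts)] == parts:
                hits.append(i)
    return sorted(hits)

def cyber_exposure(text, window=WINDOW):
    """Count cyber mentions and, per topic, topic terms near any of them."""
    tokens = tokenize(text)
    cyber = find_terms(tokens, CYBER_TERMS)
    topics = {}
    for topic, terms in TOPIC_TERMS.items():
        # Assumed counting rule: a topic term counts once if it lies within
        # `window` tokens of at least one cyber term.
        topics[topic] = sum(
            1 for pos in find_terms(tokens, terms)
            if any(abs(pos - c) <= window for c in cyber))
    return {"tokens": len(tokens), "cyber_hits": len(cyber), "topics": topics}

if __name__ == "__main__":
    print(cyber_exposure(SAMPLE))
    print(cyber_exposure(SAMPLE, window=10))
```

Shrinking the window to 10 words drops the “losses” and “litigation” matches, which shows how the distance threshold decides which topic terms are attributed to a cyber discussion.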

We find that the sentiment surrounding cyber risk is becoming increasingly negative. Association of cyber-related discussions with uncertainty and risk is growing. The prevalence of “Insurance and Legal”, “Monetary Loss”, “Global Events”, and “Country Names” topics has risen sharply in recent years. The “Crypto” topic seems to spike around local peaks in the price of Bitcoin. The “Global Events” topic is clustered around famous global cyber incidents such as the 2017 WannaCry ransomware attack.

What are the characteristics of firms that have high cyber risk exposure? We document that firms with a higher likelihood of positive exposure to cyber risk typically fit into the following profile: high ratio of intangible assets to total assets, high liquidity ratio, and large size (as measured by total assets). This finding is robust across different industries and regions.

An important analytical exercise in the paper explores asset pricing implications of cyber risk. We find that firms which record positive cyber risk exposure suffer negative and significant stock market losses. Effects are more severe if cyber chatter carries heavy negative sentiment or is concurrent with terms from the “Insurance and Legal” and “Monetary Loss” topics.

We are able to move beyond estimating direct effects and ask whether there are contagion effects on unaffected firms. A key result in the paper is that cyber risk exposure negatively and significantly impacts unaffected peer firms, which are defined as companies from the same country and industry as their affected peer. Every affected firm, on average, impacts 23 unaffected firms. The distribution of peer-to-affected firm ratios is very skewed, suggesting that the scope for downside risk and cascade effects is substantial. In other words, idiosyncratic cyber incidents have the capacity to spread through financial market networks and cause ripple effects across the system. In this sense, cyber risk can be viewed as a source of systemic risk.

Motivated by a long history of aggregate cyber incidents, we also ask whether there is factor structure in our text-based firm-level measures. We construct a new pricing factor – CyberE – which is defined as the residuals of an AR(1) model fitted to our baseline time series. CyberE betas generate a spread in stock portfolio returns which cannot be explained away by canonical factors. The portfolio that is long low-CyberE-beta stocks and short high-CyberE-beta stocks pays 3.3% on average per year. Classical Fama-MacBeth analysis shows that the price of cyber risk is positive and always significant, despite controlling for the three Fama-French factors and the momentum factor. The economic and statistical significance of our new pricing factor adds further evidence to the notion that cyber risk is systemic in nature.

Can time-variation in cyber risk be gauged and hedged? Our final exercise explores the association between our measures and popular traded cybersecurity ETFs. Interestingly, we find virtually no association, as cybersecurity ETF returns can be wholly explained by the market factor. Existing market-based instruments may be mispriced and cannot credibly serve as a hedge against cyber risk shocks. Understanding and measuring the insurability of cyber threats is an important topic for future research.

References

Biancotti, C and R Cristadoro (2018), “The machine stops: The price of cyber (in)security”, VoxEU, 17 January.

Davis, J (2020), “COVID-19 impact on ransomware, threats, healthcare cybersecurity”, Health IT Security.

Crosignani, M, M Macchiavelli, and A F Silva (2020), “Pirates without Borders: The Propagation of Cyberattacks through Firms’ Supply Chains”, Federal Reserve Bank of New York staff report No 937.

Hassan, T, S Hollander, L van Lent and A Tahoun (2019), “Firm-Level Political Risk: Measurement and Effects”, Quarterly Journal of Economics 134(4).

Jamilov, R, H Rey and A Tahoun (2021), “The Anatomy of Cyber Risk”, NBER Working Paper 28906.

INTERPOL (2020), “INTERPOL report shows alarming rate of cyberattacks during COVID-19”.

Kamiya, S, J Kang, J Kim, A Milidonis, and R Stulz (2020), “Risk Management, Firm Reputation, and the Impact of Successful Cyberattacks on Target Firms”, Journal of Financial Economics, forthcoming.

Kashyap, A and A Wetherilt (2018), “Regulating cyber risk”, VoxEU.org, 21 December.

WEF – World Economic Forum (2016), “Understanding Systemic Cyber Risk”, World Economic Forum: Global Agenda Council on Risk and Resilience.

WEF (2020), “COVID-19 Risks Outlook: A Preliminary Mapping and its Implications”.


Topics:  Financial markets Microeconomic regulation

Tags:  cyber risk, cyber attacks, systemic risk

Post-Doctoral Research Fellow, All Souls College, University of Oxford

Lord Bagri Professor of Economics, London Business School and CEPR Vice President and Research Fellow

Associate Professor of Accounting, London Business School
