
Cybersecurity vulnerabilities and their financial impact

Cyberattacks have become a growing threat to the global economy but are still treated by many companies as merely technical issues. This column uses a novel and direct approach to measure a firm’s cyber risk based on network vulnerability scans. It shows that companies with greater cybersecurity exposure consistently underperform their peers in the stock market. The persistence of cybersecurity vulnerabilities can be attributed to several factors, including labour shortages and managerial priorities. Bridging the cybersecurity talent gap, improving managerial focus on cybersecurity, and increasing transparency in financial markets are crucial steps toward reducing the economic risks associated with cybersecurity.

Cyberattacks have become a growing threat to the global economy with some estimating damages as large as $9.5 trillion globally in 2024 (Cybersecurity Ventures 2024). Despite the increasing prominence of cybersecurity risks, many companies still treat cybersecurity as a primarily technical issue, separate from broader financial concerns. Our new research (Liu et al. 2024) highlights that this approach may be detrimental to companies, as cybersecurity vulnerabilities can negatively impact firm value and investor returns. Firms with more exposed computer networks tend to underperform in the stock market, resulting in significant financial losses for their shareholders. These findings suggest that cybersecurity risks are not only a concern for IT departments, but also for financial stakeholders, investors, and the overall economy.

A major challenge in managing cyber risk is accurately measuring a firm’s vulnerability. Traditional methods of assessing cybersecurity risk, such as analysing disclosed breaches, provide only a partial view of the problem. To address this gap, our paper draws on a novel approach by using network vulnerability scans to measure the exposure of firms’ computer systems to cyberattacks (Liu et al. 2024). These scans detect vulnerabilities in a firm’s network, such as outdated software or open ports, which can be exploited by hackers. By quantifying these ‘open doors’, we provide a direct measure of cybersecurity exposure, which allows for a better understanding of a firm’s vulnerability to cyber threats.

Figure 1 Measurement of cybersecurity exposures

Note: This figure illustrates the measurement of cybersecurity exposures for one high-risk port: Telnet (port number 23). This procedure is replicated for all other high-risk ports. Cybersecurity Exposures measures the total number of exposures across all high-risk ports (Telnet, SMB, SSH, and RDP) in a given firm-month.

This method enables the measurement of cyber risk without relying on public disclosures of breaches, which are often incomplete or delayed. This direct measure offers a more accurate picture of a firm’s cybersecurity risks. Importantly, the exposure metric varies across firms: while some companies have well-secured systems, others have multiple entry points for cybercriminals. By tracking these vulnerabilities over time, our paper links cybersecurity exposures to financial performance, clarifying the financial implications of a firm’s cyber posture.

We find that companies with greater cybersecurity exposure consistently underperform their peers in the stock market. Specifically, firms with high cybersecurity exposure – characterised by numerous exploitable vulnerabilities – experience 0.42% lower excess returns per month compared to firms with lower exposure. The value-weighted average portfolio gives a similar result of 0.59% lower excess returns per month compared to firms with lower exposure.

That translates into a 5% underperformance relative to more secure companies. The financial cost of this underperformance is economically meaningful: for a typical Fortune 500 firm, $87 million in shareholder value is lost due to high cybersecurity exposure. These high-vulnerability companies are also more likely than their low-vulnerability counterparts to incur publicly reported data breaches, which could hurt their reputation and intangible capital.

Figure 2 Cybersecurity breaches by exposure

Note: This figure displays the cumulative number of cybersecurity breaches by high and low cybersecurity exposures. The sample reflects Fortune 500 firms from 2018 through 2022 that can be matched to CRSP and Compustat. High (Low) Exposure is defined as having above (below) median Cybersecurity Exposures. Detailed variable descriptions can be found in the Appendix of our paper.
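The exposure count described in the Figure 1 note and the median split described in the Figure 2 note, as an added Python example (not code from the paper or this column). The scan rows, firm names and IP addresses are constructed. It assumes that one exposure is a distinct (IP, port) pair seen open during the month, that the median split is taken within each month, and it uses the standard default ports for SMB (445), SSH (22) and RDP (3389), which the column does not list.

```python
from collections import defaultdict
from statistics import median

# Telnet/23 is given in the figure note; the other three are standard defaults.
HIGH_RISK_PORTS = {23: "Telnet", 445: "SMB", 22: "SSH", 3389: "RDP"}

# Constructed sample scan observations: (firm, scan_date, ip, open_port).
SCAN_ROWS = [
    ("FirmA", "2022-03-02", "198.51.100.10", 23),
    ("FirmA", "2022-03-16", "198.51.100.10", 23),    # same host/port rescanned
    ("FirmA", "2022-03-16", "198.51.100.11", 3389),
    ("FirmA", "2022-03-16", "198.51.100.11", 443),   # not a high-risk port
    ("FirmB", "2022-03-05", "203.0.113.7", 22),
    ("FirmC", "2022-03-09", "192.0.2.20", 445),
    ("FirmC", "2022-03-09", "192.0.2.21", 445),
    ("FirmC", "2022-03-09", "192.0.2.21", 22),
    ("FirmC", "2022-04-01", "192.0.2.20", 445),
]
FIRMS = ["FirmA", "FirmB", "FirmC", "FirmD"]  # FirmD: scanned, nothing exposed


def firm_month_exposures(rows, firms):
    """Return {(firm, 'YYYY-MM'): number of distinct exposed (ip, port) pairs}."""
    seen = defaultdict(set)
    months = set()
    for firm, date, ip, port in rows:
        month = date[:7]
        months.add(month)
        if port in HIGH_RISK_PORTS:
            # A set removes repeat sightings of the same host/port in a month.
            seen[(firm, month)].add((ip, port))
    # Firms with no findings still get a zero row; dropping them would
    # push the median up and mislabel lightly exposed firms as "low".
    return {(f, m): len(seen[(f, m)]) for f in firms for m in sorted(months)}


def classify(exposures, month):
    """Median split within one month: above median = high, below = low."""
    counts = {f: n for (f, m), n in exposures.items() if m == month}
    cut = median(counts.values())
    # The column does not say how ties are handled; they are reported as-is.
    return {f: "high" if n > cut else "low" if n < cut else "at-median"
            for f, n in counts.items()}
```

A security team can run the same aggregation over its own external scan exports to track the count month over month, independently of any breach disclosure.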

Some scholars may find that surprising, given that risk usually comes with a higher premium: Florackis et al. (2023) point out that there is a positive cybersecurity premium. Using textual analysis of companies’ financial reporting on their cybersecurity posture, they rightly capture public signalling to investors on cybersecurity risk. However, what we are measuring is actual cybersecurity vulnerabilities, which we show are acted upon (e.g. through more data breaches). That’s why there is less than a 0.50 correlation between our two measures.

The underperformance in the stock market among more vulnerable firms is not due to factors such as industry or firm size, as the results are adjusted for standard risk factors. Instead, weak cybersecurity defences act as a drag on stock performance. Therefore, we argue cybersecurity vulnerabilities are increasingly being recognised by financial markets as a significant risk factor, with firms facing high exposure experiencing a direct impact on their market value.

The persistence of cybersecurity vulnerabilities can be attributed to several factors, including labour shortages and managerial priorities. The shortage of qualified cybersecurity professionals is a well-documented issue with an estimated shortage of 265,000 workers in the US alone (CyberSeek 2024). As firms struggle to find the necessary talent to identify and mitigate cybersecurity vulnerabilities, many are left exposed. In fact, experts predict that by 2025 over half of significant cyber incidents will be due to a lack of skilled personnel.

Additionally, managerial inattention could contribute to the persistence of cybersecurity weaknesses. Historically, many companies have treated cybersecurity as a secondary concern, often relegating it to the IT department. This oversight is evident in the fact that 88% of boards in S&P 500 companies lack cybersecurity expertise. Without clear leadership and accountability at the executive level, firms are less likely to prioritise cybersecurity investments, leaving vulnerabilities unaddressed. These findings underscore the importance of treating cybersecurity not just as an IT issue but as a strategic priority for senior management.

One might expect that financial markets would price in the risks associated with cybersecurity exposures, yet our study finds that these risks are not fully reflected in stock prices, particularly in firms with less sophisticated investor bases. While more institutional investors and analysts are beginning to recognise the importance of cybersecurity, many firms still lack investor scrutiny regarding cyber risks. As a result, cybersecurity vulnerabilities may not be adequately priced by the market. That could be an inefficient equilibrium that carries negative externalities for shareholders and society more broadly. An example of these externalities comes from the deep intersectoral linkages in the digital supply chain (Desai and Makridis 2022): a vulnerability at a professional services firm that works with the Department of Defense could lead to a dangerous backdoor, and such weaknesses can propagate across the whole value chain.

Our paper suggests that this mispricing arises from a lack of investor expertise in understanding and assessing cybersecurity risks. Many investors may not have the technical knowledge required to evaluate cybersecurity measures effectively, consistent with survey evidence on firms from Shackelford et al. (2022) and ambiguity in the courts, leading to a disconnect between the actual risks faced by firms and the information reflected in stock prices. For firms with less sophisticated investors, cybersecurity exposures may go unnoticed, resulting in an investment environment where markets fail to appropriately adjust for cybersecurity risks. This inefficiency provides an opportunity for savvy investors to take advantage of mispriced stocks, but it also points to a broader market concern regarding the pricing of emerging risks.

Policymakers can help ensure that firms disclose their cybersecurity posture accurately and transparently. For example, the US Securities and Exchange Commission (SEC) introduced new regulations in 2023 requiring public companies to disclose material incidents (SEC 2023), which built on a patchwork of state laws. That could help increase transparency and provide investors with the information needed to make informed decisions about cybersecurity risks.

But the results also carry over into the boardroom. While publicly traded organisations generally have chief information security officers (CISOs), these titles often come with little authority. Firms need to start taking cybersecurity incidents seriously, and that means focusing on better measurement and taking proactive steps to improve their digital hygiene. Moreover, executives should treat cybersecurity as a critical part of their strategic risk management rather than as an IT issue, ensuring that it receives the necessary attention and funding.

In sum, our research demonstrates that companies with greater cybersecurity exposure tend to underperform in the stock market, costing shareholders significant value. As firms become more digital, the need to address cybersecurity vulnerabilities proactively will grow too, as the costs of inaction are substantial. Bridging the cybersecurity talent gap, improving managerial focus on cybersecurity, and increasing transparency in financial markets are crucial steps toward reducing the economic risks associated with cybersecurity. Ensuring better protection against cyber threats will not only safeguard firms from hackers but also protect investors and the broader economy from the financial losses associated with cybersecurity failures.

Source: VoxEU

GLOBAL BUSINESS AND FINANCE MAGAZINE
