by Sayan Dasgupta, Renuka Sane and Karthik Suresh.
In a previous report on the Information Technology Act, 2000 we described the infirmities in the laws and institutions that govern cybersecurity threat detection and response in India. However, two questions persist. Firstly, what is the true scale of the cybersecurity problem among Indian firms? Secondly, what are the financial and reputational consequences of a cybersecurity breach at an Indian firm?
It is difficult to find answers to the first question in the public domain. But when it comes to the second question, we can gain some insights by looking at how investors respond to the news of cybersecurity incidents whenever such details are made public. In the United States, the results of these studies range from a slightly negative effect on stock prices following the announcement of an incident (e.g. Cavusoglu et al, 2004 estimated an average 2.1% loss in the first two days after disclosure) to no significant effects (e.g. Kannan et al, 2007). Amir et al (2018) however observed that there is a significant difference between the fall in stock prices for firms that disclosed the cybersecurity incident (0.7% decline in one month) vs. firms that withheld this information (3.6% decline in one month).
It is important and interesting to understand the current state of play. How many Indian listed companies have made public disclosures of cybersecurity incidents? How did investors in these companies respond to this news, given the limited information they had? We attempt to provide some insights into these questions by conducting an event study of stock price movements that follow cybersecurity incidents at Indian listed companies. We find a significant negative effect on stock prices under the disclosure regime that prevailed until mid-2023.
Why is it important to make disclosures of cybersecurity incidents?
A cybersecurity incident can be a costly negative externality. In 2022, IBM surveyed 49 Indian companies and estimated the average cost of a single data breach at USD 2.32 million (INR 184.5 million). A firm suffers direct costs (e.g. the cost of data recovery) as well as indirect costs (e.g. loss of trust and goodwill) from a cybersecurity incident. These costs, together with a reluctance to reveal its vulnerabilities to competitors, mean that a firm has little incentive to share information on its cybersecurity incidents.
There are two reasons why firms should make disclosures about cybersecurity incidents. Firstly, consumers have a reasonable expectation of privacy. In India, the Supreme Court in the Puttaswamy decision traced this expectation of privacy to one's right to life and personal liberty. On these grounds, data privacy legislations, such as Article 34 of the EU General Data Protection Regulation and Section 8 of the Digital Personal Data Protection Act, 2023 require firms to disclose details of data breaches to their users. Secondly, securities laws are concerned with whether cybersecurity risks are "material information" that should be disclosed to investors. The concept originated in the United States --- the US Supreme Court in TSC Industries v. Northway held that a given piece of information is "material" if there is "a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote".
Specifically on materiality, the US Securities and Exchange Commission (SEC) issued non-binding guidance in 2011 and 2018 on how a listed entity or market participant should report cybersecurity risks. In March 2022, the SEC went further and proposed a framework for compulsory disclosure of cybersecurity risk, preparedness and incidents. In India, SEBI's general disclosure requirements on materiality are found in Regulation 30 read with Schedule III of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 ("LODR Regulations"). Sub-part B, no. 6 requires the listed entity to report "disruption of operations of any one or more units or division ... due to natural calamity (earthquake, flood, fire etc.), force majeure or events such as strikes, lockouts etc." Although cybersecurity incidents were not explicitly mentioned, many listed companies (example) made such disclosures anyway. In June 2023, specific reporting requirements for cybersecurity incidents were added to the LODR Regulations; we describe them in the discussion section.
Data
Our list of cybersecurity incidents comes from two datasets that provide firm-specific incident information. The first dataset --- the "CISSM Cyber Attacks Database" --- is based on the work of Harry and Gallagher (2018). It is hosted by the University of Maryland (UoM). It has a set of 285 incidents that took place in India between 2014 and 2023. Of these, 45 incidents took place in companies listed in India. This dataset includes detailed information on the type of data that was compromised, the method of attack, and the responses of the affected companies. This data was collected by deploying a customised script that queries a list of news websites for articles or news items on cybersecurity incidents which are collected, sorted and stored. Another script then categorizes these incidents into various types.
The other dataset, called the Data Breach Investigations Report (DBIR), is hosted by Verizon. It has information on the type of breach (e.g., malware, hacking, social engineering), the target of the breach (e.g., government, enterprise, small business), the method of attack (e.g., phishing, spear phishing, watering hole attack) and the impact of the breach (e.g., data loss, financial loss, reputational damage). The DBIR dataset accepts information from a broad set of user-reported sources which are manually sorted by varying levels of confidence. The dataset has 83 incidents that took place in India between 2009 and 2017, of which 11 incidents took place in Indian-listed companies. 8 of the 11 incidents are already mentioned in the UoM database, so we are left with 3 unique entries in the DBIR. We manually categorized these three incidents based on the typology provided by Harry and Gallagher (2018).
The distribution of the different types of cybersecurity incidents is as follows:
Type | Description | No. of incidents |
---|---|---|
Data attack | This type of attack covers the manipulation, destruction, or encryption of data in the target network. | 7 |
Exploitation of application server | This type of attack uses a misconfiguration or vulnerability to gain access to data in a server-side application (e.g. a database) or to the server itself. | 27 |
Exploitation of network infrastructure | This type of attack covers the theft of data through direct access to network infrastructure such as routers, switches and modems. | 1 |
Denial of service | This type of attack is meant to degrade or deny access to other parts of the firm's network. | 3 |
Message manipulation | This type of attack covers interference with the target's ability to accurately communicate information to its customers. | 3 |
Combination of methods | More than one of the above methods was used. | 5 |
Undetermined | The method could not be determined from the available reporting. | 2 |
Total | | 48 |
In total, our dataset has 40 unique companies and 48 incidents that took place between June 2013 and March 2023.
For stock prices, we retrieved the NSE daily closing prices for all the affected companies from CMIE Prowess for the period between 1 March 2013 to 31 July 2023.
Methodology
The event study methodology (ESM) is commonly used to measure stock price reactions to specific events (Fama et al, 1969). We use it to analyze the stock price consequences of cybersecurity incidents. Price reactions are represented by abnormal returns: the difference between a stock's actual daily return and the return that would be expected given that day's movement in the overall market. We use the eventstudies package developed by Anand et al (2014) for our analysis.
This methodology involves the following steps:
- Identifying the event date: The event dates are the dates on which each of the cybersecurity incidents were made public i.e. the date of the news article.
- Calculating the abnormal returns: For each affected company, abnormal returns are calculated on the event date and for 45 trading days before and after it. The abnormal return on a given day is the difference between the company's actual return and the return predicted by the market model, i.e. the firm's estimated alpha plus its estimated beta times the market return on that day, where alpha and beta are estimated from a window of trading days preceding the event window.
- Statistical tests: They help us determine whether the abnormal returns are statistically significant. The abnormal returns are used to test whether the cybersecurity incidents had a significant impact on the stock prices of the affected companies. The statistical tests are conducted using a variety of methods such as the t-test and the Wilcoxon signed-rank test.
- Analyzing the results: The results of the event study are analyzed to determine (i) the magnitude of the impact of cybersecurity incidents on stock prices, (ii) the factors that influence the impact of cybersecurity incidents on stock prices, and (iii) the implications of the results for investors, companies, and regulators.
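To make the steps above concrete, here is an added example of a market-model event study in plain Python. It is not the authors' code and is not the eventstudies R package they used: it estimates alpha and beta by OLS on a pre-event window, computes abnormal returns and cumulative abnormal returns (CAR) over an event window, and averages the CARs across events with a normal-approximation 95% confidence band. Every return series is constructed with a seeded random generator, and the shock sizes, window lengths and number of events are assumptions chosen for illustration, not values taken from any real incident.

```python
"""Market-model event study in plain Python (added example; all data constructed)."""
import math
import random
from statistics import NormalDist


def to_returns(prices):
    """Simple daily returns from a closing-price series: p_t / p_{t-1} - 1."""
    return [prices[t] / prices[t - 1] - 1.0 for t in range(1, len(prices))]


def ols_market_model(stock, market):
    """Fit R_i = alpha + beta * R_m by OLS over the estimation window.
    Returns (alpha, beta, residual_std)."""
    n = len(stock)
    mx, my = sum(market) / n, sum(stock) / n
    sxx = sum((m - mx) ** 2 for m in market)
    sxy = sum((m - mx) * (s - my) for m, s in zip(market, stock))
    beta = sxy / sxx
    alpha = my - beta * mx
    resid = [s - (alpha + beta * m) for s, m in zip(stock, market)]
    sigma = math.sqrt(sum(e * e for e in resid) / (n - 2))
    return alpha, beta, sigma


def abnormal_returns(stock, market, event_idx, est_len, window):
    """AR_t = R_i,t - (alpha + beta * R_m,t) for t in [event_idx - window, event_idx + window].
    alpha/beta are estimated on the est_len trading days immediately before the
    event window, so the event itself does not contaminate the 'normal' return."""
    lo, hi = event_idx - window, event_idx + window
    if lo - est_len < 0 or hi >= len(stock):
        raise ValueError("series too short for the requested windows")
    alpha, beta, sigma = ols_market_model(stock[lo - est_len:lo], market[lo - est_len:lo])
    ar = [stock[t] - (alpha + beta * market[t]) for t in range(lo, hi + 1)]
    return ar, beta, sigma


def cumulative(ar):
    """Cumulative abnormal return: running sum of AR over the event window."""
    out, total = [], 0.0
    for a in ar:
        total += a
        out.append(total)
    return out


def average_car(car_list, conf=0.95):
    """Cross-sectional mean CAR for each event-window day, with a normal-approximation
    confidence band computed from the dispersion of CARs across events."""
    n, k = len(car_list), len(car_list[0])
    z = NormalDist().inv_cdf(0.5 + conf / 2)
    mean, lower, upper = [], [], []
    for t in range(k):
        vals = [c[t] for c in car_list]
        m = sum(vals) / n
        sd = math.sqrt(sum((v - m) ** 2 for v in vals) / (n - 1)) if n > 1 else 0.0
        se = sd / math.sqrt(n)
        mean.append(m)
        lower.append(m - z * se)
        upper.append(m + z * se)
    return mean, lower, upper


def run_demo(n_events=20, est_len=150, window=10, seed=7):
    """Constructed data: each 'firm' has its own beta on a common market factor plus
    idiosyncratic noise, and suffers an assumed shock of -2% on the event day and
    -1% the day after (assumed sizes, not estimates from any real incident)."""
    rng = random.Random(seed)
    total_len = est_len + 2 * window + 1
    event_idx = est_len + window
    cars = []
    for _ in range(n_events):
        market = [rng.gauss(0.0003, 0.010) for _ in range(total_len)]
        firm_beta = rng.uniform(0.7, 1.4)
        stock = [0.0002 + firm_beta * m + rng.gauss(0.0, 0.004) for m in market]
        stock[event_idx] -= 0.02
        stock[event_idx + 1] -= 0.01
        ar, _, _ = abnormal_returns(stock, market, event_idx, est_len, window)
        cars.append(cumulative(ar))
    return average_car(cars)


if __name__ == "__main__":
    mean, lower, upper = run_demo()
    for day, (m, lo, hi) in enumerate(zip(mean, lower, upper), start=-10):
        flag = "*" if hi < 0 or lo > 0 else " "
        print(f"t={day:+3d}  CAR={m:+.4f}  95% CI=[{lo:+.4f}, {hi:+.4f}] {flag}")
```

The confidence band here is the simple cross-sectional one; it widens as the event window lengthens because each additional day adds idiosyncratic noise to every firm's CAR, which is the same effect the widening interval in the results below reflects. A real study would also need to align each firm's series on trading days (not calendar days) and drop events whose estimation window overlaps another event for the same firm.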
Results
Event study results covering all incidents
Fig 1: Event study results for all 48 incidents.
We observe a significant decrease in the cumulative abnormal return (CAR) after the event date. The average decrease in the first month after the event was 3.48%. At its lowest, the CAR was -8.06%. However, the 95% confidence interval widens as the window lengthens, so there is some uncertainty about the true effect of a cybersecurity incident on the stock prices of the affected companies. The sample is small, and the information available on the nature and magnitude of each incident is limited.
Event study covering incidents of the type "exploitation of application server"
Fig 2: Event study results for 27 incidents which were of the type "exploitation of application server".
The majority of the cybersecurity incidents were of the type "exploitation of application server". We conducted a separate event study on this subset. Here we do not see a significant negative effect: in the first month after the event, the CAR increased by an average of 9.79%.
Limitations
Our list of 48 incidents is certainly not exhaustive. Many cybersecurity incidents may never have been reported. Since most of our data comes from news sources, some incidents may have become public long after they actually occurred, so the event date captures the disclosure rather than the breach itself.
Discussion
We began by asking about the financial and reputational consequences of a cybersecurity breach in a listed Indian firm. The trends in our analysis show that investors do tend to react negatively to the news of a cybersecurity incident.
As time progresses, we may be able to find more conclusive answers to both questions, thanks to recent changes in the disclosure regime that should give a truer picture of cybersecurity incidents at Indian listed companies. In November 2022, SEBI proposed amendments to the LODR Regulations in a consultation paper. The paper notes that cybersecurity incidents "may impact the operations and/or performance of the listed entity" but also recognizes that the "immediate disclosure of such events may not be desired since the entity may be vulnerable to further attacks". SEBI therefore proposed that disclosures be made on a quarterly basis in the corporate governance report, with the listed entity stating the root cause of the incident as well as the remedial measures it undertook. In June 2023, these proposals were adopted by amending Regulation 27(2) of the LODR Regulations. As a result, the quality of information on cybersecurity incidents could become considerably richer. This could inform further studies that deploy more sophisticated methodologies, controlling for other factors that affect stock prices and removing the variation they cause before performing the event study.
References
Chirag Anand, Vimal Balasubramaniam, Vikram Bahure and Ajay Shah, eventstudies: an R package for conducting event studies and a platform for methodological research on event studies, NIPFP Macro/Finance group, 2014.
Hassan Cavusoglu, Birendra Mishra and Srinivasan Raghunathan, The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers, International Journal of Electronic Commerce, Vol. 9 (2004), no. 1, pp. 69--104.
Karthik Kannan, Jackie Rees and Sanjay Sridhar, Market Reactions to Information Security Breach Announcements: An Empirical Analysis, International Journal of Electronic Commerce, Vol. 12 (2007), no. 1, pp. 69--91.
Eli Amir, Shai Levi and Tsafrir Livne, Do Firms Underreport Information on Cyber-Attacks? Evidence from Capital Markets, Review of Accounting Studies, Vol. 23 (2018), no. 3, pp. 1177--1206.
Charles Harry and Nancy Gallagher, Classifying cyber events: a proposed taxonomy, Journal of Information Warfare, Vol. 17 (Summer 2018), no. 3, pp. 17-31.
Eugene F. Fama, Lawrence Fisher, Michael C. Jensen and Richard Roll, The Adjustment of Stock Prices to New Information, International Economic Review, Vol. 10 (1969), no. 1, pp. 1--21.
Sayan Dasgupta and Karthik Suresh are researchers at XKDR Forum. Renuka Sane is a researcher at TrustBridge. We thank Ajay Shah, Geetika Palta and Siddhant Bharti for their useful comments.
I find the conclusion of this paper quite weak. In more than half the cases, which have to do with the exploitation of the application server, not only does the conclusion not hold, it actually goes against the conclusion. I suspect that the very large decrease in the overall cumulative abnormal return is due to a few outliers, because more than half the data goes the other way. We should actually remove the outliers to see if there is a broad conclusion here; otherwise it seems that the data set points to there being no significant impact of a cybersecurity incident on the share price. Even the report's authors conclude that if the confidence interval is tweaked just a little bit, the statistical significance seems to go away. This points, to my mind, in the direction of a weak or non-existent correlation between cybersecurity incidents and share price.
Hi Sankarson, thank you for your comments. I agree, our correlation is not strong because the dataset is sparse and spread over a long period. The US studies we cited are based on datasets of a few hundred incidents over a much shorter period of time (e.g. one or two years). The idea behind the blog is simply to draw attention to the topic and spur further research, which we hope to do once companies start reporting breaches based on the new SEBI regulations.
Figure 2 points to a very interesting pattern that is ignored in the blog: firms tend to reveal cybersecurity incidents of the most common type after the release of other good news. This is why we see a large run-up in the stock price BEFORE event date zero. The opposite must be true for the other set of cybersecurity event disclosures.
I also agree with the previous comment: it is worth examining whether the pattern is driven by just one or two firms.