Microsoft Word evripidou-aspasia-dissertation final docx

party entities. (Crisanto & Prenio, 2017)

Yüklə 0,59 Mb.

Pdf görüntüsü

səhifə	2/2
tarix	11.12.2023
ölçüsü	0,59 Mb.
	#147878

1 2

EVRIPIDOU-ASPASIA-DISSERTATION FINAL v2 APOTHESIS

party entities. (Crisanto & Prenio, 2017).
Furthermore, there exists fragmentation in the regulations established by the trio of
European Supervisory Authorities (ESAs). Due to their role as pioneers in the financial
system's technological advancements, banks are subjected to more rigorous and all-
encompassing regulations pertaining to cyber risk. In recent years, the European Banking
Authority (EBA) has issued recommendations and regulatory technical standards, such as
the EBA recommendations on ICT and Security Risk Management. In recent months, the
European Securities and Markets Authority (ESMA) and the European Insurance and
Occupational Pensions Authority (EIOPA) have issued novel recommendations that pertain
to various aspects of cyber risk. (Crisanto & Prenio, 2017).
4.4 Cyber Risk Mitigation for Improved Economic Security
The coexistence of micro- and macro-prudential approaches is imperative in addressing
cyber risk. Micro-prudential policies play a crucial role in addressing the potential threat to
financial stability that may arise from the combined impact of cyber risk on individual

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
39
financial institutions. The issue of cyber risk has been a longstanding consideration in micro-
prudential regulation, and a variety of measures have been developed to mitigate its effects.
In contrast to their focus on cyclical or structural systemic threats to financial stability,
macroprudential policies have yet to accord priority to the mitigation and avoidance of cyber
risk. The domain of cyber risk has been acknowledged solely as a component of operational
risk, and as a result, it has been approached from a micro-prudential perspective. This
observation may serve to clarify the reasons behind this phenomenon. A plausible
hypothesis is that the financial sector has not yet experienced a significant impact from any
authentic cyber incident.
The preventive nature of macroprudential policies may limit their efficacy in addressing
challenges arising from a cyber-incident, rendering current macroprudential tools
inadequate for this purpose. In the event of a cyber incident causing a Global Systemically
Important Bank (G-SIB) to lose its account balance data, traditional measures such as capital
buffers or liquidity tools may not be effective in preventing a potential systemic crisis.
Similarly, in the event of a cyber-attack that incapacitates a significant financial market
infrastructure, causing it to be non-functional for a prolonged duration, these technologies
may become futile.
The potential for cyber threats to materialize swiftly and extensively poses a challenge for
governing entities, rendering existing measures inadequate. Insufficient and inadequate
responses from authorities may result when they are lacking appropriate information
regarding the origin, purpose, and effect of a cyber-incident, particularly when dealing with
system-wide confidence.
Policymakers will need to act in the areas of cyber risk mitigation and enhancement of
financial system resilience. From our perspective, there is a need to enhance both the micro
and macro-prudential regulatory frameworks to effectively address the challenges posed by
cyber threats.
Effective collaboration among authorities is crucial in addressing the multifaceted and
rapidly materializing consequences of cyber risks, which possess the ability to manifest in
diverse forms. The implementation of a collaborative mechanism for coordination is deemed
necessary to achieve this objective. The establishment of a foundational structure should be

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
40
based on a commonly agreed-upon vocabulary and taxonomy, which includes
predetermined criteria and cutoffs for categorization.
The implementation of a standardized taxonomy will facilitate the consistent categorization
of occurrences across all jurisdictions. Additionally, the utilization of a lexicon will ensure
that the material is comprehended accurately by all relevant authorities. An essential aspect
of a coordinating framework is the inclusion of widely recognized points of contact, secure
communication methods, and common information-sharing formats among all participating
authorities.
In order to enhance the groundwork established in the development and evaluation of
diverse cyber risk scenarios, a deeper understanding of the intricacies of the financial system
is imperative. A comprehensive comprehension of the technological and operational
interdependencies within the financial industry may enhance our understanding of the
potential impact of cyber risk on financial stability.
It is probable that the authorities will employ a bottom-up approach in developing a sectorial
map of these interdependencies. This will involve commencing with simpler maps at the
national level, followed by the aggregation and analysis of data at the European level.
Through the implementation of this methodology, domestic governing bodies would be
capable of discerning the interconnectedness inherent within their jurisdiction, whereas
supranational governing entities would possess a comprehensive and overarching
viewpoint. (Healey et al., 2018).
Enhancing our quantitative and qualitative models pertaining to cyber risk, as well as the
interdependencies, amplifiers, and mitigating factors that contribute to a cyber-incident,
would serve as a crucial instrument. (Ros, 2020).
It is imperative for the authorities to not only develop efficient mechanisms, including a
standardized coordination framework, a shared taxonomy and lexicon, interdependencies
maps, and pre-established action plans for specific scenarios, to address a cyber-incident,
but also to guarantee their ability to proficiently employ these mechanisms and enhance
their own and the financial sector's capacities. (Healey et al., 2021).
The establishment of routine cyber exercises in both domestic and international settings by
authorities may aid in preparing the financial industry. Although crisis simulations are

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
41
conducted within the financial industry, their effectiveness is often limited due to their
narrow scope. These drills may only focus on specific aspects such as Financial Market
Infrastructures, single jurisdictions, or particular financial institutions, while overlooking
critical components of a cyber-crisis. The level of maturity exhibited within various legal
systems lacks consistency. If nations engage in periodic cross-national cyber exercises, they
may be incentivized to conduct regular exercises within their own territories.
The exchange of information serves as the fundamental basis for coordination and is an
essential component for implementing a comprehensive response to cyber threats across a
system. Apart from the Financial Services Information Sharing and Analysis Center (FS-
ISAC) and the Cross Market Operational Resilience Group in the United Kingdom, there is
an increasing emphasis on information exchange among regulatory bodies and legal
frameworks.
The establishment of trust is a critical factor in the disclosure of knowledge. There is a
possibility that banks may not disclose all their knowledge regarding cyber-attacks to either
their competitors or regulatory bodies. The promotion of information exchange between
financial institutions and authorities necessitates the elimination of impediments such as
limitations imposed by regulations or national security agencies, absence of trust between
parties, and apprehensions regarding confidentiality and liability. (Healey et al., 2021).
The establishment of a dependable communication system by regulatory bodies would
prove advantageous for the financial sector. It is posited that the optimal approach to achieve
this objective is to foster transparency and confidence among financial establishments,
governmental entities, and the aforementioned parties. It is recommended that an open and
transparent discourse be initiated to address any obstacles that have been identified, and to
explore potential remedies, such as amending existing laws, implementing secure
information sharing mechanisms, or establishing public-private collaboration forums.
Additionally, it is advised that all parties come to a consensus on a standardized set of
regulations and formats for exchanging information.
As previously mentioned, extant micro-prudential regulations pertaining to cyber risk must
be updated to align with emerging technologies and changing conditions and to meet the
expectations of regulatory bodies and international organizations more effectively. (Healey
et al., 2021).

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
43
5. Research: Impact on Share Prices of Cyber-Attacked
Organizations
To understand the size of the financial impact of cyber security breaches, a literature review
will follow regarding studies that have measured such impacts on the organizations’ share
prices and overall market value.
Then, the study that was performed to test the hypothesis that cyber-attacks negatively affect
the share price of cyber-attacked companies, will be presented.
5.1 Literature review of conducted research on the impact of cyber-
attacks on an organization’s market value
In their study, Tweneboah-Kodua, Atsu and Buchanan (2018), point out that the annual cost
of cyber-crime to organizations is more than 400 billion USD and that is only taking into
account the measurable implications of known data breaches. Moreover, they indicate that
there is a large negative impact on the hacked organizations’ stock prices, not only during
the days surrounding the data breach event, but during a larger time span. That is because
investors become cautious over the organizations’ security policies and their effect on the
organizations’ value. Their study also shows that different market sectors react differently
to cyber-crime and other security breaches.
Kamiya et al. (2018) composed a working paper for the USA’s National Bureau of
Economic Research (NBER) studying the impact of cyber-attacks on organizations. They
found that larger and more known organizations with more intangible assets and/or little
investment in risk management, are more prone to cyber-attacks. There is a clear negative
correlation between the cyber-attacks and the organizations’ stock value and other financial
markers, such as sales. Another conclusion they reached is that when the financial
information of the attacked organizations’ clientele is breached, the financial impact is much
more severe than otherwise.
Kammoun et al. (2019) conclude that there are negative but also positive reactions after
cyber-attacks and data breaches. Their results vary depending on the date and the specific
market sector of the organizations under attack. The negative financial impacts are more
evident after the 11/9/2001 (9/11) terrorist attacks in the USA. They also demonstrate that

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
44
the negative financial impacts are more severe on the date of the announcement of the data
breach, and they decrease over time. The finding not expected is that there is a positive
financial effect when only customer information, excluding financial information, is
breached. The literature they examined suggests that this occurs when the organizations
under attack apply a mitigating communication strategy and because the cost of cyber-
attacks is becoming more inexpensive than before.
Iosifidou, Livanis and Zournatzidou (2019), presented the results of their research at the
18th annual conference of the Hellenic Finance and Accounting Association (HFAA). They
demonstrated that there is evidence of negative impact on stock prices of cyber-attacked
companies. Their research also presented an interesting finding, that the negative
implications of cyber-attack announcements seem to be decreasing the more recent the
cyber-attack is. One explanation could be that the markets seem to be growing confidence
that the organizations are being fortified against the negative implications of cyber-attacks
and thus, are mitigating probable risks.
In their study, covering a 10-year period from 2007 to 2016, McShane and Nguyen (2020)
argue that the negative financial impacts are more severe when the data breach results in a
suspension of the organizations’ activities in contrast to more mild data breaches, such as
clientele’s information. Additionally, the markets react more negatively when the data
breach is a result of an inside job, explaining that this fact indicates that there are deeper
organizational issues than just cyber security weaknesses. They too find that organizations
in different market sectors suffer different negative results.
Ali et al. (2021) also reach the conclusion that the negative implications of data breaches
depend on the market sector, the size of the organizations under attack, the information
affected and the event window under examination. They also noted that in many cases, the
negative implications commenced just before the announcement of the data breach, which
indicates that there might be leakage of the events to a part of the market.
In their research paper, Roškot, Wanasika, and Kreckova Kroupova (2021), found that there
is an impact on stock prices as a result of cyber-attacks. Interestingly, there seems to be a
positive reaction of markets when the data breach is announced by the organization under
attack indicating that markets reward with confidence such organizations. However, there
seems to be a short-term negative impact on stock prices.

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
45
Tayaksi et al. (2022), conducted research including 192 samples of cyber-attacks of
organizations from various types of market sectors. Like in previously performed research,
they also concluded that the negative implications on a cyber-attacked company’s market
value vary depending on the market sector said company is part of and the event window
surrounding the cyber-attack. Their literature review along with their study, found evidence
that not only negative implications can be observed, but in some cases, there are positive
implications on stock prices of cyber-attacked organizations.
5.2 Research methodology and data collection
As stated above, a research was conducted to test the hypothesis that there are negative
implications on stock prices of cyber-attacked organizations. After a literature review of
previous similar research and following their example, an event study was conducted, using
secondary research methodology i.e., collection of open-source data (“Dissertation
Handbook for the Master’s Degree Programme in Business Administration (MBA)”, 2022),
as this is a study of choice by several researchers, to evaluate the impact of a significant
event on an organization’s market value (Ali et al., 2021; Iosifidou, Livanis & Zournatzidou,
2019; Kamiya et al., 2018; Kammoun et al., 2019; McShane & Nguyen, 2020; Roškot,
Wanasika, & Kreckova Kroupova, 2021; Tayaksi et al., 2022; Tweneboah-Kodua, Atsu &
Buchanan, 2018).
The first step was to identify organizations which had suffered cyber-attacks. A google
search was performed using key words such as “data breaches”, “cyber-attacks”, “cyber
security breaches”. This led to finding the Wikipedia article “List of Data Breaches” (2023).
Companies that their brand name was world widely known were chosen, as opposed to local
market
companies.
Then,
using
the
internet
site
Yahoo!
Finance
(
https://finance.yahoo.com/
), those companies which were not being publicly traded and
therefore could not become part of this study, were eliminated. Following statistical models
which require a sample size greater than 30, to ensure that the results are statistically
significant (Iosifidou, Livanis & Zournatzidou, 2019), a sample size of 33 organizations,
which had been cyber-attacked between the years 2019-2023, was reached.

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
46
The second step was to determine when exactly the cyber-attack was made publicly known,
as opposed to when it had actually taken place. This choice is logically justified because in
order for an event to have an impact on publicly traded companies, the knowledge of said
event needs to be publicly available. To be able to complete this step, another google search
was performed using the company’s name followed by keywords such as previously stated
and by the year of the cyber-attack. The article used to determine the exact date of the
announcement or leakage of the data breach event to the public, was the one dated before
all other available articles. Moreover, in most cases, the exact date of the announcement was
being reported in the relevant articles (Abrams, 2020; Associated Press, 2022; Bischoff,
2019; Chan, 2021; Drapkin, 2023; Flitter & Weise, 2019; Gatlan, 2023; Goodin, 2023;
Heiligenstein, 2023a; Heiligenstein, 2023b; Marczak et al., 2021; McKeon, 2021; Sharma,
2020; Whittaker, 2019; Zorz, 2020; “T‑Mobile Shares Updated Information Regarding
Ongoing Investigation into Cyberattack”, 2021; “The Nintendo Cyber Security Data
Breach”, n.d.).
The third step was to determine the event windows under examination i.e., the number of
days surrounding the cyber-attack, as well as the time span of the stock prices before the
event, which would be used as reference for statistical comparison purposes. Following the
research of Ali et al. (2021); Iosifidou, Livanis & Zournatzidou (2019); Tayaksi et al.
(2022), along with the dissertation supervisor’s guidance, event windows (-1,1), (-3,3), (-
5,5), (-10,10) were chosen to be examined and as reference sample size, stock prices of 240
business days would be retrieved, the most recent being 17 business days prior to the
announcement or leakage of the event to the public. Moreover, the indices of the stock
markets in which each company was being traded would also be retrieved, for statistical
comparison purposes, for the exact same event windows and reference time span. The
relevant stock market for each company, as well as the stock prices and the stock market
indices
were
downloaded
from
the
internet
site
Yahoo!
Finance
(
https://finance.yahoo.com/
), with the exception of one stock market’s indices (S&P/ASX
200)
which
were
retrieved
from
the
internet
site
Investing.com
(
https://in.investing.com/indices/
).

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
47
5.3 Research results
After having gathered all necessary data, the CARs of each company and for each event
window were calculated. The results are presented in Table 1 below:
Company (Stock Coding)
Event Date
CAR
(-10,10)
CAR
(-5,5)
CAR
(-3,3)
CAR
(-1,1)
Quest Diagnostics Incorporated (DGX)
3-Jun-2019
0.056655
0.004729
0.004564
0.002303
Capital One Financial Corporation (COF)
29-Jul-2019
0.010991
0.020543
-0.002987
-0.051034
Adobe Inc. (ADBE)
25-Oct-2019
-0.021752
-0.004895
0.020064
0.005054
Marriott International, Inc. (MAR)
1-Apr-2020
-0.067867
-0.035949
-0.168510
-0.149394
Nintendo Co., Ltd. (7974.T)
24-Apr-2020
-0.023012
-0.046093
-0.052518
-0.024871
Meta Platforms, Inc. (META)
1-Jul-2020
-0.032418
-0.029892
-0.009702
0.023291
Rakuten Group, Inc. (4755.T)
12-Nov-2020
0.013877
-0.014674
-0.021945
-0.011366
Capcom Co., Ltd. (9697.T)
16-Nov-2020
-0.204312
-0.104132
-0.020776
-0.052749
Microsoft Corporation (MSFT)
3-Jan-2021
-0.054604
-0.036393
-0.042849
-0.011645
T-Mobile US, Inc. (TMUS)
16-Aug-2021
-0.072955
-0.004388
-0.006434
-0.021907
Microsoft Corporation (MSFT)
24-Aug-2021
0.009601
-0.008209
-0.011746
-0.030477
Apple Inc. (AAPL)
13-Sep-2021
-0.007548
-0.015851
-0.032843
-0.020626
Credit Suisse Group AG (CS)
20-Feb-2022
-0.158474
-0.067063
-0.035479
-0.016310
Morgan Stanley (MS)
18-Mar-2022
-0.058509
-0.004932
0.008541
-0.021434
Microsoft Corporation (MSFT)
22-Mar-2022
-0.006969
-0.021333
-0.025805
-0.007712
Verizon Communications Inc. (VZ)
26-May-2022
0.068674
0.024890
0.024110
-0.002063
Marriott International, Inc. (MAR)
5-Jul-2022
-0.072267
0.006855
-0.050150
-0.032029
Uber Technologies, Inc. (UBER)
26-Jul-2022
0.334026
0.185194
-0.082474
-0.033258
Apple Inc. (AAPL)
19-Aug-2022
0.000319
0.007477
0.010790
-0.002582
Samsung Electronics Co., Ltd. (005930.KS)
2-Sep-2022
-0.044968
-0.016930
-0.026293
-0.019036
Holiday Inn | InterContinental Hotels Group PLC (IHG)
6-Sep-2022
-0.026186
0.025475
0.002457
0.002925
Uber Technologies, Inc. (UBER)
15-Sep-2022
0.112748
0.056353
0.089634
0.054111
American Airlines Group Inc. (AAL)
20-Sep-2022
0.052757
-0.006170
-0.042704
-0.012543
Toyota Motor Corporation (7203.T)
11-Oct-2022
-0.016474
0.019267
-0.003920
0.027177
Microsoft Corporation (MSFT)
19-Oct-2022
-0.072282
-0.024582
0.025971
-0.001264
Medibank Private Limited (MPL.AX)
26-Oct-2022
-0.282567
-0.214609
-0.233691
-0.205999
PayPal Holdings, Inc. (PYPL)
18-Jan-2023
0.040807
-0.030034
-0.022783
-0.000676
T-Mobile US, Inc. (TMUS)
19-Jan-2023
-0.066558
-0.062003
-0.056253
-0.020531
Sharp Corporation (6753.T)
6-Feb-2023
-0.063887
-0.109039
-0.131624
-0.008255
Activision Blizzard, Inc. (ATVI)
21-Feb-2023
0.063315
0.016756
0.011723
0.001700
Western Digital Corporation (WDC)
3-Apr-2023
-0.022926
0.069045
-0.015938
-0.045747
Micro-Star International Co., Ltd. (2377.TW)
6-Apr-2023
-0.017912
0.017160
0.015137
0.003512
T-Mobile US, Inc. (TMUS)
1-May-2023
-0.058535
-0.029453
-0.058652
-0.065552
Mean CAR:
-0.020885
-0.013117
-0.028578
-0.022697
Table 1. CARs per Cyber-Attacked Company and per Event Window

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
50
6. Conclusions and Suggestions
As the progressive alteration of financial activities in cyberspace is being thoughtfully
considered, it is evident that the proliferation and differentiation of such actions have
resulted in notable advantages. The burgeoning of online banking and digital payments has
redefined how people manage their finance, making it more accessible and efficient than
ever before. Furthermore, the facet of virtual currencies, crowdfunding programs, and robo-
advisors has widened entry to monetary services and brought forth outstanding procedures
of economic dealings. Recently, advances like DeFi have been pushing the outskirt of
chances available in the digital money universe.
Nonetheless, along with these benefits, the surfacing and intensification of correlated danger
factors must not be overlooked. Data theft, fishing attacks, and ransomware assaults have
generated dreading consequences for the security of our economic data and systems.
Moreover, as technology progresses and financial activities become increasingly digitized,
the complexity and subtlety of cyber risks also heighten.
The result of such perils, when major cyber occurrences like the breach in JPMorgan Chase
and the hacking of the Bangladesh Bank's SWIFT system occur, has been observed. These
events highlight not just the potential size and consequences of cyber-attacks on the fiscal
sector, but also the significance of full-fledged cybersecurity measures.
In the future, financial operations in cyberspace will keep advancing and diversifying due
to technological advancement and varied consumer behavior. Consequently, fresh sources
of danger will appear as well. For instance, concepts like DeFi have immense prospects
though they illustrate new security issues regarding smart contract safety, control, and the
safeguarding of cryptographic keys.
However, notwithstanding these pressure points, there is no mode of moving back the clock
on the digitization of financial undertakings. Thus, the query should not be whether one
ought to accept these developments or not; rather, it is a matter of how, attached hazards,
can be handled efficiently.

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
51
The growth of risk management science has been charted, particularly digital financial
activities. Stress has been laid on the demand for ongoing adaptation and change in pace
with the cyber threat environment and the changing nature of such engagements. (Sandhu,
2012).
As a kickoff, conventional risk management strategies, mainly centered on managing credit,
market, and operational risks were taken into consideration. Though they do possess their
value, these methods were not sufficient to deal with the novel risks caused by cyberspace;
as a result, an expansive transformation of risk management science had to occur. (Soin and
Collier, 2013).
This caused the advancement of cyber risk management, a new discipline that integrates
cybersecurity, data science, and risk management related to finances. This called for
overriding shifts; including the compulsion for the proactive identification of imminent
cyber threats, immediate detection and responding capability, requiring an extensive
viewpoint of managing cyber risks, and attention towards resilience. (Soin and Collier,
2013).
To effectuate such tactics, banks have used a variety of cybersecurity measures and tools
like firewalls, encryption, multi-factor authentication, and real-time reconnaissance
systems. Examples from Standard Chartered Bank and Goldman Sachs demonstrated how
the structures plus effectual contingency plans together with seamless monitoring can be
utilized to take charge and lessen the probable cyber risks.
Looking forward, alteration in risk management science has not finished yet. As financial
actions advance in the digital world along with diversifying, new cyber threats will arise.
(Sandhu, 2012).
Risk management science has to still move ahead, embracing fresh equipment, proceedings,
and methodologies when the situation demands. This necessitates persistent investigation,
investing resources, and joining hands between several stakeholders. In addition, there is
the need for a proactively holistic approach focusing not only on defense using technicality
but also on business and human aspects.
The evolution of risk management science is an exemplification of the dynamic character
of financial responsibilities, as well as the cyber risk atmosphere. It demonstrates the

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
52
importance of constant productiveness, renovation, and alertness when it comes to
controlling cyber risks. As the world walks through the days of technology, the capacity to
administer this hazard effectively shall be crucially required to guarantee the security,
consistency, and continuity of digital financial involvements. (Sandhu, 2012).
The effective development, sustenance, and execution of financial service innovation,
maintenance, and strategy are significantly dependent on the data systems employed by
financial institutions. The dependence of the financial system on data and confidence,
coupled with its interdependencies and the challenge of obtaining a comprehensive
understanding of them, renders cyber risk a potential threat to financial stability. (Healey et
al., 2018).
The banking industry is frequently targeted by cyber-attacks. As per the findings of
scholarly investigations, the financial services sector bears a disproportionately high annual
expenditure in the aftermath of hostile cyber incidents. Upon closer examination of hostile
cyber incidents, it is evident that each passing month witnesses the emergence of fresh
attacks that exhibit greater levels of intensity and intricacy.
The risk posed by cyber threats is discernibly different from other forms of peril that
businesses may encounter. The concept of cyber risk is intricately linked to technology, yet
it is also heavily contingent on human factors and protocols, both of which can engender
vulnerabilities. Cybersecurity threats, which are frequently tailored to target the financial
sector, take advantage of vulnerabilities through various methods including but not limited
to stealing data, assuming identities, attacking supply chains, and encrypting data. While a
cyber-incident at a singular institution may not pose a threat to the entire system, it has the
potential to severely impede the institution's ability to operate effectively. (Healey et al.,
2021).
The financial sector highly values precision and reliability, however, the intricate network
of interconnections that sustains it remains largely opaque. The susceptibility of the
financial sector to cyber-attacks due to its inherent features has the potential to impact
financial stability through cyber risk. Both quantitative and qualitative models are being

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
53
developed to assess the potential impact of cyber risk, each with its own unique advantages
and limitations. (Ros, 2020).
The conceptual model of the European Systemic Risk Board (ESRB) is founded upon the
approach of the Financial Stability Board (FSB) towards the macro-financial implications
of operational and cyber risks. The model can be utilized to examine both actual and
hypothetical scenarios in order to comprehend the progression of a cyber-incident into a
systemic event and identify potential countermeasures to mitigate its impact. (Ros, 2020).
Upon utilizing the model, the Economic and Social Council of Greece (ESCG) determined
that the occurrence of a cyber-incident would necessitate a specific convergence of
circumstances to pose a threat to financial stability. (Ros, 2020).
In order to address the potential impact of cyber risk on the financial system, it is imperative
to implement both micro- and macroprudential regulations. The efficacy of macroprudential
policies has been subject to scrutiny due to certain areas that require further improvement.
One such area pertains to the insufficient consideration of cyber risk, in contrast to the
relatively greater emphasis placed on micro-prudential policies. One possible explanation is
that following the introduction of macroprudential tools in financial regulation, there have
been no documented instances of a cyber-attack causing harm to financial stability. The
presence of cyber risk characteristics may pose a challenge in utilizing existing
macroprudential tools to tackle issues arising from cyber incidents. (Healey et al., 2018).
Regulatory bodies and entities with influence in the financial sector are placing greater
emphasis on cyber risk as a key area of concern. The scope of the work carried out varies
from overarching principles disseminated by entities such as the G7 or the Basel Committee
on Banking Supervision (BCBS) to particular directives, such as those promulgated by the
European Banking Authority (EBA). Several European initiatives have been introduced,
such as the Digital Operational Resilience Act (DORA) and the Revised Directive on
Security of Network and Information Systems (NIS2). Efforts are being made by authorities
to mitigate the effects of regulatory fragmentation on cyber risk through initiatives such as
DORA and NIS2, despite the lack of a uniform approach within the current regulatory
framework for addressing cyber risk.
It is a contention that, given the intrinsic characteristics of the financial industry and the
associated cyber hazards, coupled with the current legislative and policy framework,

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
54
additional efforts are required to alleviate the impact of cyber incidents on financial stability.
Notwithstanding the government's augmented emphasis on cyber risk, it is posited that
legislation could be fortified through two means:
(i) enhancing the collaboration among
authorities during cyber emergencies, and (ii) augmenting the comprehension of cyber risk
and its plausible ramifications on the overall economy.
(Healey et al., 2018).
During the conducting of the research, the reviewed previous researches demonstrated that
there is strong correlation between cyber security breaches and negative impact on a firm’s
market value. They also indicated the notion that many subcases exist and the repercussions’
significance of such data breaches may vary depending on the market sector, the size of the
cyberattacked firm, the value of the firm’s brand name, etc. There is also a suggestion
emerging, that the more the organizations are being fortified against the negative
implications of security breaches the less the negative impact of such breaches on their
value.
The research conducted within the scope of this dissertation, confirmed the previously
conducted studies, that there is negative impact on a firm’s stock price the days following
the cyber-attack. However, it has also suggested that the negative repercussions seem to
decrease the further away from the announcement day. Possible future research could
examine whether this suggestion is due to chance or a result of maybe how a cyber-attacked
firm is handling the event, e.g., announcing the security breach event along with measures
taken to mitigate the negative repercussions, as opposed to trying to hide it and the security
breach leaking another way to the public.
It is apparent that the more the organizations are depending on cyber technology and tools
to conduct their business, the more exposed they are to cyber risks and thus, the more they
will need to invest in systems, processes and procedures that prevent such risks, whether
external, internal or accidental and at the same time, in the event of an incurred security
breach to directly mitigate possible negative implications.

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
56
Associated Press (2022).
Apple Warns of Security Flaws in iPhones, iPads and Macs
.
Retrieved on 12/5/2023, from
https://www.npr.org/2022/08/19/1118406888/apple-
iphone-ipad-mac-security-updates
.
Bischoff, P. (2019).
7 Million Adobe Creative Cloud Accounts Exposed to the Public
.
Retrieved on 12/5/2023, from
https://www.comparitech.com/blog/information-
security/7-million-adobe-creative-cloud-accounts-exposed-to-the-public/
.
Boer, M., & Vázquez, J. (2017).
Cyber Security & Financial Stability: How cyber-attacks
could materially impact the global financial system
, Institute of International Finance,
Washington, DC.
Böhme, R., Christin, N., Edelman, B., & Moore, T. (2015). Bitcoin: Economics,
Technology, and Governance.
The Journal of Economic Perspectives
, 29(2), 213–238.
Castells, M. (2010).
The Rise of the Network Society: The Information Age: Economy,
Society, and Culture Volume I
. Wiley-Blackwell.
Chan, D. (2021).
Microsoft Exchange Server Data Breach (2021)
. Retrieved on 9/5/2023,
from
https://cyberlaw.ccdcoe.org/wiki/Microsoft_Exchange_Server_data_breach_(2021)
.
Collin, E., & Juntti, G. (2016).
No Protection, No Business: An Event Study on Stock
Volatility Reactions to Cyberattacks between 2010 and 2015 for Firms Listed in the USA
.
(Unpublished Thesis). Umeå Universitet, Företagsekonomi.
Crisanto, J.C., & Prenio, J. (2017). Regulatory approaches to enhance banks’ cyber-security
frameworks.
FSI Insights on Policy Implementation, No. 2
, Financial Stability Institute,
Bank for International Settlements.
Drapkin, A. (2023).
Data Breaches That Have Happened in 2022 and 2023 So Far
.
Retrieved on 9/5/2023, from
https://tech.co/news/data-breaches-updated-list
.

Aspasia Evripidou, Financial Cybersecurity Risk Management,
Cybernomics and Financial Repercussions of Cybersecurity
Breaches. A Study of the Impact on Share Prices and Overall
Firm Value of Cyber-Attacked Organizations
Postgraduate Dissertation
59
Kammoun, N., Bounfour, A., Özaygen, A., & Dieye, R. (2019). Financial Market Reaction
to Cyberattacks.
Cogent Economics & Finance
, 7(1), 1645584.
Kashyap, A. K., & Wetherilt, A. (2019). Some principles for regulating cyber risk.
AEA
Papers and Proceedings, 109
, 482-487.
Kopp, E., Kaffenberger, L., & Wilson, C. (2017).
Cyber Risk, Market Failures and
Financial Stability
. Working Paper 17/185, International Monetary Fund.
Li, Y., & Liu, Q. (2021). A comprehensive review study of cyber-attacks and cyber security;
Emerging trends and recent developments.
Energy Reports
,
7
, 8176-8186.
Marczak, B., Scott-Railton, J., Razzak, B.A., Al-Jizawi, N., Anstis, S., Berdan, K., &
Deibert, R. (2021).
FORCEDENTRY: NSO Group iMessage Zero-Click Exploit
Captured
in
the
Wild
.
Retrieved
on
12/5/2023,
from
https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-
captured-in-the-wild/
.
Marr, B. (2016).
Big Data in Practice: How 45 Successful Companies Used Big Data
Analytics to Deliver Extraordinary Results
(1st ed.). Wiley.
McCarthy, P.X., Gong, X., Eghbal, S., Falster, D.S., & Rizoiu, M. (2021). Evolution of
Diversity and Dominance of Companies in Online Activity.
PloS One
, 16(4), e0249993-
e0249993.
McKeon, J. (2021).
Microsoft Data Breach Exposes 38M Records Containing PII
.
Retrieved on 9/5/2023, from
https://healthitsecurity.com/news/microsoft-data-breach-
exposes-38m-records-containing-pii
.
McShane, M., & Nguyen, T. (2020). Time-Varying Effects of Cyberattacks on Firm Value.
Geneva Papers on Risk and Insurance. Issues and Practice
, 45(4), 580-615.

Yüklə 0,59 Mb.

Dostları ilə paylaş:

1 2