Background and Context

The Security Risk

Data breaches are increasingly common cyber threats with an average cost of $4.35 million per incident for organizations.

CSR as Insurance

Corporate social responsibility (CSR) may provide an insurance-like mechanism that protects firms from the negative consequences of data breaches.

Research Approach

This study examined 230 breached firms, analyzing how CSR activities influence financial performance following a data breach incident.

Data Breaches Negatively Impact Corporate Financial Performance

Chart labels: Strong Performance, Recovering Performance, Data Breach.
  • Data breaches cause significant drops in firm profitability, shown by negative return on assets (ROA).
  • The study found that breaches lead to a decrease in ROA of approximately 0.9% to 2.5%.
  • While performance typically recovers over time, the initial financial impact is substantial and immediate.

Higher CSR Scores Reduce Negative Financial Impact of Data Breaches

  • Firms with high CSR scores experience less severe financial consequences after a data breach.
  • The insurance-like effect is demonstrated by the 0.3% performance improvement for each additional CSR point.
  • This protective effect supports the hypothesis that CSR serves as reputation insurance during crises.

Consumer-Sensitive Industries Experience Stronger Impact from Data Breaches

  • Companies in consumer-sensitive industries suffer a 3.4% greater ROA decline following data breaches.
  • Consumer trust is particularly important for retail, finance, and other consumer-facing businesses.
  • The greater financial impact reflects heightened consumer concern over personal data protection in these sectors.

CSR Provides Stronger Protection in Consumer-Sensitive Industries

Chart: CSR Insurance Effect by Industry Type. Consumer-Sensitive (Retail, Finance, Food & Beverage): 0.5% ROA improvement per CSR point. Non-Consumer-Sensitive (B2B, Industrial, Manufacturing): 0.0%, little to no effect.
  • CSR provides a stronger insurance effect in consumer-sensitive industries with 0.5% ROA improvement per CSR point.
  • Non-consumer-sensitive industries see minimal protection from CSR following data breaches.
  • This demonstrates the strategic importance of CSR investments in industries where consumer trust is critical.

Firms Increase CSR Activities After Data Breaches to Recover Trust

  • Firms in consumer-sensitive industries significantly increase CSR activity in the year following a breach.
  • The CSR increase is most pronounced 1-2 years after the breach, indicating strategic post-crisis management.
  • This post-breach CSR enhancement reflects efforts to rebuild stakeholder trust and repair reputational damage.

Contribution and Implications

  • CSR activities provide insurance against data breaches, protecting firm financial performance during cyber security crises.
  • The protection effect is stronger in consumer-sensitive industries where customer trust is essential to business success.
  • Companies should invest in CSR as a strategic risk management tool, particularly those handling sensitive customer data.
  • Firms can use increased CSR activities after breaches to help repair stakeholder relationships and rebuild trust.

Data Sources

  • First visualization depicts the financial impact of data breaches based on Table 4 coefficients showing ROA decline.
  • Second visualization uses data from Table 4 interaction effects between data breaches and CSR scores.
  • Third visualization uses data from Table 5 showing different impacts in consumer vs. non-consumer industries.
  • Fourth visualization illustrates findings from Table 5's triple interaction between breaches, CSR, and industry type.
  • Fifth visualization is based on Table 6 data showing CSR score changes in post-breach periods.