A New Approach for Estimating Firm-Level Cyber-Risk Exposure

Using computational linguistics to estimate firm-level cyber risk exposure based on quarterly earnings conference calls.

As the frequency of successful cyber-attacks grows and the uncertainty about potential future events intensifies, measurement and quantification of cyber risk and uncertainty are transforming into first-order issues for scholars and policymakers alike. In our new INET working paper, we construct novel, comprehensive text-based measures of firm-level exposure to cyber risk by leveraging quarterly earnings calls of listed firms and natural language processing techniques. Using these earnings calls, we measure cyber risk exposure faced by each firm in a given quarter by counting the number of times cybersecurity-related terms get mentioned. In addition, we bifurcate the quarterly firm-level measure of cyber risk (CyberRiski,t in formal terms) into discussions that adhere to certain predefined topics. We construct four novel and relevant topics: insurance, law, cryptocurrencies, and social media. Our long time series (2002q1-2021q3) and the quarterly frequency of our data, substantially increase our understanding of cybersecurity risk and its effect on firms and the economy.

We run a series of statistical exercises to check the validity of our new measures and understand their properties. First, we document stylized facts on the extent of variation of cyber risk across time, regions, and industries. Aggregate CyberRiski,t has increased considerably after 2013 with the SEC mandate for listed firms to begin to report material cybersecurity incidents and exposure and after 2015 when several high-profile cyber-attacks made headlines. Following the COVID-19 pandemic, the exposure index is currently at its historical peak. Figure 1 plots the time series of CyberRiskAi,t and CyberRiskRi,t, noting that CyberRiskRi,t adjusts for transcript length while CyberRiskAi,t measures the absolute frequency (number of counts).

Second, CyberRiski,t is concentrated in the United States and the IT and Services sectors. Interestingly, the regional composition has been systematically shifting away from the U.S. and towards the rest of the world over time. Industrial composition, particularly over the past decade, has shifted towards the financial sector (See Figures 2 and 3).

Third, we show that CyberRiski,t can predict realized cyberattacks within 1, 4, or 8 quarters. Fourth, we study the most affected firms’ balance sheets and income statement characteristics. Cyber-exposed firms are likely to be large, with a high share of intangible assets, high liquidity and cash flow ratios, and growth opportunities. Fifth, we conduct a series of case studies for some cyberattacked (“losers”) and cybersecurity (“winners”) firms. As expected, known cyberattacks, such as the 2017 Equifax breach or the 2019 First American Financial data leak, are associated with large spikes in CyberRiski,t (See Figure 4). Leading cybersecurity firms such as Cisco or CyberArk consistently record high levels of exposure.

Finally, we provide detailed earnings call snippets from selected transcripts of heavily exposed firms. Snippets highlight a wide range of intensity and tone of dialogue, ranging from extensive discussions of insurance coverage to the identification of foreign state actors as potential orchestrators of incidents. To quantify the economic implications of cyber risk, we document that exposure is negatively associated with firms’ quarterly stock return performance and positively associated with firms’ realized stock market volatility. We further demonstrate that high levels of CyberRiski,t predict worse firm-level economic outcomes such as low cash flow, return on assets, and firm market value. A simple back-of-the-envelope calculation reveals that the global cost of cyber risk exposure amounts to $226 billion annually. Our simple calculation does not account for indirect and second-order effects, so the true financial cost of cyber risk could be substantially larger.

We go further: our main empirical question involves understanding whether cyber risk exposure, as opposed to actual incidents, has any effect on firm outcomes. A key advantage of our approach is that we can not only capture discussions surrounding cyberattacked firms at the moment of the incident but also quantify concerns about potential future events that may or may not materialize. In other words, we are, to the best of our knowledge, the first to quantify uncertainty stemming from cyber risk exposure. Cyber risk uncertainty may affect investors’ beliefs about operational capabilities, the resilience of computer and network systems, and the likelihood of future attacks or breaches, and thus potentially cause direct monetary or indirect reputational losses. As a result, uncertainty about future cyber risk vulnerabilities may affect asset prices today. In the cross-section of firms, the immediate implication is that market-based costs of protection should “price in” greater cyber risk uncertainty emanating from a higher realization of CyberRiski,t. We test this prediction by estimating firm-level and sector-level impacts of CyberRiski,t on equity option market variables. We find strong evidence that cyber risk uncertainty is priced in the option market, and the magnitudes are consistent with the view that cyber risk is among first-order sources of risk for firms.

We then move beyond firm-level analysis and ask whether the idiosyncratic firm-level cyber risk can be a source of “systemic” risk for firms and markets. We conduct two exercises that address this question. First, and this is our second key empirical result, we document that CyberRiski,t spills over from affected firms to their peers, defined as firms in the same country and industry as the exposed firms but with zero cyber risk exposure of their own. Analysis of heterogeneous spillover effects reveals that this finding is not driven by a particular tail of the distribution of firm size - a key absorbing characteristic - and is fairly homogenous across the economy.

Secondly, and this is our third important result, we show that cyber risk exposure and uncertainty persist at the sectoral level. We aggregate all variables to the level of an industry and test whether idiosyncratic CyberRiski,t washes out in the aggregate. We find that sector-level effects on RoA and option market variables are strong and statistically significant at 3 and 4-digit NAICS levels. We run most of the empirical tests also for our topical measures. The Cyber Insurancei,t index stands out on several dimensions. First, it has the highest unconditional pairwise correlation with CyberRiski,t across the whole sample. Second, analysis of earnings call snippets shows that insurance-related terms are flagged consistently in transcripts of heavily exposed firms. In particular, they frequently appear in the questions that investors pose to firm managers. Third, Cyber Insurancei,t has large and significant predictive power for realized cyberattacks. Finally, Cyber Insurancei,t is significantly positively associated with firm-level equity option market variables. These findings suggest that insurance considerations are viewed by analysts, investors, and financial markets as especially important when it comes to cyber risk uncertainty.

We supplement our main analysis with additional findings. Notably, we test whether our measures are statistically associated with the market price of crypto coins. We document a strong contemporaneous, backward, and forward-looking association between the price of Bitcoin (the dominant cryptocurrency) and our crypto topical measure, suggesting that analyst attention - specifically in the context of cybersecurity discussions in earnings calls - is correlated with crypto price movements (See Figure 5). With this auxiliary exercise, we do not establish causal linkages but hope to encourage future research to conduct more comprehensive, targeted studies of this issue. Finally, we explain the international distribution of cyber risk exposure with a gravity model extended with measures of financial proximity to the world technological leader - the U.S. We document that our expanded gravity model can explain a large fraction of cross-country variation in cyber risk exposure.

Share your perspective