Cybersecurity, Firms, and Financial Markets
Pat Akey
Trends in data breaches
Akey, Lewellen, Liskovich, and Schiller
  Introduction
  Value and reputation consequences
  Firm responses
  Conclusion
Akey, Gregoire, and Martineau
  Introduction
  Scheme
  Data
  Price discovery results
  Insider trading results
  Conclusion
Cybersecurity, Firms, and Financial Markets
Pat Akey¹
University of Toronto
July 2020
¹ Email: [email protected]
Introduction
More than 11 billion records breached since 2005²
Regulators are concerned about impact of cyberattacks on financial markets
Cybersecurity risks pose grave threats to investors, our capital markets, and our country. Whether it is the companies in which investors invest, their accounts with financial services firms, the markets through which they trade, or the infrastructure they count on daily, the investing public and the U.S. economy depend on the security and reliability of information and communications technology, systems, and networks.
—SEC Guidance, Feb. 2018
² Source: Privacy Rights Clearinghouse
Agenda for today
1. Present some statistics on cybersecurity and data breaches
2. Discuss recent research about the consequences of data breaches on firms and capital markets
   2.1 What are the value and reputational consequences when firms experience a data breach?
   2.2 What were the capital market consequences of a series of major hacks against newswire providers?
Attention to cybersecurity is rising
[Figure: Ln(Google Trends Score), Jan. 2005 to Jul. 2018, for the series "Cyberattack" and "Data Breach". Annotated events: Equifax Breach, Clinton E-mails, Target Breach, Playstation Network Breach, WannaCry.]
Source: Google Trends
Data breaches over time
[Figure: frequency of data breaches (axis 0 to 1000) by year, 2005 to 2018.]
Source: Privacy Rights Clearinghouse
Data breaches take many forms
[Figure: breakdown of data breaches by type: External Hack, Insider, Physical Documents, Unintended Disclosure, Portable Device, Unknown, Other.]
Source: Privacy Rights Clearinghouse
They impact many different organizations
[Figure: breakdown of data breaches by organization type: Medical Organization, Financial Institution, Retailer, Other Business, Government, Educational Institution, Other.]
Source: Privacy Rights Clearinghouse
They impact most sectors of the economy
[Figure: breakdown of data breaches by sector: Banks, Telecommunications, Retail, Food Retail, Consumer Services, Other, Diversified Financials, Insurance, Com. Services, Software, Capital Goods, Media.]
Source: Privacy Rights Clearinghouse
Cyberattacks impact markets in many ways
SEC Division of Enforcement has taken action on a variety of different cyber-related threats
- Digital Assets/Initial Coin Offerings
- Account intrusions
- Hacking into critical information providers and trading
- Market manipulation
- Failure to safeguard data
Hacking Corporate Reputations
Pat Akey (University of Toronto), Stefan Lewellen (Penn State University), Inessa Liskovich (AirBnB), Christoph Schiller (Arizona State University)
Motivation
How do firms respond to negative shocks to capital?
- Tangible capital: usually straightforward to rebuild
- What about intangible capital, such as a firm’s reputation?
  - Is it possible for firms to rebuild intangible capital?
  - If so, how does this take place?
This paper
Do reputation shocks cause increased CSR investment?
- Unexpected cyberattacks as a shock to corporate reputations
  - 2016 Economist Intelligence Unit CEO study: main concern about a data breach → negatively affects corporate reputation
- Investment dimension: CSR
  - CSR can help firms differentiate themselves to stakeholders (Albuquerque, Koskinen, and Zhang, 2018)
  - Literature: ex-ante CSR can mitigate effects of negative events
  - We focus on ex-post CSR investment following reputation shocks
What we do
1. Examine short-run returns and “reputation scores” following data breaches
   - Does the market react at all?
   - Are firms’ reputations impacted?
2. Examine long-run market reactions / firm performance
   - Are effects long-lasting? Otherwise, why invest?
   - M/B, ROE, and P/E
3. Examine how firms respond over the longer term
   - Increased IT spending?
   - Increased advertising?
   - Increased CSR investment?
Data sources
1. Privacy Rights Clearinghouse: 196 data breaches from 2005-2015
   - Focus on breaches with ≥ 1000 records affected
2. MSCI ESG KLD Stats: panel of CSR scores
3. RepRisk: Reputation data
4. Scrape annual reports: IT investment data
   - We scrape 10-Ks to identify IT related words in the proximity of “investment”
5. COMPUSTAT: Firm fundamentals
IT investment by sector
[Figure: proportion in sample (axis 0% to 30%) for the series "IT security" and "IT investments", by sector: Information Technology, Telecommunication Services, Utilities, Financials, Consumer Discretionary, Industrials, Health Care, Consumer Staples, Energy, Materials.]
- Firms discuss IT investment and IT security most frequently in technology, telecom and utilities
IT investment over time
[Figure: IT Investments (axis 0% to 3%) and IT Security (axis 0% to 40%) by year, 2000 to 2015.]
- Firms discuss IT investment and IT security more frequently over time
Short term valuation effects
[Figure: average cumulative abnormal return (CAR), axis -.05 to .02, by day relative to data breach (-10 to 30); series: mean, +95% CI, -95% CI.]

CAR [-1;3]    CAR [-1;5]    CAR [-1;10]   CAR [-1;30]
-.00764**     -.00897**     -.009*        -.0192**
(.00387)      (.00415)      (.00487)      (.00842)
Reputational consequences
[Figure: reputation rating (axis -.5 to 1) by quarter relative to data breach (-8 to +8).]
- RepRisk reputation score declines by 15% of a standard deviation
Long term valuation effects
Years 0–1

                  M/B                 ROE                 P/E
                  (1)       (2)       (3)       (4)       (5)       (6)
Years 0-1 Post    -.856***  -.49***   -.0635**  -.0318    -3.38**   -3.13**
                  (.151)    (.116)    (.0279)   (.0251)   (1.34)    (1.32)
Treated           .75***              .0027               2.19**
                  (.161)              (.0173)             (1.02)
Controls          Yes       Yes       Yes       Yes       Yes       Yes
Yr × GIC FE       Yes       Yes       Yes       Yes       Yes       Yes
Firm FE           No        Yes       No        Yes       No        Yes
Observations      74591     73146     84129     82899     84121     82890
R2                0.274     0.666     0.075     0.330     0.134     0.352

- In the two years following the data breach:
  - Market-to-book declines by 16% of a standard deviation
  - Return on equity declines by 5% of a standard deviation
  - Price-earnings ratio declines by 14% of a standard deviation
- Effects persist up to four years following the breach
How do firms respond?
- We study three different actions that firms can use to respond to data breaches
  1. Do firms improve their CSR?
  2. Do firms invest in their IT capacity?
  3. Do firms increase their advertising?
- Do firms incur one-time expenses?
  - Are firms more likely to report non-recurring expenses on their income statement?
CSR scores following data breaches
[Figure: Norm CSR (KLD), axis -.6 to 1.4, by year relative to data breach (-4 to +4).]
- CSR scores increase by 40% of a standard deviation
IT investment
IT Reaction to Data Breaches

                        IT Security (0/1)                       IT Investment (0/1)
                        (1)       (2)       (3)       (4)       (5)       (6)       (7)       (8)
Years 0-1 Post          .0565*    .0385                         .042**    .0363**
                        (.0304)   (.0285)                       (.019)    (.0168)
Years 0-4 Post                              .121***   .0917***                      .0293     .0213
                                            (.031)    (.0293)                       (.0191)   (.0154)
Treated                 .0676***            .0359               .0124               .00948
                        (.0242)             (.0235)             (.0117)             (.0101)
Length 10K              1.68***   1.58***   1.67***   1.56***   .0214     .129*     .0199     .126*
                        (.233)    (.254)    (.234)    (.254)    (.0523)   (.0672)   (.0526)   (.0673)
10K Vocab. Complexity   .243**    .24**     .241**    .237**    .000627   -.0181    .000515   -.0194
                        (.113)    (.111)    (.113)    (.111)    (.0245)   (.0385)   (.0245)   (.0385)
Controls                Yes       Yes       Yes       Yes       Yes       Yes       Yes       Yes
Yr × GIC FE             Yes       Yes       Yes       Yes       Yes       Yes       Yes       Yes
Firm FE                 No        Yes       No        Yes       No        Yes       No        Yes
Observations            50167     49086     50167     49086     50167     49086     50167     49086
R2                      0.297     0.631     0.297     0.631     0.056     0.420     0.056     0.420

- Firms are 4% more likely to discuss “IT investment” immediately after the breach
- Firms are 12% more likely to discuss “IT security” up to four years after the breach
Advertising and nonrecurring expenses
Other Reactions to Data Breaches

                  Nonrecurring (0/1)                      Advertising/Assets
                  (1)       (2)       (3)       (4)       (5)        (6)        (7)        (8)
Years 0-1 Post    .0671**   .0675**                       .0000638   -.000182
                  (.0341)   (.031)                        (.00133)   (.000931)
Years 0-4 Post                        .0864***  .0851***                        .000296    -.000134
                                      (.0306)   (.0278)                         (.00162)   (.00112)
Treated           .0524***            .0355**             -.00169               -.00179
                  (.0178)             (.017)              (.00219)              (.00229)
Controls          Yes       Yes       Yes       Yes       Yes        Yes        Yes        Yes
Yr × GIC FE       Yes       Yes       Yes       Yes       Yes        Yes        Yes        Yes
Firm FE           No        Yes       No        Yes       No         Yes        No         Yes
Observations      84309     83081     84309     83081     34326      33562      34326      33562
R2                0.134     0.333     0.135     0.334     0.351      0.834      0.351      0.834

- Firms do not change their advertising after the breach
- Firms are 8% more likely to disclose a non-recurring expense on their income statement
  - Possibly a specific response to the data breach
Conclusion
- Use corporate data breaches to study consequences of negative shocks to reputation
- Following the announcement of a data breach, affected firms have:
  - negative announcement returns of 1.9%
  - reduced reputation ratings of 15% of a standard deviation
- Over the two years after the data breach:
  - M/B ratios decline by 16% of a standard deviation
  - ROE declines by 5% of a standard deviation
  - P/E ratios decline by 14% of a standard deviation
- Over the four years after the breach, firms respond by
  - increasing their CSR by 40% of a standard deviation
  - increasing their likelihood of investing in IT by 4%
Price Revelation from Insider Trades: Evidence from Hacked Earnings News
Pat Akey (University of Toronto), Charles Martineau (University of Toronto), Vincent Gregoire (HEC Montreal)
One of the largest securities fraud cases ever
From 2010 to 2015, a group of Ukrainian hackers breached the IT systems of 3 of the largest newswire companies.
- Accessed earnings press releases several hours before their scheduled release.
- Sold the information to a select group of traders.
Traders aggressively traded before the news was publicly released to exploit this private information.
In 2015, the SEC charged some of the traders based in the U.S. for illegal insider trading for profits amounting to +$100 million.
Research Questions
This setting allows us to answer the following questions:
1. (How) do prices incorporate private information imbedded in trades?
2. Which measures of potential informed trading best detect this type of behavior?
3. Were there spillover effects on liquidity traders?
Our setting allows us to compare the price discovery dynamics of a group of “treated” firms whose earnings were exposed at a particular point in time to a “control” set whose earnings were not exposed at that point in time
- Hackers intermittently gained and lost access to newswires’ IT systems at different points in time
After-hours market
[Figure: timeline across trading day t and trading day t+1 with marks at 9:30, 16:00, 20:00, 4:00, 9:30 and 16:00. Segments: regular trading hours, after hours, no trading, after hours, regular trading hours. Labels: closing auction, opening auction.]
Earnings announcements occur overnight
Trading anecdotes
[Figure: Align Technology (2013/10/17), next day closing price = $57.98. Stock price ($43.0 to $46.0) and cumulative profit ($0 to $4,000,000) over time, 10:00 to 16:00. Legend: stock price; cumulative profits; trades in stocks (solid) and derivative instruments (dotted).]
The hacking and insider trading scheme
From January 2010 to August 2015
Hackers (Russians and Ukrainians): Ivan Turchynov (eggPLC, ring leader), Oleksandr Ieremenko, Vadym Iermolovych
C: story works out 100%
E: story doesn’t work out 100%
[Diagram of the scheme, from January 2010 to August 2015]
Hackers (Russians and Ukrainians): eggPLC (ring leader), Ivan Turchynov, Oleksandr Ieremenko, Vadym Iermolovych
Targets: Newswire providers
- PR Newswire (US)
- Businesswire (US)
- Marketwired (Canada)
Hacking methods
- SQL injection
- Phishing emails
Retrieved upcoming corporate earnings releases
Middlemen
Recruited traders: +100 individuals (FBI)
- Executed trades (equity, options, CFD) hours prior to after-hours earnings announcements
Arrested or charged U.S. based traders
- Dubovoys’ family: Arkadiy and Pavel (brothers), Igor (Arkadiy’s son), Valery Pychnenko (cousin)
- Friends and facilitators: Vitaly Korchevsky (Baptist pastor), Alexander Garkusha (business partner), Leonid Momotok (accountant)
Flow labels: Send the hacked press releases; For sale on the dark web; Send “wish list”; Send the profits via shell companies
Profits: 40%, 10%, 50%
How they were caught ...
$100 million represents only a fraction of the money authorities believe was made off the stolen press releases.
As of August 2015, 20 individual traders have been charged.
Factors leading to the prosecutions:
- The arrest of the hacker Vadym Iermolovych in Mexico.
- The SEC and FINRA developed algorithms to detect stock price fluctuations caused by some trades before corporate announcements.
- Not an easy task since insiders used multiple accounts, but the owners of the accounts were linked through similar social or familial networks.
Data
1. Extract all earnings announcements in IBES from 2010 to 2015 for stocks in CRSP.
   - Calculate earnings surprises
2. Assign to each earnings announcement the corresponding newswire company with RavenPack, with substantial validation work.
   - A total of ∼ 44,000 earnings announcements.
3. Retrieve intraday data from TAQ.
4. SEC documentation and legal filings to retrieve when newswire companies were exposed to hacks, expert witness reports, etc. (>4500 pages of court documents from PACER).
Example of a press release
Number of earnings news exposed to hacks
[Figure: number of earnings news (bars, axis 0 to 1000) and proportion of hacked earnings (dots, axis 0.1 to 0.5) by quarter, 2010-Q2 to 2015-Q4, for Business Wire, Marketwired and PR Newswire.]
Price drift before EAs (S&P 1500 firms)
[Figure: cumulative returns over time (axis marks 12:15, 16:00, 9:45, 16:00) for "Hacked" and "Not hacked" announcements. Panels: top quintile (axis 0.000 to 0.035) and bottom quintile (axis −0.04 to 0.00).]
- Pre-disclosure returns are more informative when hackers had access to information
  - More of the “earnings surprise” (relative to analyst expectations) was already priced in
Afterhours returns and informed trading
$$\text{Log Return}^{AH}_{i,t} = \beta_1\,\text{Surprise}_{i,t} + \beta_2\,\mathbb{1}[\text{Hacked}]_{i,t} + \beta_3\,\text{Surprise}_{i,t} \times \mathbb{1}[\text{Hacked}]_{i,t} + \varepsilon_{i,t}$$

                       (1)        (2)        (3)        (4)
Surprise               1.357***   1.428***   1.436***   1.419***
                       (0.073)    (0.078)    (0.078)    (0.061)
Surprise × 1[Hacked]   -0.213**   -0.228**   -0.236**   -0.211**
                       (0.100)    (0.103)    (0.103)    (0.100)
1[Hacked]              -0.001     -0.001     -0.001     -0.000
                       (0.001)    (0.001)    (0.001)    (0.001)
N                      43,991     43,991     43,991     43,991
Adjusted R2            0.062      0.060      0.071      0.067
Controls               N          N          Y          Y
Year-Quarter F.E.      Y          Y          Y          N
Firm F.E.              N          Y          Y          Y
Date F.E.              N          N          N          Y

- After-hour returns of stocks exposed to hacks are 15% less sensitive to earnings surprises.
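The interaction regression above, worked on constructed data (an added example, not code or data from the original slides): when a fraction `leak` of the price response is impounded before the release for hacked announcements, OLS recovers β3 ≈ −leak·β1, so −β3/β1 is the attenuation the slide quotes (0.213/1.357 ≈ 0.157 in column 1). The simulation parameters, the plain intercept standing in for fixed effects and controls, and all function names are assumptions made for illustration.

```python
import random


def ols(X, y):
    """OLS coefficients from the normal equations (X'X) b = X'y,
    solved by Gauss-Jordan elimination with partial pivoting."""
    k = len(X[0])
    # Augmented matrix [X'X | X'y].
    A = [[sum(row[i] * row[j] for row in X) for j in range(k)]
         + [sum(row[i] * yi for row, yi in zip(X, y))] for i in range(k)]
    for col in range(k):
        pivot = max(range(col, k), key=lambda idx: abs(A[idx][col]))
        A[col], A[pivot] = A[pivot], A[col]
        p = A[col][col]
        A[col] = [v / p for v in A[col]]
        for idx in range(k):
            if idx != col:
                f = A[idx][col]
                A[idx] = [a - f * b for a, b in zip(A[idx], A[col])]
    return [A[i][k] for i in range(k)]


def simulate_events(n=20000, b=1.357, leak=0.157, p_hacked=0.3, seed=7):
    """Constructed earnings events (not real data).

    b        total price response per unit of earnings surprise
    leak     share of that response traded into the price before the
             release when the press release was exposed to the hack
    """
    rng = random.Random(seed)
    events = []
    for _ in range(n):
        surprise = rng.gauss(0.0, 0.02)
        hacked = 1 if rng.random() < p_hacked else 0
        early = leak * b * surprise if hacked else 0.0
        events.append({
            "surprise": surprise,
            "hacked": hacked,
            # Pre-disclosure (afternoon) return: noise plus any leaked part.
            "pre": early + rng.gauss(0.0, 0.01),
            # After-hours return: whatever was not already priced in.
            "after_hours": b * surprise - early + rng.gauss(0.0, 0.01),
        })
    return events


def surprise_regression(events, window):
    """Regress the return in `window` on Surprise, 1[Hacked] and their product."""
    X = [[1.0, e["surprise"], float(e["hacked"]), e["surprise"] * e["hacked"]]
         for e in events]
    y = [e[window] for e in events]
    const, b1, b2, b3 = ols(X, y)
    return {"const": const, "surprise": b1, "hacked": b2,
            "surprise_x_hacked": b3}


def attenuation(coefs):
    """Share of the surprise response missing after hours: -beta3 / beta1."""
    return -coefs["surprise_x_hacked"] / coefs["surprise"]


if __name__ == "__main__":
    ev = simulate_events()
    ah = surprise_regression(ev, "after_hours")
    pre = surprise_regression(ev, "pre")
    print("after-hours:", {k: round(v, 3) for k, v in ah.items()})
    print("pre-disclosure:", {k: round(v, 3) for k, v in pre.items()})
    print("attenuation:", round(attenuation(ah), 3))
```

The same specification run on the pre-disclosure return puts the missing response back on the interaction term, which is the price-discovery shift the slides describe.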
Prosecuted cases vs. matched events
[Figure: cumulative returns over time (axis marks 12:15, 16:00, 9:45, 16:00) for "Prosecuted" and "Not hacked" events. Panels: top quintile (axis 0.00 to 0.06) and bottom quintile (axis −0.10 to 0.00).]
- Each prosecuted trade (∼ 350) is matched to fifteen events that were not hacked
- After-hour returns are up to 45% less responsive to earnings surprises in this sample
  - Larger magnitude possibly due to sample bias
Insider Trading
1. Volume-based measures
   - Volatility
   - Trade Volume
   - Turnover
2. Order imbalance-based measures
   - Absolute order imbalance
   - Volume-synchronized Probability of Informed Trading (VPIN)
   - Kyle’s λ: in the transaction price, $S_k = d_k \sqrt{\text{DollarVolume}}$ is the signed dollar volume of the trade
3. Liquidity-based measures
   - Amihud Measure
   - Quoted Spreads
   - Effective Spread per trade (= Realized Spread + Price Impact)
Informed trading measures
Col.   Dependent variable   1[Hacked]          N        R2
(1)    Volatility           0.0421*** (0.01)   43,991   0.180
(2)    Log(volume)          0.0328**  (0.01)   43,991   0.033
(3)    Turnover             0.0458*** (0.02)   43,991   0.016
(4)    Amihud               0.0108    (0.01)   43,991   0.121
(5)    |OI|                 0.0086    (0.01)   43,991   0.012
(6)    VPIN                 0.0021    (0.01)   43,991   0.044
(7)    Quoted spread        0.0163*   (0.01)   43,991   0.133
(8)    Effective spread     0.0316*** (0.01)   43,991   0.159
(9)    Realized spread      0.0449*** (0.02)   43,991   0.035
(10)   Price impact         -0.0136   (0.02)   43,991   0.024
(11)   Kyle’s λ             0.0140    (0.01)   43,991   0.062
Controls, Year-Quarter F.E. and Firm F.E.: Y in all columns.

- Pre-earnings afternoon trading of stocks subject to informed trading is characterized by increased:
  - Volume and Turnover
  - Volatility
  - Effective spreads
    - Driven by realized spread paid by liquidity takers
    - Not coming from price impact of trades
- Other measures of informed trading do not exhibit different behavior
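The identity from the list of liquidity measures (effective spread = realized spread + price impact) and the pattern reported in this table, computed on constructed trades (an added example, not code or data from the original slides). The factor of 2, the 5-minute horizon for the later midquote, the dollar-volume weighting, the 25% threshold and all names are assumptions; the deck's own variable definitions are not reproduced on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    price: float      # transaction price
    shares: int       # trade size
    direction: int    # +1 buyer-initiated, -1 seller-initiated (liquidity taker)
    mid: float        # quote midpoint when the trade executes
    mid_later: float  # quote midpoint a fixed horizon later (assumed 5 minutes)


def liquidity_measures(trades):
    """Dollar-volume-weighted measures for one stock over one interval."""
    dollar = [t.price * t.shares for t in trades]
    total = sum(dollar)

    def wavg(values):
        return sum(v * w for v, w in zip(values, dollar)) / total

    # What the liquidity taker pays relative to the prevailing midquote.
    effective = [2 * t.direction * (t.price - t.mid) / t.mid for t in trades]
    # The part the liquidity provider keeps once the quote has adjusted.
    realized = [2 * t.direction * (t.price - t.mid_later) / t.mid for t in trades]
    # The part lost to the permanent move in the midquote.
    impact = [2 * t.direction * (t.mid_later - t.mid) / t.mid for t in trades]
    signed_shares = sum(t.direction * t.shares for t in trades)
    return {
        "dollar_volume": total,
        "effective_spread": wavg(effective),
        "realized_spread": wavg(realized),
        "price_impact": wavg(impact),
        "abs_order_imbalance": abs(signed_shares) / sum(t.shares for t in trades),
    }


def raised_measures(control, treated, threshold=0.25):
    """Measures that are more than `threshold` (relative) higher in `treated`."""
    return [name for name in control
            if (treated[name] - control[name]) / abs(control[name]) > threshold]


# Constructed afternoon with no leaked announcement.
CONTROL = [
    Trade(50.02, 100, +1, 50.00, 50.01),
    Trade(49.98, 200, -1, 50.00, 49.99),
    Trade(50.03, 200, +1, 50.01, 50.02),
]

# Constructed afternoon before a leaked announcement: same quote path, but
# larger trades executing further from the midquote.
TREATED = [
    Trade(50.04, 200, +1, 50.00, 50.01),
    Trade(49.96, 400, -1, 50.00, 49.99),
    Trade(50.05, 400, +1, 50.01, 50.02),
]

if __name__ == "__main__":
    c, t = liquidity_measures(CONTROL), liquidity_measures(TREATED)
    for name in c:
        print(f"{name:22s} control={c[name]:.6g} treated={t[name]:.6g}")
    print("raised:", raised_measures(c, t))
```

On this sample the flagged measures are dollar volume, effective spread and realized spread, while price impact and absolute order imbalance are unchanged.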
How does the spread distribution change?
[Figure: realized spreads and price impact, each shown in Morning and Afternoon panels; x-axis: percentile (20 to 80); y-axis: −0.00100 to 0.00100.]
- Realized spreads increase from about the 70th percentile
- Potentially represents increased transaction costs for liquidity traders
Were there spillover effects?
Results so far:
1. Insiders made a lot of money
2. Price impact of trades was generally not much higher
3. Liquidity providers widened spreads for a relatively large proportion of trades
Did liquidity providers widen spread by more or less than the gain by the hackers?
Did uninformed traders pay higher costs because of the hackers’ activity?
- We examine the average profitability of trades by liquidity takers
Spillover effects for liquidity takers
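$$\text{Profit}_{i,t} = \beta\,\mathbb{1}[\text{Hacked}]_{i,t} + \Gamma'\,\text{Controls}_{i,t} + \alpha_t + \alpha_i + \varepsilon_{i,t}.$$

| | Morning (1) | Morning (2) | Afternoon (3) | Afternoon (4) |
|---|---|---|---|---|
| 1[Hacked] | 0.017 | 0.016 | -0.036** | -0.037** |
| | (0.028) | (0.027) | (0.018) | (0.018) |
| N | 43,991 | 43,991 | 43,991 | 43,991 |
| Adjusted R2 | 0.000 | 0.001 | 0.000 | 0.001 |
| Controls | N | Y | N | Y |
| Year-Quarter F.E. | Y | Y | Y | Y |
| Firm F.E. | Y | Y | Y | Y |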
- The average volume-weighted trade is 3.6 bps less profitable when the stock's earnings announcement was exposed to informed trading
- Back-of-the-envelope calculation suggests that this translated into $131 million in increased transaction fees
Conclusion
Cyber risks expose financial markets to systematic information leakage and insider trading.
- Our analysis shows that during the newswire hacking scheme:
  1. Price discovery for stocks exposed to hacks occurred before the earnings announcements.
  2. Stock prices exposed to hacks were 15-25% less responsive to earnings surprises and as high as 50% for events reported by the SEC.
  3. Insiders chose to trade stocks with large surprises, those with better information environments and liquidity.
- Volume/volatility-based measures of informed trading and spreads detect this behavior
  - This provides evidence that it is rational for informed investors to attempt to trade strategically
- Higher spreads were passed on to uninformed traders whose trades were less profitable
Additional findings in Akey, Lewellen, Liskovich and Schiller
Additional results in Akey, Gregoire and Martineau
Number of compromised records
[Figure: kernel density of the number of records (natural logarithm); kernel = epanechnikov, bandwidth = 1.1221.]
- ∼2/3 of records involve customer records, ∼1/3 involve employee records
How general are our results?
- Data breaches are a useful setting to study negative reputation shocks
  - Largely outside of the control of a firm or its management team
  - Reputational consequences are a first-order concern to managers
  - Unlikely to systematically reveal new information about products to managers
- But firms can suffer a wide range of negative shocks to their reputation
  - How well would these results generalize?
- We reexamine value consequences of and CSR responses to a wide variety of "negative reputation events" reported in the media
  - 2,600 "high reach" negative news stories related to 28 CSR categories
- Less clear that these are pure "shocks" to reputation but should let us see how general our main results are
Abnormal returns around RepRisk events
[Figure: average cumulative abnormal return (CAR) by day relative to RepRisk event, days -10 to 30; mean with 95% confidence interval.]
- Market reactions of 2,600 negative media events are strikingly similar to data breach disclosures
Abnormal returns around RepRisk events
[Figure: Norm CSR (KLD) by year relative to RepRisk event, years -4 to +4.]
- CSR responses are also similar
Summary stats on the actual insider trading
[Figure: number of earnings news by quarter, 2011-Q2 to 2015-Q2.]
Hacked trading events and informed trading measures

| | Volatility | Log(volume) | Turnover | Amihud | \|OI\| | VPIN | Quoted spread | Effective spread | Realized spread | Price impact | Kyle's λ |
|---|---|---|---|---|---|---|---|---|---|---|---|
| | (1) | (2) | (3) | (4) | (5) | (6) | (7) | (8) | (9) | (10) | (11) |
| 1[Hacked] | -0.0140 | -0.0191 | -0.0131 | 0.0171 | -0.0091 | -0.0047 | 0.0186* | 0.0138 | 0.0222 | -0.0024 | 0.0146 |
| | (0.01) | (0.02) | (0.01) | (0.01) | (0.01) | (0.01) | (0.01) | (0.01) | (0.01) | (0.02) | (0.01) |
| N | 43,991 | 43,991 | 43,991 | 43,991 | 43,991 | 43,991 | 43,991 | 43,991 | 43,991 | 43,991 | 43,991 |
| R2 | 0.044 | 0.029 | 0.010 | 0.102 | 0.011 | 0.033 | 0.108 | 0.073 | 0.029 | 0.018 | 0.035 |
| Controls | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Year-Quarter F.E. | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Firm F.E. | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |

- Informed trading measures are not generally different in the morning
Insider Trading Measures [1/2]
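- Volatility: $\sqrt{\sum_{t}^{T} r_t^2}$, where $r_t$ is the 5-minute return.
- Volume: Log(Volume), where volume is the number of traded shares.
- Turnover: $\frac{\text{Volume}}{\text{Shares outstanding}}$
- Amihud: $\frac{|r_t|}{\text{Dollar traded volume}}$
- Absolute order imbalance (|OI|): $\left|\frac{\text{Buy} - \text{Sell}}{\text{Buy} + \text{Sell}}\right|$
- Quoted spread: The percent quoted bid-ask spread is $\frac{\text{Ask}_t - \text{Bid}_t}{\text{Mid}_t}$
- Effective spread (per trade): $\frac{2 d_k (\text{Price}_k - \text{Mid}_k)}{\text{Mid}_k}$.
  - $d_k$ is +1 if the trade is a market order buy and -1 if it is a market order sell.
- Realized spread (per trade): $\frac{2 d_k (\text{Price}_k - \text{Mid}_{k+5})}{\text{Mid}_k}$.
- Price impact (per trade): $\frac{2 d_k (\text{Mid}_{k+5} - \text{Mid}_k)}{\text{Mid}_k}$.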
Insider Trading Measures [2/2]
- Kyle's λ: We follow Ahern (2018) and estimate Kyle (1985) lambda as the coefficient λ in the following regression:
  $$\Delta p_k = \lambda S_k + u_k,$$
  where $\Delta p_k$ is the change in the transaction price and $S_k = d_k \sqrt{\text{DollarVolume}}$ is the signed dollar volume of the trade
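The per-trade measures from the two "Insider Trading Measures" slides, computed on a few constructed trades, as an added example that is not code from the slides or the underlying paper. It assumes Mid_{k+5} is the midquote five minutes after the trade and that Δp_k is the change from the previous trade's price; function names and sample values are hypothetical.

```python
import math

# Constructed trades (not data from the study). Fields: direction d_k (+1 market
# buy, -1 market sell), trade price, midquote at the trade, midquote 5 minutes
# later (assumed reading of Mid_{k+5}), and dollar volume of the trade.
TRADES = [
    (+1, 100.05, 100.00, 100.02, 40_000.0),
    (-1,  99.98, 100.02, 100.00, 10_000.0),
    (+1, 100.06, 100.00, 100.05, 90_000.0),
]

def effective_spread(d, price, mid):
    """2 d_k (Price_k - Mid_k) / Mid_k: total cost paid by the liquidity taker."""
    return 2 * d * (price - mid) / mid

def realized_spread(d, price, mid, mid_later):
    """2 d_k (Price_k - Mid_{k+5}) / Mid_k: part kept by the liquidity provider."""
    return 2 * d * (price - mid_later) / mid

def price_impact(d, mid, mid_later):
    """2 d_k (Mid_{k+5} - Mid_k) / Mid_k: part attributable to the quote moving."""
    return 2 * d * (mid_later - mid) / mid

def realized_volatility(returns):
    """Square root of the sum of squared 5-minute returns."""
    return math.sqrt(sum(r * r for r in returns))

def kyle_lambda(trades):
    """No-intercept OLS slope of delta p_k on S_k = d_k * sqrt(dollar volume)."""
    sxy = sxx = 0.0
    for prev, cur in zip(trades, trades[1:]):
        dp = cur[1] - prev[1]             # change in transaction price (assumed)
        s = cur[0] * math.sqrt(cur[4])    # signed square-root dollar volume
        sxy += s * dp
        sxx += s * s
    if sxx == 0.0:
        raise ValueError("need at least two trades with non-zero volume")
    return sxy / sxx

def decompose(trades):
    """Per-trade (effective, realized, impact); effective = realized + impact."""
    return [(effective_spread(d, p, m), realized_spread(d, p, m, ml),
             price_impact(d, m, ml)) for d, p, m, ml, _ in trades]

if __name__ == "__main__":
    for eff, real, imp in decompose(TRADES):
        print(f"effective={eff:.6f} realized={real:.6f} impact={imp:.6f}")
    print(f"Kyle lambda={kyle_lambda(TRADES):.6f}")
```

Because the effective spread is the sum of the other two, the afternoon result in the deck (wider effective spreads driven by realized spread rather than price impact) is a statement about which term of this decomposition moved.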
Drifts before earnings announcements (Non-S&P1500)
[Figure: cumulative returns by time of day for the Top quintile and Bottom quintile panels; series: Hacked, Not hacked.]
Price drifts before earnings announcements (All firms)
[Figure: cumulative returns by time of day for the Top quintile and Bottom quintile panels; series: Hacked, Not hacked.]
ALIGN Volume and Order Imbalance
[Figure: cumulative volume, cumulative insider volume and cumulative OI by time of day, 13:00 to 15:30.]