When a company is hacked, market participants take notice. This has been observed consistently for at least a decade, mostly through calculating abnormal returns of individual corporate stocks after a company's information security incident announcement. Some researchers have found that information security incidents have had a decreasing effect on stock price over time. Their reports suggest that breach related stock price impacts have become increasingly shallow and short-lived. This has led

more »

... ome information security economists to suggest that market forces are not enough to incentivize sufficient corporate investment to information security. They argue that further regulation is necessary to remedy what seems like a rise in investor apathy toward corporate breaches. Other researchers, though, have cautioned that further examination is required and that other market metrics—beyond individual stock price movements—are available to better understand the effects of an information security incident. Sector-wide systematic risk is a measure of the sector's exposure to exogenous shock. Here, this risk measurement is applied to measure the spillover effects of a corporate information security incident. I conduct 203 event studies between the years 2006 and 2016, calculating sector-wide systematic risk within American stock markets, to measure the spillover effects of data breaches within finance, healthcare, technology and services sectors. The novel application of a longitudinal analysis of variance between repeated event studies reveals that the sector-wide spillover of an incident is both significant and growing. This suggests that an increasingly compelling market incentive exists for sectors to police themselves. Also, further inquiry into common factors among outliers to these sector-wide trends may reveal best-practice strategies for information security risk management.