LAKEWOOD RANCH, Fla.–A new study from the American Accounting Association suggests banks charge higher interest rates on loans to companies that have been hit by data breaches than to companies that have not been breached.
“…There is a very real cost for companies that can't protect their customers' personal information,” the AAA said in releasing its findings. “In addition to any reputational damage, the study finds that banks effectively apply a financial penalty to companies that have experienced data breaches.”
At issue are data breaches in which personal data, such as customer financial account information or social security numbers, is either stolen or inadvertently made public.
‘Financial Consequences’
"We knew that data breaches were important, but wanted to find a way of quantifying their financial consequences," said Henry Huang, co-author of the study and an associate professor of accounting at Yeshiva University, in a statement. "We also wanted to learn which variables come into play. For example, we learned there are things companies can do to mitigate damage after a data breach."
According to the American Accounting Association, researchers wanted to know whether companies that experienced data breaches had faced additional requirements when trying to secure bank loans.
“To that end, the researchers drew on data regarding 1,081 bank loans to publicly traded companies from 2003 to 2016: 587 loans were to companies that had experienced a data breach; 494 loans were to companies that had not,” the organization said. “To ensure they were seeing the impact of the data breach, and not other factors, the researchers matched each company that had experienced a breach with another company that had similar characteristics but hadn't experienced a breach.”
The AAA said the “results were clear: banks charged substantially higher interest rates to companies that had experienced a data breach, compared to companies that had not.”
Making Things Worse
Meanwhile, for companies that had been breached, the American Accounting Association said several factors could make things worse. The effect was exacerbated if the breach involved data on a lot of people, and also if the breach was the result of criminal hacking rather than a mistake, the AAA said.
“The effect was also more pronounced for companies in a subset of ‘vulnerable’ industries: health, personal services, business services, computer, electronic equipment, and transportation. Lastly, companies with good reputations for IT quality fared worse after a data breach – because banks had to make a bigger adjustment to their assessment of the company's security,” AAA said.
Banks also required more collateral and more covenants from companies that had experienced breaches, the AAA said.
The study, "Do Banks Price Firms' Data Breaches?," was published in The Accounting Review.
