Risks associated with data breaches and cyberattacks have been identified as one of the most important factors on which regulators, investors, and company executives should focus. In February 2018, the US Securities and Exchange Commission (SEC) issued its “Statement and Guidance on Public Company Cybersecurity Disclosures,” which that that “given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattacks.”^1,2

Historically, cyberattacks on businesses mainly compromised customer records and other operational data of the target, and the decrease in the targeted firm’s (equity) value following such incidents usually was due to reputation damage for failing to protect those data. However, daily operations of targeted firms usually were not significantly interrupted. For example, Equifax reported on September 7, 2017 that unauthorized access occurred from mid-May through July 2017 and stole 145.5 million consumer records from the company. Although the stock price of Equifax declined by 35.5% within a week of the reporting of this incident, daily operations of Equifax were not heavily interrupted.³

In contrast, a noticeable trend is that ransomware cyberattacks are now more frequent. These directly affect the targeted firm’s daily operations by blocking access to computer systems and/or shutting down facilities until a ransom is paid by a deadline. Consequently, the recent prevalence of ransomware attacks has a more direct impact on the targeted firms’ operating cash flows, and attacks affect the financial situation of targeted firms more directly than reputational damage. For example, Colonial Pipeline, the largest US pipeline system for refined oil products, suffered a ransomware attack on May 7, 2021, which led to fuel shortages in the next few days across several states. The company paid $4.4 million in bitcoin as ransom within a few hours of the attack (Eaton and Volz 2021). Similarly, another ransomware attack targeted JBS, the world’s largest meatpacker, on May 30, 2021, which rendered all JBS-owned beef facilities in the United States temporarily inoperative. JBS had to pay an $11 million ransom in bitcoin...