- Companies that suffer a data breach face a 22% higher loan spread and a 40-basis-point increase in borrowing costs on average, a study published in The Accounting Review finds.
- Breached companies also tend to face a roughly 25% increase in loan covenants, say the researchers, Henry Huang, associate professor of accounting at Yeshiva University, and Chong Wang, assistant professor of accounting at Hong Kong Polytechnic University.
- “Breached firms experience significantly higher increases in loan spread, the likelihood of collateral requirement, and [a higher] number of covenants,” the researchers say in the study, “Do Banks Price Firms’ Data Breaches?”
- These costs come on top of the other consequences breached companies face, including costs for notifying customers, remediating the damage and fighting lawsuits.
The study is based on a look at 1,081 bank loans to publicly traded companies over roughly a dozen years.
Although the higher lending costs apply to breached companies across the board, the negative impact is worse for companies in what the researchers consider vulnerable industries, including healthcare, business services and transportation.
The impact also worsens depending on the number of customers affected and whether the breach stemmed from criminal hacking or an employee mistake.
What’s more, the impact tends to be worse for companies with a reputation for strong internal controls. That's because the breach forces banks to make a greater adjustment in their risk assessment of the company than they otherwise would have.
“Banks have high expectations for firms with a strong IT reputation and significantly adjust their risk assessment of these firms following data breaches,” the researchers say.
Notwithstanding the fallout, companies that remake their internal controls into a best-in-class system might be able to reduce the impact on their borrowing costs.
HEI Hotels & Resorts, for example, engaged outside data forensic experts after it was hit with a data breach in 2016. It also transitioned its payment card processing to stand-alone systems, and it reconfigured its point-of-sale and payment card processing systems.
“This piece of anecdotal evidence suggests that a breached firm might be able to improve its information system shortly post-breach through a series of corrective actions, thereby mitigating some of the adverse consequences,” the researchers say.