Did IT consulting firms gain when their clients were breached?

Despite all the research investigating the impact of data and information technology (IT) breaches to the market value of the breached firms, few studies explore the effects of breach events on the stock price of consulting firms that supplies the know-how and infrastructure to create, implement and maintain those information systems that were hacked. Information transfer theory and capital market expectation suggest that as more data breaches occur every year, investors, clients and customers may well look beyond the faults of the individual firms, and place some responsibility on the shoulders of these IT providers. In this study, we investigated a total of 83 breach events affecting a wide range of US firms in various industries in year 2006 and 2007. We found that the market value of the IT consulting firms is positively associated with the disclosure of IT security breaches. The IT consulting firms realized an average abnormal return of 4.01% during the 2-day period after the announcement. Using the event-study method and Ordinary Least Squares Regression to calculate and analyze these firms’ abnormal returns, we found evidence that as the number of breached records increased, the IT consulting firms tended to suffer negative returns. In addition, the observed impact was more salient for breaches that affect technology intensive firms than retailing or other firms. In other words, generally speaking, the IT consulting firms have similar experiences with the attacked firms.

► The impacts of these breach events on the stock price of IT providers were positive.
► The number of breached records increased, the IT consulting firms tended to suffer negative returns.
► The observed impact was more salient for breaches that affect technology intensive firms than retailing or other firms.