{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,30]],"date-time":"2025-12-30T08:59:04Z","timestamp":1767085144207,"version":"3.41.2"},"reference-count":78,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2021,9,15]],"date-time":"2021-09-15T00:00:00Z","timestamp":1631664000000},"content-version":"vor","delay-in-days":257,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,9,15]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Growing reliance on third-party services, such as cloud computing, is believed to increase client firms\u2019 exposure to third-party induced cyber incidents. However, we lack empirical research on the prevalence and scale of third-party induced cyber incidents. Moreover, we do not know who pays more of the price for experiencing these incidents\u2014the client firm and\/or the third-party provider firm. We study these questions using a sample of 1397 cyber incidents in public firms between 2000 and 2020 of which 246 are third-party induced incidents. Our findings offer several novel insights. Third-party induced cyber incidents are not growing in prevalence any faster than other incidents, but they do compromise greater volumes of confidential data per incident. As to the price paid for third-party induced incidents, the picture is more nuanced. Client (first-party) firms suffer drops in equity returns that are comparable to those for homegrown incidents, while small third-party provider firms suffer significantly larger drops in equity returns and large third-party provider firms do not suffer a discernible drop in equity returns. We discuss implications of these findings for client firms and service providers.<\/jats:p>","DOI":"10.1093\/cybsec\/tyab020","type":"journal-article","created":{"date-parts":[[2021,9,15]],"date-time":"2021-09-15T12:06:49Z","timestamp":1631707609000},"source":"Crossref","is-referenced-by-count":9,"title":["Third-party induced cyber incidents\u2014much ado about nothing?"],"prefix":"10.1093","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8605-8814","authenticated-orcid":false,"given":"Michel","family":"Benaroch","sequence":"first","affiliation":[{"name":"Whitman School of Management, Syracuse University, 721 University Ave., Syracuse, NY 13244, USA"}]}],"member":"286","published-online":{"date-parts":[[2021,9,15]]},"reference":[{"article-title":"Large vendor ecosystems and low visibility are increasing third-party cyber risk","year":"2020","author":"BlueVoyant","key":"2021091512044502200_bib1"},{"article-title":"Third-party data breaches: weakest link in cybersecurity","year":"2017","author":"DiGiacomo","key":"2021091512044502200_bib2"},{"key":"2021091512044502200_bib3","doi-asserted-by":"crossref","first-page":"235","DOI":"10.1016\/j.jbusres.2018.06.006","article-title":"The emerging Cloud Dilemma: balancing innovation with cross-border privacy and outsourcing regulations","volume":"97","author":"Gozman","year":"2019","journal-title":"J Bus Res"},{"key":"2021091512044502200_bib4","article-title":"Data breach? Blame your third party's remote access systems","author":"Messmer","year":"2012","journal-title":"Network World"},{"volume-title":"Data Risk in the Third-Party Ecosystem","year":"2018","author":"Ponemon","key":"2021091512044502200_bib5"},{"key":"2021091512044502200_bib6","article-title":"IBM report: compromised employee accounts led to most expensive data breaches over past year","author":"IBM","year":"2020","journal-title":"PR Newswire Asia"},{"key":"2021091512044502200_bib7","first-page":"130","article-title":"Can improved transparency reduce supply chain risks in cloud computing?","volume":"10","author":"Akinrolabu","year":"2017","journal-title":"Oper Supply Chain Manage"},{"key":"2021091512044502200_bib8","article-title":"Linking operational IT failures to IT control weaknesses","volume-title":"Proceedings of AMCIS\u20192015","author":"Benaroch","year":"2015"},{"key":"2021091512044502200_bib9","article-title":"Optimizing cybersecurity program: evidence from data breaches in healthcare","volume-title":"13th Annual Symposium on Information Assurance (ASIA\u201918)","author":"Vasishta","year":"2018"},{"year":"2016","author":"NetDiligence","key":"2021091512044502200_bib10"},{"key":"2021091512044502200_bib11","article-title":"Target breach happened because of a basic network segmentation error","author":"Vijayan","year":"2014","journal-title":"Computerworld"},{"key":"2021091512044502200_bib12","doi-asserted-by":"crossref","first-page":"132","DOI":"10.1016\/j.irle.2019.03.007","article-title":"Why information security law has been ineffective in addressing security vulnerabilities: evidence from California data breach notifications and relevant court and government records","volume":"58","author":"Park","year":"2019","journal-title":"Int Rev Law Econ"},{"key":"2021091512044502200_bib13","first-page":"227","article-title":"Much ado about nothing: the (lack of) economic impact of data privacy breaches","volume":"33","author":"Richardson","year":"2019","journal-title":"J Inf Syst"},{"key":"2021091512044502200_bib14","first-page":"34","article-title":"A global comparison of corporate value adjustments to news of cyber-attacks","volume":"9","author":"Hogan","year":"2020","journal-title":"J Gov Regul"},{"year":"2020","author":"CISA","key":"2021091512044502200_bib15"},{"key":"2021091512044502200_bib16","doi-asserted-by":"crossref","first-page":"383","DOI":"10.2307\/2325486","article-title":"Efficient capital markets: a review of theory and empirical work","volume":"25","author":"Fama","year":"1970","journal-title":"J Finance"},{"article-title":"The economic impact of information security breaches: firm value and intra-industry effects","year":"2006","author":"Aytes","key":"2021091512044502200_bib17"},{"key":"2021091512044502200_bib18","doi-asserted-by":"crossref","first-page":"97","DOI":"10.1046\/J.1098-1616.2003.026.x","article-title":"The impact of denial-of-service attack announcements on the market value of firms","volume":"6","author":"Hovav","year":"2003","journal-title":"Risk Manag Insur Rev"},{"key":"2021091512044502200_bib19","doi-asserted-by":"crossref","first-page":"69","DOI":"10.2753\/JEC1086-4415120103","article-title":"Market reactions to information security breach announcements: an empirical analysis","volume":"12","author":"Kannan","year":"2007","journal-title":"Int J Electron Commer"},{"article-title":"Is there a cost to privacy breaches? An event study","year":"2006","author":"Acquisti","key":"2021091512044502200_bib20"},{"key":"2021091512044502200_bib21","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1080\/10864415.2004.11044320","article-title":"The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers","volume":"9","author":"Cavusoglu","year":"2004","journal-title":"Int J Electron Commer"},{"key":"2021091512044502200_bib22","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1108\/09685220310468646","article-title":"Quantifying the financial impact of IT security breaches","volume":"11","author":"Garg","year":"2003","journal-title":"Inf Manag Comput Secur"},{"key":"2021091512044502200_bib23","doi-asserted-by":"crossref","first-page":"61","DOI":"10.1111\/j.1540-6296.2010.01178.x","article-title":"The effect of data breaches on shareholder wealth","volume":"13","author":"Gatzlaff","year":"2010","journal-title":"Risk Manag Insur Rev"},{"key":"2021091512044502200_bib24","first-page":"13","article-title":"The impact of information security breaches on financial performance of the breached firms: an empirical investigation","volume":"17","author":"Ko","year":"2006","journal-title":"J IT Manag"},{"key":"2021091512044502200_bib25","doi-asserted-by":"crossref","first-page":"544","DOI":"10.1109\/TSE.2007.70712","article-title":"An empirical analysis of the impact of software vulnerability announcements on firm stock price","volume":"33","author":"Telang","year":"2007","journal-title":"IEEE Trans Softw Eng"},{"key":"2021091512044502200_bib26","first-page":"22","article-title":"Do data breaches matter?","volume":"May","author":"Dane","year":"2016","journal-title":"ISSA J"},{"key":"2021091512044502200_bib27","first-page":"18","article-title":"The market value and reputational effects from lost confidential information","volume":"5","author":"Tanimura","year":"2009","journal-title":"Int J Financ Manag"},{"key":"2021091512044502200_bib57","doi-asserted-by":"crossref","first-page":"719","DOI":"10.1016\/j.jfineco.2019.05.019","article-title":"Risk management, firm reputation, and the impact of successful cyberattacks on target firms","volume":"139","author":"Kamiya","year":"2021","journal-title":"J Financ Econ"},{"key":"2021091512044502200_bib28","doi-asserted-by":"crossref","first-page":"431","DOI":"10.3233\/JCS-2003-11308","article-title":"The economic cost of publicly announced information security breaches: empirical evidence from the stock market","volume":"11","author":"Campbell","year":"2003","journal-title":"J Comput Secur"},{"key":"2021091512044502200_bib29","first-page":"606","article-title":"Event study analysis of the economic impact of IT operational risk and its subcategories","volume":"12","author":"Goldstein","year":"2011","journal-title":"J Assoc Inf Syst"},{"article-title":"The value of security audits, asymmetric information and market impacts of security breaches","year":"2004","author":"Zhou","key":"2021091512044502200_bib30"},{"key":"2021091512044502200_bib31","doi-asserted-by":"crossref","first-page":"Article 1","DOI":"10.2202\/1932-9156.1081","article-title":"Security breaches and firm value","volume":"5","author":"Bolster","year":"2010","journal-title":"J Bus Valuation Econ Loss Analysis"},{"key":"2021091512044502200_bib45","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1007\/s10799-018-00297-3","article-title":"The effect of information security certification announcements on the market value of the firm","volume":"20","author":"Deane","year":"2019","journal-title":"Inf Technol Manag"},{"key":"2021091512044502200_bib46","doi-asserted-by":"crossref","first-page":"455","DOI":"10.14257\/jse.2014.12.04","article-title":"An analysis of information security management system and certification standard for information security","volume":"11","author":"Kang","year":"2014","journal-title":"J Secur Eng"},{"article-title":"The stock market impact of information security investments: the case of security standards","year":"2019","author":"Malliouris","key":"2021091512044502200_bib47"},{"key":"2021091512044502200_bib48","first-page":"10","article-title":"A study of effect of Information Security Management System [ISMS] certification on organization performance","volume":"10","author":"Park","year":"2010","journal-title":"Int J Comput Sci Netw Secur"},{"article-title":"Timing in information security: an event study on the impact of information security investment announcements","year":"2018","author":"Szubartowicz","key":"2021091512044502200_bib49"},{"key":"2021091512044502200_bib74_1631324088289","article-title":"Cybersecurity Regulati ons: Banking and Third Party Providers","author":"Bryant","year":"2016","journal-title":"A Capstone Project Submitted to the Faculty of Utica College, May 2016"},{"key":"2021091512044502200_bib75_1631324194588","article-title":"MITIGATINGRISK TO DOD INFORMATION NETWORKS BY IMPROVING NETWORK SECURITY IN THIRD-PARTY INFORMATION NETWORKS","author":"Kansteiner","year":"2016","journal-title":"Master\u2019s thesis"},{"key":"2021091512044502200_bib76_1631326149173","article-title":"Amid Cyber Threat to your Business Data,\u00a0Trust but Verify Third-Party Processing","volume":"85","author":"Goldstein","year":"2015","journal-title":"Mortgage Banking"},{"key":"2021091512044502200_bib77_1631327218749","first-page":"64","article-title":"Are Your BusinessPartners Letti ng in the Hackers?\u201d Compliance Week. November 25","author":"Kroll","year":"2014"},{"key":"2021091512044502200_bib50","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/SECON.2015.7132885","article-title":"Trust in cloud computing","volume-title":"Proceedings of the IEEE SoutheastCon 2015","author":"Horvath","year":"2015"},{"article-title":"Cloud security: transparency is crucial for service providers","year":"2015","author":"Vijayan","key":"2021091512044502200_bib51"},{"key":"2021091512044502200_bib73","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-45819-5_13","article-title":"Cyber security and IT outsourcing: challenges and emerging realities","volume-title":"IS Outsourcing: The Era of Digital Transformation","author":"Benaroch","year":"2020","edition":"5th edn."},{"key":"2021091512044502200_bib52","doi-asserted-by":"crossref","first-page":"452","DOI":"10.1016\/j.im.2016.10.002","article-title":"Information security concerns in IT outsourcing: identifying (in)congruence between clients and vendors","volume":"54","author":"Dhillon","year":"2017","journal-title":"Inf Manag"},{"year":"2011","author":"Raj","key":"2021091512044502200_bib53"},{"key":"2021091512044502200_bib32","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1201\/1086\/44530.13.3.20040701\/83067.5","article-title":"The impact of virus attack announcements on the market value of firms","volume":"13","author":"Hovav","year":"2004","journal-title":"Inf Syst Secur"},{"key":"2021091512044502200_bib33","doi-asserted-by":"crossref","first-page":"60","DOI":"10.1016\/j.accinf.2005.10.002","article-title":"Market reaction to e-commerce impairments evidenced by website outages","volume":"7","author":"Anthony","year":"2006","journal-title":"Int J Account Inf Syst"},{"article-title":"Indirect financial loss of phishing to global market","year":"2008","author":"Leung","key":"2021091512044502200_bib34"},{"key":"2021091512044502200_bib35","first-page":"263","article-title":"Market price effects of data security breaches","volume":"20","author":"Morse","year":"2011","journal-title":"Inf Secur J: A Glob Perspect"},{"key":"2021091512044502200_bib36","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1016\/j.accinf.2012.03.001","article-title":"An internal control perspective on the market value consequences of IT operational risk events","volume":"13","author":"Benaroch","year":"2012","journal-title":"Int J Account Inf Syst"},{"key":"2021091512044502200_bib37","doi-asserted-by":"crossref","DOI":"10.1109\/THS.2015.7225301","article-title":"Quantifying the impact of data loss incidents on publicly-traded organizations","volume-title":"2015 IEEE International Symposium on Technologies for Homeland Security (HST)","author":"Hsieh","year":"2015"},{"key":"2021091512044502200_bib38","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1016\/j.im.2014.12.006","article-title":"The influence of data theft on the share prices and systematic risk of consumer electronics companies","volume":"52","author":"Hinz","year":"2015","journal-title":"Inf Manag"},{"key":"2021091512044502200_bib39","article-title":"The impact of information security breaches and IT security investments on a firm's competitors","volume-title":"38th International Conference on Information Systems","author":"Jeong","year":"2017"},{"article-title":"How does cyber crime affect firms? The effect of information security breaches on stock returns","year":"2017","author":"Arcuri","key":"2021091512044502200_bib40"},{"key":"2021091512044502200_bib41","doi-asserted-by":"crossref","first-page":"1","DOI":"10.58886\/jfi.v16i2.2263","article-title":"Stock price reaction to data breaches","volume":"16","author":"Johnson","year":"2017","journal-title":"J Finance Issues"},{"key":"2021091512044502200_bib42","first-page":"1","article-title":"Long-term market implications of data breaches, not","volume":"13","author":"Lange","year":"2017","journal-title":"J Inf Priv Secur"},{"key":"2021091512044502200_bib43","doi-asserted-by":"crossref","DOI":"10.2139\/ssrn.3033950","article-title":"What the hack: systematic risk contagion from cyber events","author":"Corbet","year":"2017"},{"key":"2021091512044502200_bib44","article-title":"Analysis: how data breaches affect stock market share prices","author":"Bischoff","year":"2017","journal-title":"Inf Secur Comparitech"},{"key":"2021091512044502200_bib54","article-title":"Computer glitch forced Datek to refuse online orders Monday","author":"Bennett","year":"1999","journal-title":"Dow Jones News Service"},{"article-title":"Web glitch costing ebay $2m a day","year":"1999","author":"Li","key":"2021091512044502200_bib55"},{"year":"2005","author":"Spence","key":"2021091512044502200_bib56"},{"key":"2021091512044502200_bib58","doi-asserted-by":"crossref","first-page":"117","DOI":"10.1287\/stsc.2020.0106","article-title":"Learning from digital failures? The effectiveness of firms\u2019 divestiture and management turnover responses to data breaches","volume":"5","author":"Say","year":"2020","journal-title":"Strategy Sci"},{"key":"2021091512044502200_bib59","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1080\/10570314.2013.866686","article-title":"All that glitters is not gold: the role of impression management in data breach notification","volume":"78","author":"Jenkins","year":"2014","journal-title":"West J Commun"},{"key":"2021091512044502200_bib60","first-page":"163","article-title":"Do nonprofessional investors care about how and when data breaches are disclosed?","volume":"33","author":"Cheng","year":"2019","journal-title":"J Inf Syst"},{"article-title":"Surviving the service provider data breach: cybersecurity law alert","year":"2019","author":"McAndrew","key":"2021091512044502200_bib61"},{"key":"2021091512044502200_bib62","doi-asserted-by":"crossref","DOI":"10.5089\/9781484313787.001","article-title":"Cyber risk, market failures, and financial stability","author":"Kopp","year":"2017"},{"year":"2015","author":"PwC (Price Waterhouse Coopers)","key":"2021091512044502200_bib63"},{"key":"2021091512044502200_bib64","article-title":"Cyber criminals targeting third-party service providers","author":"Moorcraft","year":"2020","journal-title":"Insurance Business Magazine"},{"article-title":"Payment card data breaches: what you need to know about your risk and liability","year":"2014","author":"First Data","key":"2021091512044502200_bib65"},{"volume-title":"Survival Analysis","year":"1997","author":"Miller","key":"2021091512044502200_bib66"},{"key":"2021091512044502200_bib67","doi-asserted-by":"crossref","first-page":"626","DOI":"10.2307\/257056","article-title":"Event studies in management research: theoretical and empirical issues","volume":"40","author":"McWilliams","year":"1997","journal-title":"Acad Manag J"},{"key":"2021091512044502200_bib68","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1016\/0304-405X(85)90042-X","article-title":"Using daily stock returns: the case of event studies","volume":"14","author":"Brown","year":"1985","journal-title":"J Financ Econ"},{"author":"Hilary","key":"2021091512044502200_bib78_1631344287201"},{"key":"2021091512044502200_bib69","doi-asserted-by":"crossref","first-page":"1177","DOI":"10.1007\/s11142-018-9452-4","article-title":"Do firms underreport information on cyber-attacks? Evidence from capital markets","volume":"23","author":"Amir","year":"2018","journal-title":"Rev Account Stud"},{"key":"2021091512044502200_bib70","article-title":"Nearly 65% of affected public companies did not report cybersecurity breaches to the SEC","author":"Coleman","year":"2018","journal-title":"Audit Analytics Report"},{"key":"2021091512044502200_bib71","article-title":"Majority of cybersecurity incidents go unreported to SEC, analysis finds","author":"Croce","year":"2019","journal-title":"Pensions & Investments"},{"key":"2021091512044502200_bib72","doi-asserted-by":"crossref","DOI":"10.2139\/ssrn.2852519","article-title":"Cyber-risk disclosure: who cares?","author":"Hilary","year":"2016"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab020\/40390427\/tyab020.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab020\/40390427\/tyab020.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,8]],"date-time":"2023-11-08T20:57:17Z","timestamp":1699477037000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyab020\/6370580"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,1]]},"references-count":78,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,9,15]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyab020","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"type":"print","value":"2057-2085"},{"type":"electronic","value":"2057-2093"}],"subject":[],"published-other":{"date-parts":[[2021,1,1]]},"published":{"date-parts":[[2021,1,1]]},"article-number":"tyab020"}}