Interim dollar gains, cybersecurity pains

By Vince Chong

SMU Office of Research – Between 2005 and 2018, incidents of data breach in the United States rose by nearly eight times, according to the Identity Theft Resource Center. 

In 2019, the average cost of data breaches for US companies, for those involving more than 50 million compromised records, totalled US$388 million, according to The Ponemon Institute. Data from the renowned privacy and data protection research centre also showed that the average cost was US$42 million and US$8.19 million, for breaches involving more than 1 million and fewer than 1 million compromised records, respectively.

In 2016, Verizon reduced its initial offering price for Yahoo by US$350 million after Yahoo announced a massive data breach that hit over one billion user accounts.

These are examples – cited in a research paper by the Deputy Dean of Singapore Management University’s School of Accountancy – that in purely financial terms read like a train wreck. A wreck that the paper alludes could have been less severe if managers were less shortsighted in cutting discretionary expenses to “meet or beat short-term earnings targets.”

“Managerial myopia is a persistent challenge,” Professor of Accounting Zhang Liandong tells the Office of Research, adding that while it cannot be completely cured, it can be properly mitigated. 

“The temptation of short-term rewards is strong, especially when managerial performance is closely tied to immediate financial metrics.”

His detailed and informative research paper The impact of managerial myopia on cybersecurity: Evidence from data breaches – co-authored by Professors Chen Wen and Wu Haibin, of the City University of Hong Kong, and Professor Li Xing of China’s Xi’an Jiaotong University – is based on a sample of US firms taken between 2005 and 2017.

It defines cybersecurity risk as that arising from “the theft or damage of hardware, software, or electronic data, as well as from the disruption or misdirection of the services provided by a company's information technology (IT) system.” A risk that can be controlled by adequate investments in intangible assets such as technology capabilities.

However, as the research finds, certain industry reports show that while a significant amount of data breaches result from human error, myopic managers “underinvest in cybersecurity expenditures such as research and development, software, and employee recruitment and training, because of their negative impact on current earnings.”

Potential solutions

By “realigning incentives and fostering a corporate culture that values long-term sustainability over short-term gains, we can reduce myopic behaviour,” says Professor Zhang. This can involve extending the vesting periods for stock options or linking bonuses to lengthier strategic goals such as cybersecurity and sustainability metrics.

Reporting policies can also be tweaked for this benefit, he adds, citing the Singapore Exchange’s decision to remove mandatory quarterly earnings reports which in turn reduced the pressure to deliver short-term gains. This means “companies can allocate more resources to areas like cybersecurity without the constant pressure to meet short-term earnings targets.”

“By integrating environmental, social, and governance considerations into business strategies, companies can align their operations with long-term societal goals, which in turn drive sustainable financial performance,” Professor Zhang continues, adding that this carries the extra benefit of appealing to stakeholders who value responsible business practices. 

This segues into the task of also educating and cultivating an investor base whose sights are set on the longer horizon, he says. This means engaging with the investing community to stress on long-term strategies and the importance of spending in areas like cybersecurity and sustainability. 

Institutional block ownership is another potential solution, notes The impact of managerial myopia, citing previous research that suggests “sophisticated investors, such as blockholders, place greater weight on long-run value than on short-term earnings performance.” 

“In addition, to the extent that these sophisticated investors actively monitor management, managers should also have less freedom to engage in myopic actions,” the research says.

Implementing the above, Professor Zhang admits, requires a “significant mindset change” across a company and its investors.

“While challenging, this paradigm shift is increasingly necessary in today’s rapidly evolving business environment, where long-term resilience and adaptability are essential for success,” he says. 

The academic adds that while the research was based on US companies, managerial myopia remains “a global phenomenon” though its prevalence may vary depending on “cultural, regulatory, and market factors.”

“The fundamental tension between short-term performance and long-term investment exists in many markets,” he says.

An encouraging sign, his research further notes, is that managerial myopia might improve in certain firms following data breach announcements among industry peers. There is “extensive evidence that firms learn from the experiences of their peers and respond accordingly,” it says, citing prior studies. 

“Insufficient” ties between research and industry

Professor Zhang’s interest in the topic was piqued by the rising number and severity of data breaches amid persistent reports of “managerial short-termism,” and he believes closer ties between researchers and the industry can improve corporate policies.

“Based on my observation, there is insufficient communication and collaboration between academics and the industry,” he tells the Office of Research. 

“[This] hinders the incorporation of research findings into actionable practices or policies. This gap prevents valuable insights from being fully leveraged by practitioners who could benefit from them.”

SMU, he continues, is addressing the issue by actively bringing the two sides together, through academic-industry events like the School of Accountancy’s Conference on Digital Transformation in the Financial Market.

Encouragingly, there is “growing interest” from both the private and public sectors in understanding the implications of managerial myopia on cybersecurity risk, Professor Zhang says. 

“In Singapore, where there is a strong emphasis on technological advancement and cybersecurity, our findings align with national initiatives to strengthen cyber defences and promote sustainable business practices,” he says. 

Currently, and unsurprisingly, the academic is researching and working out how managers can be encouraged to invest in long-term intangibles, including environmental and social dimensions. 

“These areas are becoming increasingly important as stakeholders demand more sustainable and socially responsible business practices,” he explains, adding that stressing on “long-term intangibles” helps organisations build resilience, among other things. 

“This research is crucial because investing in environmental and social initiatives not only benefits society but also enhances a company's reputation, competitiveness, and long-term financial performance.” 

Back to Research@SMU November 2024 Issue