Corporate ownership price and institutional investors’ leverage of cybersecurity incidents

Download This Article

Yasemin Zengin-Karaibrahimoglu ORCID logo, Laura Georg Schaffner ORCID logo

https://doi.org/10.22495/cocv22i3art11

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Abstract

Using a data breach incident at a Big Four audit firm, we examine whether companies pay a price for not securing their clients’ data. Leveraging a sample of 1,737 firm-year observations of UK-listed firms audited by Big Four auditors during 2015–2019, we apply difference-in-difference (DiD) models to test whether clients of the breached company, as the audit service provider paid lower audit fees post-breach, particularly in the presence of large institutional shareholders. Our findings document that following a data breach, compared to other comparable non-breached companies, the breached company loses its premium for services, particularly for clients with large institutional shareholders. Given companies’ dual societal and profit-generating functions, our results suggest that data breaches not only compromise a company’s reputation in the capital markets but also erode the trust of their clients, especially in the presence of institutional investors. These findings underscore the economic consequences of data breaches and highlight the critical role of effective control execution in cybersecurity and stakeholder management, thereby preserving market confidence. Our study contributes to the literature by providing novel evidence on reputational spillovers in a non-US setting, highlighting how institutional ownership and service-based trust shape client responses to cybersecurity failures in credence-good industries.

Keywords: Corporate Ownership, Company Reputation, Institutional Investors, Cyber-Attacks, Data Breach, Cybersecurity Controls

Authors’ individual contribution: Conceptualization — Y.Z.-K. and L.G.S.; Methodology — Y.Z.-K. and L.G.S.; Investigation — Y.Z.-K. and L.G.S.; Writing — Original Draft — Y.Z.-K. and L.G.S.; Writing — Review & Editing — Y.Z.-K. and L.G.S.

Declaration of conflicting interests: The Authors declare that there is no conflict of interest.

JEL Classification: D8, M42, O32

Received: 20.06.2025
Revised: 03.09.2025; 22.09.2025
Accepted: 08.10.2025
Published online: 10.10.2025

How to cite this paper: Zengin-Karaibrahimoglu, Y., & Georg Schaffner, L. (2025). Corporate ownership price and institutional investors’ leverage of cybersecurity incidents. Corporate Ownership & Control, 22(3), 138–152. https://doi.org/10.22495/cocv22i3art11