Cybersecurity Risk and Bank Loan Contracting

ABSTRACT Cybersecurity risk is a growing concern for public companies as economic activity increasingly relies on technology. Drawing on finance theory, which posits that lenders possess private information about borrowers, I hypothesize that lenders price cybersecurity risks into loan contracts. A priori, this relation is unclear, given the unpredictable nature of cybersecurity risk and the difficulty lenders face in assessing the likelihood and magnitude of associated losses. Using the private debt market, I find a positive association between cybersecurity risk and the cost of debt. This relation is weaker for borrowers with high-quality information technology and stronger in less competitive lending markets. I also find that, following successful cyberattacks, secondary market loan prices decline (increase) for borrowers with high (low) ex ante cybersecurity risk. Overall, these results suggest that, whereas the SEC’s newly adopted cybersecurity disclosures may provide decision-useful information to retail investors, they may be less relevant for certain stakeholders. Data Availability: Data are available from the public sources cited in the text. JEL Classifications: G21; G32; K24; M15.