Do Banks Price Firms' Data Breaches?

This paper studies the financial consequences of a reported data breach for bank loan terms. Using a staggered difference-in-differences approach with treatment and control samples matched by data breach propensity, we find that firms that have reported data breaches face higher loan spreads and their loans are more likely to require collateral and demand more covenants. The effects are more pronounced when the data breach involves criminal activities or the loss of a large number of records, or when the breached firm belongs to certain industries or has a high IT reputation. Moreover, using the introduction of state mandatory data breach notification laws as an exogenous shock, we find that the negative effect of data breaches on bank loan terms is more significant after these laws took effect. Our evidence also suggests that breached firms that take more remedial actions following the breach incident receive less unfavorable loan terms.