Navigating through cyberattacks: The role of tax aggressiveness

The spread of information technology has had an impact on all economic sectors, and while digital transformation from the Fourth Industrial Revolution has rapidly changed the world of manufacturing and business, the risk of a potential cyberattack has grown alongside increased connectivity. Cybersecurity aspects are transforming at an unprecedented rate, resulting in skyrocketing economic losses in multiple areas of organizations' businesses. Compared to the rest of the world, the U.S. has endured the most expensive data breaches with the average total cost per breach rising from $3.54 million in 2006 and reaching a peak of $8.19 million in 2019.¹ Such cyber risk induces huge costs for threatened targeted firms and has potentially impacted financing, accounting, and investment decisions. One of the possible practices is aggressive tax positions, which are still overlooked in the current literature. We are thus motivated in this study to understand for the first time whether firms engage in tax aggressiveness after experiencing cyberattacks.

Aggressive corporate tax strategy refers to a company's efforts to reduce tax liabilities by all legal methods feasible. Such a company receives tax advantages that were not necessarily anticipated by the government. There are compelling reasons to believe that information security breaches have an effect on tax avoidance, because they are detrimental to firms in both direct and indirect ways.² The direct immediate monetary influence is usually on sales revenue and then in turn a significant reduction of income and financial stability. Kamiya et al. (2021) show that attacked firms experience lower sales growth, deteriorated credit ratings, and increased probability of bankruptcy. Garg et al. (2003) show that breached companies underperform the market by 2.7% on the post-attack day and continue to decline by 4.5% three days after the attack.

Firms that have suffered a data cyberattack will also generally see surging costs associated with updated systems, repairing networks, litigation costs, and public relations expenses. They tend to spend a large amount of money on legal services to control the fallout of litigation (Romanosky et al., 2014) or financial reimbursement or settlement costs to impacted customers. For example, Equifax paid up to $700 million to settle federal and state investigations due to their 2017 massive data breach. The settlement includes $425 million to help 147 million consumers directly cover the costs incurred post-attack.³ In this response, firms also set up an emergency call center for affected customers to timely inform them of cyber security incidents, leading to crippling rises in operational expenses.

Edwards et al. (2016) argue that cash from tax planning practices offers an alternative source of funds for investment in financially-constrained firms. Attacked firms may face intangible costs that can continue to blight a business long after the event, particularly the increased cost of debt. If the increased cost of external finance outweighs the marginal cost of increased tax aggressiveness activities, then firms are likely to be more tax aggressive. Edwards et al. (2016) also indicate that tax savings are less likely to adversely influence a firm's operations. Therefore, cash savings from taxes paid help firms compensate for operational disruption costs in response to a cyber breach.

Indirect costs also raise significant concerns for breached firms, such as increases in information asymmetry (Lending et al., 2018). Cybersecurity breaches are frequently undetected by the company or its stakeholders for a long period after they occur. It is likely that many corporate stakeholders will never be notified of a cybersecurity breach. A distributed denial-of-service attack, for example, might bring down an online site, but until the firm and/or the media tell them otherwise, this could appear to be the result of an equipment or power failure to customer or suppliers. Although authorities have issued regulations for notifying aggrieved parties after a data breach of sensitive information, firms can also have operational and political reasons to defer investigation of a breach, which increases the uncertainty and information asymmetry around cybersecurity breaches. Indeed, Gwebu et al. (2014) provide empirical evidence showing a statistically significant increase in the dispersion of financial analysts' quarterly earnings forecasts between 90 days before and after the breach announcement. When the firm's financial information environment is opaque, it may be better able to obscure its tax liability to government agencies, because all information available to investors and analysts is also obtainable from tax-enforcing entities, and thus avoid paying more taxes.

To study the impact of cyberattacks, we rely on the Privacy Rights Clearinghouse (PRC) database to identify firms that have been attacked from 2005 to 2017. This database allows us to analyze in detail the public information about a breach such as announcements date, hacked information, losses, and even whether attacked firms are public firms or unlisted subsidiaries. We follow Kamiya et al. (2021) and employ a difference-indifferences analysis to explore the effect of cyberattacks on tax aggressiveness. Although cyberattacks are unpredicted external events, the target of the attack is not necessarily random. Hackers may target firms with good performance, reputation, or growth opportunities. Such attacked firms may differ in a variety of ways from those that have not experienced cyber-attacks. To deal with this issue, we construct a matched sample that consists of breached firms and their matched control peers that share similar characteristics.

We next compare this matched sample with control firms to analyze how the aggressive tax strategies of breached firms (treated firms) change after a cyber-attack year. Using a matched sample of 63 cyberattacks from 2005 to 2017, we find that tax aggressiveness (i.e., cash effective tax rate – CETR, and discretionary book-tax differences - DDBT) significantly increase after a firm suffers a cyberattack compared with similar firms that do not experience a security breach. Looking at the economic magnitude, treated firms' cash effective tax rate drops by 2.2% percentage points relative to the control firms that do not experience a cyber breach. The evidence therefore suggests a strong positive effect of cyberattacks on corporate tax aggressiveness.

We further examine the factors that influence the link between cyberattacks and corporate tax avoidance to explore the underlying economic channels. First, we link tax aggressiveness and cyberattacks with firm financial distress risk and cash holding policy and argue that greater direct costs induced by cyberattacks lead to higher financial distress risk. Under this circumstance, firms engage in more aggressive tax planning as a better way to mitigate financial constraints (Law and Mills, 2015). As expected, we present results that cyber attacks increase financial distress risk. Hence, the positive impact of cyber attacks on tax aggressiveness is more pronounced for firms with high financial distress risk. We also consider whether cash taxes paid from tax planning practices become an ideal tool to deal with financial shortages. According to the notion of the precautionary motive of cash (Bates et al., 2009), if firms have a precautionary motive to hold more cash when financial obstacles increase, then the influence of a cyber breach on firm tax aggressiveness should be less pronounced for ex ante cash-rich firms. In line with this view, we find that increased tax aggressiveness after experiencing cyberattacks is significantly lower for ex ante cash-rich firms.

To understand more variations in the documented correlation between cyberattacks and tax aggressiveness, we also take into account the role of information technology (IT) and cybersecurity investment in the effect. Xu et al. (2019) state that firms with IT experts or technology investments may be able to better mitigate the adverse impact of cyberattacks, simply because they can prevent or detect timely breaches. Indeed, the Ponemon Institute discovered that implementing an incident response team and having an incident response plan can reduce costs up to $360,000 per breach. Firms that possess security testing systems or a security model save up to $10.55 per compromised record.⁴ If the motivations for tax aggressiveness are due to high financial losses induced by cyberattacks, then the linkage between cyberattacks and tax aggressiveness should be lower if firms have higher IT or cybersecurity investment intensity. We find evidence that is consistent with this prediction. Firms with higher ex ante investment in IT and cybersecurity better mitigate the effect of cyberattacks on tax aggressiveness.

We finally use the exogenous shock of the introduction of mandatory data breach notification laws to confirm the effect of data breaches on tax aggressiveness. Mandatory disclosures make attacked firms receive higher attention from the public and empower consumers to take action to mitigate any potential harm caused by the breach. In this regard, breached firms may face higher risks and costs (e.g., fines, investigations, customer loss) relating to publicly-disclosed data breaches. Consistently, we find the passage of the Data Breach Notification Laws by U.S. state courts reduce the positive impact of data security breaches on tax avoidance.

Our study contributes to the literature in several ways. First, we extend the growing works on determining the real consequences of cyberattacks by showing how uncertainty and risk shape firm-level tax decisions. Kamiya et al. (2021) document that attacked firms appear to have lower sales growth and operating performance due to reputation cost arising from weakening customer confidence. Consequently, those firms tend to hold more cash (Garg, 2020) and bear a higher cost of debt after facing cyberattacks (Sheneman, 2017). Although these studies enhance our understanding of the influence of cyberattacks on corporate policy and performance, their impact on firm tax strategies is largely overlooked. Going beyond these works, we directly evaluate how firms cope with the impact of cyberattack risk in terms of tax planning practices.

Second, our paper further adds to the vein of emerging studies on the determinants of tax aggressiveness (Hanlon and Slemrod, 2009; Fairhurst et al., 2020). Extant research mainly focuses on internal factors such as ownership structure (Chen et al., 2010), CEO inside debt (Chi et al., 2017), and financial constraints (Edwards et al., 2016). We shift our attention to external factors that are largely outside of a firm's control and cannot be easily managed. Cyber risk has intense adverse consequences - a situation dramatically different from industry volatility studied in many previous papers. Gallemore and Labro (2015) indicate that higher-quality internal information environments in terms of accessibility, usefulness, reliability, and accuracy ratio of the data are associated with greater tax avoidance. We extend this line of the literature by showing that the weaknesses of information systems due to external agents from cyberattacks push firms to be more aggressive in tax planning practices.

Third and finally, cyberattacks are increasing in frequency and intensity due to greater digitalization. Thus, we believe that our investigation is particularly crucial and important for academics, tax authorities, and practitioners attempting to define and identify the conditions that increase the likelihood of corporate tax aggressiveness.

The remainder of the paper proceeds as follows. Section 2 reviews the literature and lays out our hypothesis. Section 3 details the data and methodology. Section 4 provides the empirical results. 5 Cross-sectional analysis, 6 Additional analysis conduct cross-sectional and additional tests, respectively. Section 7 concludes.