Merger and acquisition, firm-level cybersecurity risk, and research and development intensity

Abstract

This paper investigates the relationship between firm-level cybersecurity risk and merger and acquisition (M&A) activities of firms in the United States from 2007 to 2018. Using a novel measure of firm-level cybersecurity risk and the multivariate regression analysis, we find empirical evidence of a positive association between M&A and cybersecurity risk. Interestingly, cybersecurity risk only increases with intangible assets acquisitions, but not with tangible assets acquisitions. Further empirical analysis shows that the impact of M&A on cybersecurity risk is moderated by technological intensity, with firms that have higher levels of research and development (R&D) intensity facing less pronounced cybersecurity risk. Our findings are robust to different variable measurements and endogeneity diagnoses. Our results deliver important implications for practitioners and policymakers and make a valuable contribution to the literature by providing a more comprehensive understanding of the relationship between M&A and cybersecurity risk and by highlighting the role of corporate innovation in mitigating this risk.