Cybersecurity Risk Through the Supply Chain: Evidence From Relationship-Specific Investment

Abstract

This study examines how suppliers adjust their relationship-specific investment (RSI) in response to unexpected cybersecurity attacks affecting their major customers. Motivation or theoretical reasoning

Major customers play a pivotal role for many firms, often fostering enduring trading relationships with suppliers, especially in the United States. Strong ties with these customers can offer a competitive advantage. However, these relationships frequently require investments that hold value primarily within the partnership. As cyberattacks grow more prevalent, cybersecurity has become an urgent concern. Our initial analysis indicates that when a customer experiences a cyberattack, their sales growth declines by around 8%, while suppliers face an approximate 12% drop. Understanding the impact of cyberattacks on RSI with major customers is therefore essential. The test hypotheses

This study hypothesizes that suppliers respond to cyberattacks affecting their customer firms by reducing their RSIs. Furthermore, it is proposed that the extent of this reduction varies depending on the financial and technological characteristics of the suppliers. Specifically, suppliers experiencing higher financial distress risk are expected to exhibit a larger reduction in RSI compared with those with lower financial distress risk. Conversely, suppliers that have made significant investments in information technology and cybersecurity are anticipated to experience a smaller reduction in RSI than those with lower levels of such investments. Target population

This study focuses on supplier firms that have at least one customer who has experienced a data breach. Adopted methodology. Ordinary least square regression models. Analyses: The annual transaction-weighted R&D intensity for each customer–supplier pair serves as a proxy for suppliers’ RSI, with weights representing the significance of each customer to the supplier. The independent variable is an indicator set to 1 for customer firms affected by a cyberattack postincident, and 0 for customers prior to the attack as well as unaffected customer firms. Findings: The study finds that firms significantly decrease their RSI after a customer data breach. Further analysis shows that this reduction is more pronounced among suppliers at greater financial risk. However, a substantial investment in information technology and cybersecurity mitigates the negative impact, highlighting the importance of robust risk management practices in sustaining product–market relationships.