Are the good spared? Corporate social responsibility as insurance against cyber security incidents

Despite the increasing consensus that socially responsible behavior can act as insurance against externally induced shocks, supporting evidence remains somewhat inconsistent. Our study provides a clear demonstration of the insurance‐like properties of corporate social responsibility (CSR) in preserving corporate financial performance (CFP), in the event of a data (cyber) breach. Exploring a sample of 230 breached firms, we find that data breaches lead to significantly negative CFP outcomes for low CSR firms, with the dynamic being particularly pronounced in consumer‐sensitive industries. Further, we show that firms increase their CSR activities in the aftermath of a breach to recover lost goodwill and regain stakeholder trust. Overall, our results support the use of CSR as a strategic risk‐mitigation tool that can curtail the consequences of data breaches, particularly for firms operating in consumer‐centric environments.

For instance, Chen et al. (2022) use value-at-risk and lower partial moment measures to demonstrate that excellent CSR performance can alleviate downside risks.This mechanism can protect firms from negative events and offer better control of stakeholder expectations in crisis situations (Lins et al., 2017).However, the empirical evidence in support of the insurance hypothesis remains somewhat inconsistent (Awaysheh et al., 2020), with studies reporting contrasting findings even when examining the same type of events (Peloza, 2006).For example, studies looking at the consequences of oil spills have observed both positive (Luo et al., 2018) and negative (Luo et al., 2013) associations with CSR, indicating that CSR activities, depending on the event and its magnitude, can be both a benefit and a liability. 2everal meta-analytic studies have been put forward to shed light on the tenuous nature of the CSR-CFP relationship.While there is controversy over measurement issues and sample variability, a consensus seems to be emerging toward a positive directionality between CSR and corporate performance.However, the relationship is highly contingent on different factors and moderators.For example, Friede et al. (2015) consider more than 2000 studies on the relationship between environmental, social, and governance criteria and CFP, and reveal that the vast majority find a non-negative and/or positive relationship.The relationship is strong across various regions, with North America and developed European countries showing the strongest associations.Wang et al. (2016) find that while the overall effect size of the CSR-CFP relationship is positive and significant, they highlight its tenuous nature by showing that CSR and CFP measurement strategies explain some of the variations observed.They uncover that the institutional environment a firm operates within is significant to the strength of the relationship and that the relationship is stronger for firms from advanced versus developing economies.Velte (2021), employing a qualitative meta-analysis, confirms that while both CSR and environmental performance increase CFP, the context of analysis plays an important role in the strength of the relationship.Finally, Busch and Schnippering (2022) specifically focus on the role of innovation, motivated by the ambiguous findings of how R&D intensity influences the corporate social performance (CSP)-CFP relationship.They find that extreme R&D intensity values contribute to elevated CFP and that overly simplistic functional misspecification of the innovation dynamic may have driven the inconclusive results in previous studies.
It is clear from the above discussion that the CSR-CFP relationship is conditional upon the context being exploredthe region, the country, the industry, or even the timeframe.In this study, therefore, we take a context-specific view of the CSR-CFP relationship to observe the relationship under conditions of crisis.Despite acknowledging the role of CSR in protecting and preserving financial performance, to date, there is a paucity of literature on the ethics in risk decisionmaking under crisis conditions (Doorn, 2015).Utilizing the insurance and crisis management literature, we address this gap in the literature by looking at a very specific type of crisis: data breaches, a new type of event not previously investigated from a CSR-CFP perspective.
A data breach can be defined as a "compromise of security that leads to the unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, protected data transmitted, stored or otherwise processed" (Knight & Nurse, 2020). 3Therefore, such incidents may consist of different types of events, such as malware, ransomware, denial-ofservice attacks, card payment fraud, malicious insiders, or even human error.Most data breaches can be attributed to external parties such as criminals, competitors, and hackers (including activist hackers, referred to, by some, as hacktivists).The average cost of a data breach in an enterprise or large organization has now reached $4.35 million (Ponemon Institute, 2022).Prominent examples include when Marriott International announced in 2018 that cyber thieves had stolen data on approximately 500 million customers.Even companies that are supposed to be at the front line of technological innovation and data protection, that is, Google, Yahoo, eBay, and Equifax, have been the subject of cyberattacks. 4With the prevalence of cyberattacks increasing, posing threats at organizational (Paté-Cornell et al., 2018) and federal (Zheng & Albert, 2019) levels, studying data breaches with respect to the insurance capabilities of CSR can offer invaluable insights toward advancing our understanding of the CSR-CFP preservation relationship.
Meanwhile, in better examining the context-specific nature of the CSR-CFP relationship, we further focus on the industry-specific dimension of the CSR-CFP relationship.This study specifically considers firms with a strong consumer focus, on the premise that data breaches will challenge the trust and reputational foundation of consumer-focused businesses.Our study offers a number of distinct contributions to the literature.First, we explore the CSR-CFP relationship in relation to data breaches.We show that although data breaches have significant negative performance implications, a firm's CSR investment can provide insurancelike protection.We advance the existing theory on CSR as insurance by showing that this mechanism is particularly observable for firms operating in consumer-sensitive industries.Second, we add to the empirical literature on the insurance-like properties of CSR by exploring the ex-post implications of CSR in the aftermath of a data breach.This has become more pertinent when we consider that despite the increased risk of a company becoming a data breach victim (Ponemon Institute, 2022), many corporate executives believe their companies are unequipped to handle the fallout from a breach.Our findings denote that insurance properties of CSR can hence help alleviate stakeholder concerns over inadequate internal controls.
The study is structured as follows.We begin the next section by providing the key theoretical underpinnings that form the basis for our hypotheses.Next, we present our methodological framework, the empirical design, and data employed.We then present our findings and conclude with a discussion of our contribution to theory and practice.

THEORETICAL BACKGROUND AND HYPOTHESES DEVELOPMENT
Business risks are inevitable in today's dynamic work environment (Baghersad & Zobel, 2022;Hashemi et al., 2019), with Christensen and Kohls (2003) identifying that crisis conditions are more likely as technology advances, meaning that recognizing and anticipating business risks is imperative for future success.Meanwhile, previous literature has highlighted a selection of benefits of incorporating ethical considerations into risk analysis frameworks (Hansson & Aven, 2014;Rozell, 2018).More specifically, a good CSR strategy can act as a buffer against unexpected negative events and/or fraudulent actions that could affect a firm's reputation and performance.Therefore, this growth in business risk increases the need to understand the "insurance mechanism hypothesis" dimension of CSR strategies (Godfrey et al., 2009;Koh et al., 2014;Minor & Morgan, 2011;Shiu & Yang, 2017) During times of crisis, companies are often accused of ignoring their most important stakeholders (Sellnow et al., 2012).However, it can be argued that companies that introduce CSR activities enjoy higher levels of trust and understanding from their stakeholders.In these cases, a firm's stakeholders may exhibit higher resilience in response to a negative incident (Cheng et al., 2014;Lins et al., 2017), especially when it is externally initiated, temporary, and uncontrollable, as stakeholders are more likely to accept an incident as "an honest mistake" or simply bad luck, rather than as bad management and negligence (Klein & Dawar, 2004;Minor & Morgan, 2011).Meanwhile, a firm showcasing sensitivity to social and moral concerns is expected to portray the same behavior toward its external and internal actors.In other words, employees that perceive their firm as "doing good" may be discouraged from rouge or outright illegal activities, therefore reducing the internal threat of a breach (Koh et al., 2014).Campbell (2007) and Li et al. (2019) also highlight the importance of employees, by identifying the presence of employee associations, as well as state regulation and nongovernmental organizations (NGOs), as factors leading to firms being more likely to engage in a socially responsible manner.Doh and Guay (2006) demonstrate the role of advocacy by NGOs in encouraging such responsible behavior by firms.More directly, Sen and Borle (2015) highlight how stricter laws reduce the risk of data breaches, which aligns with Velte (2021) who presents the benefits of increased government regulation in the form of stronger CSR reporting requirements.
Taking the above into consideration, we expect that higher CSR activities lessen the negative implications of a cyber breach, act as a shield against public opinion and outcry, and preserve corporate reputation.Therefore, we posit that: Hypothesis 1. Higher CSR activity lessens the effects of data breaches on firm performance.
Consumer reactions differ greatly across shocks and industries (Figuié & Fournier, 2008;Wei et al., 2016).Data breaches are one such shock that impacts consumers directly, with Ponemon Institute (2022) citing that 60% of firms are raising prices due to the impact of data breaches.Yet, the implications of data breaches for consumer sentiment have only briefly been explored in the literature.Some examples include Das et al. (2012) and Tosun (2021), with Das et al. (2012) reporting that depending on the type of attack, web-based (i.e., e-commerce firms) and banking, financial services, and insurance companies suffer more severely from cyberattacks.Eling and Jung (2018) also find that data loss severity is highest for retail/merchant and banking and insurance industry sectors.The service provision of these companies depends heavily on the internet and as a result, they handle large volumes of confidential information such as customer PINs, social security numbers, and credit card data (Das et al., 2012).
Motivated by the above, we expect the impact of a data breach to be more severe for firms operating in high consumer-sensitive industries, that is, firms that produce goods and services primarily aimed at individual customers (Lev et al., 2010), for example, retail, food, and beverage.This is in contrast to low consumer-sensitive industries that primarily produce goods and services to meet industrial or governmental demand, for example, commercial aircraft manufacturers.Our expectations are based on two key premises.First, in high consumer-sensitive industries, consumers will be more attuned to the use, protection, and dissemination of their personal information, since any mishandling can have detrimental effects on their personal and professional lives.Recent reports on the pervasiveness of data breaches, for example, IBM's Cost of a Data Breach Report (Ponemon Institute, 2022), suggest that customers are becoming more sensitive and demanding when it comes to the handling of their personal data.Second, we expect that firms operating in industries that either handle large quantities of sensitive data or rely on consumer data (such as companies operating in high consumer-sensitive industries) to be "lucrative targets for financially-motivated cyber attackers" (Das et al., 2012).As Lev et al. (2010) succinctly put it: "firms that produce goods and services for individual customers (high consumer sensitivity) have greater incentive to appear charitable…than firms that produce goods and services for industrial or government use (low consumer sensitivity)".
While there is ample evidence suggesting that CSR practices differ substantially across firms (Chen et al., 2022), and the position of a firm in the value chain (Kim et al., 2019), our understanding of the context-specific nature of CSR-CFP remains fragmented, unbalanced, and incomplete (Dabic et al., 2016).As CSR can significantly influence consumer attitudes, purchase intentions, loyalty, satisfaction, and consequently their evaluation of a company and its products, we argue that the negative impact of a security breach will be exacerbated within a consumer-sensitive industry but significantly alleviated by increased CSR engagement.Hypothesis 2a.Firms in high consumer-sensitive industries will experience lower firm performance due to data breaches, compared to those in low consumer-sensitive industries.

Hypothesis 2b.
In high consumer-sensitive industries, higher CSR activity will lessen the negative effects of data breaches on firm performance at a greater level than in low consumer-sensitive industries.
On the other hand, we recognize that during times of crises there are different strategies that a firm can employ including apologizing, remuneration as well as price reductions and additional advertising (Löfstedt & Renn, 1997;Pfarrer et al., 2008).While these tactics are important, they do little to repair damaged stakeholder relationships and hence are insufficient in recovering stakeholder trust.On the contrary, we expect that explicit social acts can help firms to more efficiently rehabilitate their public image (Pfarrer et al., 2008).As mentioned for H1, increased CSR activities, targeting the general public and/or the affected stakeholders will increase stakeholders' conviction that such an incident was indeed a "one-time occurrence" (Klein & Dawar, 2004;Minor & Morgan, 2011), and reinforce their trust against a future recurrence.Such an approach not only increases the integrity and courage to cope with the aftermath of a crisis (Shrivastava, 1993) but also strengthens the legitimacy and fairness of the decisions made.Ulmer and Sellnow (2000) theorized that a crisis often leads to greater protection of internal stakeholders at the expense of external stakeholders.However, several experimental studies find that CSR can appease a multitude of stakeholders during a post-crisis period (Assiouras et al., 2013;Vassilikopoulou et al., 2009).In this way, CSR serves as an asset to expedite a firm's recovery from reputational damage suffered as a result of a crisis.Finally, the more reliant a firm's business model is on a particular group of stakeholders, the greater the need to address stakeholders effectively post-crisis.Therefore, we posit that: Hypothesis 3. Firms in high consumer-sensitive industries will take actions to enhance CSR performance to a greater degree in the aftermath of data breaches, in comparison with firms in low consumer-sensitive industries.

CSR data
In this study, we combine several data sets.First, to measure CSR activities, we employ the KLD Stats database constructed by KLD Research.The KLD database assesses a firm's corporate social performance within seven dimensions: community, diversity, employee relations, environment, human rights, product, and corporate governance.
Each of these dimensions includes several strength and concern subcategories that are rated either 0 (neutral) or 1 (strength/concern).We construct a CSR measure based on the first six categories (community, diversity, employee relations, environment, human rights, and product).Corporate governance is excluded from our primary measure as it is not directly related to a firm's CSR activities (Jian & Lee, 2015;Servaes & Tamayo, 2013); however, we later check for robustness to including corporate governance in the CSR score calculation in the acknowledgement of the recent growth in the popularity of the "ESG" movement.For each firm-year observation, we aggregate all strengths and concerns across the six dimensions and calculate the annual measure by subtracting a firm's total CSR concerns from its total CSR strengths.To test our hypothesis, we use the net CSR measure (and lagged values of this score) as our CSR measure.We supplement our calculated CSR scores with accounting data from Compustat and stock market data from CRSP.We follow Servaes and Tamayo (2013) by matching the concurrent CSR score to firms with a December fiscal year-end.For firms with a fiscal year-end prior to December, we match the KLD data from the previous year to make sure that CSR scores precede performance measures and firm-level controls.

Data breaches
To identify data breaches, we use the Privacy Rights Clearinghouse (PRC) database.PRC is a California-based nonprofit corporation that collects detailed information about cyber security breaches for businesses, nonprofits organizations, and government organizations in the United States.Each recorded breach is verified through media sources or government agencies.The adoption of Security Breach Notification Laws across the United States as well as increased media attention has driven the use of PRC data in empirical research (Eling & Jung, 2018;Higgs et al., 2016).
Examples of breaches classified by the PRC include incidents due to credit/debit card fraud; hacks by malware or a malicious outside party; malicious insiders; lost, discarded, or stolen physical devices, documents, laptops, smartphones, memory sticks, and hard-drives; and unintended disclosures of sensitive information.We restrict our sample to incidents that affect publicly traded firms.Finally, to avoid the influence of previous incidents, we include only the first cyber security breach for each firm in our sample.Using the PRC database, we identify 230 firms breached within the KLD database.

Variables
Our main performance measure is profitability, calculated as return on assets (ROA).This measure has been widely used to assess performance in relation to a firm's CSR activities (Jo & Harjoto, 2012;Petrenko et al., 2016;Servaes & Tamayo, 2013).Following Petrenko et al. (2016), we calculate ROA as net income divided by total assets.For robustness, we further calculate return on equity (ROE) and return on sales (ROS) (Jian & Lee, 2015;Servaes & Tamayo, 2013) to represent alternative short-term indicators, and Tobin's Q as a longer term profitability measure (Lenz et al., 2017;Mishra, 2017).
Size and market value are especially important control variables in relation to data breaches.Both large and valuable firms have greater visibility and attract more media attention.As a result, they are more likely to become targets for potential adversaries (Kamiya et al., 2021).We use the logarithms of size and market-to-book ratio to control for size and visibility effects (Kamiya et al., 2021).Acknowledging that firms producing highly specialized products and those in possession of trade secrets are more likely to be targeted by cyberattacks (Ettredge et al., 2018), we control for firm-level R&D expenses, and intangibles measured as 30% of selling, general and administrative expenses plus R&D expenses as per Peters and Taylor (2017).Stock return and risk control variables are calculated using daily stock returns and standard deviations for the firm's fiscal year.We further include an indicator variable equal to 1 if a firm pays a dividend.Finally, leverage is calculated as a firm's current liabilities plus long-term debt divided by total assets.Our final sample includes 5092 firm-year observations for 638 firms.Definitions of the variables used in our study are given in Table A1.

Data breaches and CSR
In the first step of our analysis, in line with the first hypothesis (H1), we test the insurance-like capabilities of CSR in relation to data breaches.We estimate the following model: (1) Our outcome variable Profitability i,t is defined as a firm's return on assets at time t for firm i.Data_breach i,t−1 is a dummy variable equal to 1 if a firm suffered a data breach in year t − 1 and CSR_score i,t−1 is a firm's CSR score at time t − 1.All right-hand-side variables are lagged by one period to account for the fact that we employ balance sheet data throughout our analysis.The variable of interest is the interaction term Data_breach i,t−1 × CSR_score i,t−1 .The interaction term captures the effect of a data breach in relation to a firm's CSR score.To control for important firm characteristics, known to impact a firm's profitability, we further include a vector of time-varying control variables (X), as well as vectors of industry (δ) and time (λ) dummies.

Data breaches, CSR, and consumer-sensitive industries
In the second step of our analysis, we are interested in the importance of consumer sensitivity in relation to the ability of CSR to serve as an insurance-like mechanism.We follow Lev et al. (2010) and define consumer-sensitive industries as those that fall into either of the two classifications, consumer goods or finance. 5oughly 67% of the 638 firms in our sample are classified as consumer-sensitive.Panel C of Table 1 further outlines that 3423 (153) firm-year observations (data breaches) are classified as consumer-sensitive with 1669 (77) firm-year observations (data breaches) deemed to be non-consumersensitive industries.We re-estimate Equation 1 to include an indicator variable, Consumer-sensitive_industry i , that is equal to 1 if a firm operates in a consumer-sensitive industry, and 0 otherwise: (2) The variable of interest in this second model is the following interaction term: Data_breach i,t−1 × CSR_score i,t−1 × Consumer-sensitive_industry i .This interaction term captures the insurance-like capabilities of CSR in relation to data breaches for firms operating in consumer-sensitive industries.As we did in Equation 1, we control for important firm characteristics, known to impact a firm's profitability (X), as well as vectors of industry (δ) and time dummies (λ).

3.4.3
Post-breach CSR and consumer-sensitive industries Finally, we examine how firms adjust their CSR activities in the aftermath of a breach, with a particular focus on firms that operate in a consumer-sensitive business environment.Our outcome variable, CSR_score i,t , is the CSR score for firm i at time t.To capture the contemporaneous and subsequent impacts of a data breach, we include three different versions of the indicator variables Data_breach/Post_breach. First, to capture the contemporaneous impact of the breach, we estimate the following regression model, where Data_breach i,t is equal 1 if the firm experienced a breach in that year: The variable of interest here is the interaction term Data_breach i,t × Consumer-sensitive_industry i .
Second, we focus on the impact of the breach one period after it has occurred, where Post_breach i,t+1 is equal to 1 if the firm experienced a breach one year previously: Again, the variable of interest here is the interaction term, in this case, Post_breach i,t+1 × Consumer-sensitive_industry i .
Finally, we look at the impact of the breach in the t+1 to t+2 period, where Post_breach i,t+2 is equal to 1 if the firm experienced a breach 1-2 years previously: (5) Again, the variable of interest here is the interaction term, in this case, Post_breach i,t+2 × Consumer-sensitive_industry i .
As per previous specifications, we include an indicator variable that is equal to 1 if a firm operates in a consumersensitive industry, Consumer-sensitive_industry i , and zero otherwise.We also control for firm-level differences as well as differences across industries (δ) and time (λ).

Distribution, summary statistics, and correlation analysis
The distribution of data breaches in our sample is given in Table 1.Panel A presents the distribution across years, Panel B presents the distribution across industries (Fama-French 12 Industry Classification), and finally, in Panel C we provide a breakdown by a consumer-sensitive industry.Table 2 presents summary statistics for all the main variables.Finally, a correlation matrix is provided in Table 3.Our final sample includes 5092 observations across 638 firms with 230 identified data breaches.The data breaches are relatively equally dispersed throughout the sample period.In terms of distribution across industries, the concentration is highest for companies operating in telephone and television transmission.Overall, we find that approximately 4% of firms in our sample have suffered a data breach with the majority of them, roughly 67%, classified as operating in consumer-sensitive industries.Furthermore, the correlation analysis reveals that total assets as an indicator of firm size and visibility are most strongly correlated (0.313) with a firm suffering a breach.

CSR as insurance: The case of data breaches
In the first part of our empirical analysis, we test the insurance-like characteristics of a firm's CSR activities in relation to data breaches.The insurance argument predicts that CSR can protect firms from negative consequences after an event or shock.We apply the same rationale to data breaches and evaluate their impact on firm financial performance.
TA B L E 2 Summary statistics.This table reports summary statistics.In particular, the table reports the number of observations for all the variables used throughout our regression analysis.Furthermore, the table reports the mean and median value of each variable, its standard deviation as well as the 10th (P10) and 90th (P90) percentile of the distribution Table 4 presents OLS regression results based on Equation 1 for a number of lagged firm variables on our outcome variable, ROA.We employ a variety of specifications.First, in columns (1), (3), and (5), we capture the knowledge-based investment of a firm using a firm's R&D expenditure.Second, in columns (2), (4), and (6), we include a measure of intangibles to also capture some of the innate organizational capital of a firm (Lev & Radhakrishnan, 2005).We also control for year effects in columns (1) and ( 2) and year and industry effects in columns (3-6).As corporate governance may also be included in decisions made by investors regarding CSR, columns (5) and ( 6) adopt an alternative calculation for the CSR score that includes the corporate governance category.

Summary
In line with our expectations, we find that data breaches have a negative impact on firm profitability.The negative effect ranges from 0.9% to 2.5% across our regression specifications.While, as in prior studies, we find an insignificant coefficient for the CSR variable capturing the direct relationship between CSR and performance, we do reveal an indirect relationship.We find that the interaction term is significant and positive across all specifications, indicating that CSR (calculated with or without the corporate governance dimension) lessens the negative impact of a data breach, thus providing support for our first hypothesis (H1).Overall, our results support the view that CSR can shield firms against negative performance implications arising from data breaches.For robustness, we also consider alternative firm performance specifications, namely short-term (ROE and ROS) and long-term profitability measures (Tobin's Q).
Table A2 presents the results of this analysis.Again, focusing on the key interaction term between a data breach and the CSR score, we find that these alternative profitability specifications also broadly support our first hypothesis (H1).Similar to Table 4, the widespread significance of the interaction term suggests that CSR can protect firms against the financial impact of data breaches.

CSR as insurance: The case of data breaches in consumer-sensitive industries
While the empirical evidence of the insurance provision of CSR is growing (Koh et al., 2014;Shiu & Yang, 2017), the existing research predominantly focuses on the type of event and the way it may affect firms.So far, existing research has placed little emphasis on the stakeholder group most affected by the examined negative firm-specific event, the customers.While we acknowledge that firm heterogeneity within sectors can result in significant variation (Welburn & Strong, 2022), to address our second set of hypotheses, we concentrate on examining financial performance effects for breached firms operating in consumer-sensitive industries.Results are reported in columns (1-6) of Table 5.We include the same set of control variables as in Table 4.However, for the sake of brevity, we do not report each control variable individually.As in Table 4, we control for year effects in columns (1) and ( 2), and year and industry fixed-effects in columns (3-6).

TA B L E 3
Correlation matrix.This table reports the correlation coefficients between the main variables used throughout this study.The reported coefficients are for the full sample (N  First, we observe that the negative impact of data breaches on firm profitability is centered around firms operating in consumer-sensitive industries (H2a).This is an important finding as it provides the first explicit evidence to link the negative consequences of an event (in this case data breaches) to the reaction of a particular stakeholder group.Most importantly, however, we find that the insurance provision of CSR is also concentrated around firms that operate in a consumersensitive environment (H2b).In comparison with Table 4, the potential of CSR to provide insurance-type provisions in times of crisis is stronger once the consumer-sensitivity of the firm's business environment has been accounted for.Again, this result is robust to the inclusion of corporate governance in the CSR score calculation as shown in columns ( 5) and (6).In line with our previous results, we observe no significant relationship between CSR and firm performance, showing that the potential for CSR to impact performance is constrained to its insurance provision.

Post-breach CSR in consumer-sensitive industries
In the final stage of our empirical analysis, we examine changes in CSR activities due to a data breach for consumer-sensitive firms.We expect that firms increase their CSR activity to repair stakeholder trust and positively alter stakeholder evaluations after a crisis.For this analysis our TA B L E 5 Data breaches, corporate social responsibility (CSR), and firm profitability in consumer-sensitive industries.This table reports the results of a linear regression model with Profitability (return on assets, ROA) as the dependent variable.Data_breach is an indicator variable equal to 1 if the firm suffered a data breach and 0 otherwise.CSR_score is the firm's CSR score computed based on KLD data, with CSR_score(Gov) incorporating the corporate governance dimension when calculating the CSR measure.We further define an indicator variable Consumer-sensitive_industry if a firm operates in a consumer-sensitive industry.The variable of interest is the interaction term Data_breach×CSR_score×Consumer-sensitive_industry (3) (4) (5) ( 6) dependent variable is now CSR_score.Again, we include two measures of innate organizational capital: (i) R&D and (ii) intangible assets (Lev & Radhakrishnan, 2005).We control for all previously employed firm-level control variables, as well as year and industry dummies.The results are presented in Table 6.We report three different specifications: (i) contemporaneous changes in CSR are reported in Panel A, (ii) changes in the year after the breach (t + 1) are reported in Panel B, and finally (iii) changes in 2 years after the breach (t + 1 to t + 2) are reported in Panel C.
We find evidence that firms operating in consumersensitive industries increase their CSR activities after a data breach.Based on the interaction term in each panel, there is no evidence that a firm will increase its CSR score in the year of the breach.Rather, we predominantly observe an increase in the CSR score in the year following the breach (H3).Our results imply that firms deal with the immediate consequences of a breach in the year it occurs (Panel A) but are able to shift focus towards appeasing stakeholders and regaining trust in subsequent years (Panels B and C).Moreover, TA B L E 6 Post-breach corporate social responsibility (CSR).This table reports the results of a linear regression model with CSR_score as the dependent variable.Data_breach is an indicator variable that is equal to one in the year of the data breach.Post_breach is an indicator variable that specifies two time periods after a firm suffered a data breach: (i) the year after the data breach, Post_breach (t+1) , and (ii) the second year subsequent to the data breach, Post_breach (t+2) we observe generally lower CSR scores across consumersensitive industries.Although not reported, it is noteworthy to add that firm size and R&D are positively related to CSR, whereas we observe a negative association with risk and leverage.

DISCUSSION
Our study adds to the recent literature highlighting the insurance provision of CSR (Luo et al., 2018;Shiu & Yang, 2017) in relation to cyber security incidents.Motivated by the rapidly increasing threats posed to businesses worldwide, we provide novel insights regarding the context dependency of the insurance mechanism provided by CSR.In particular, we show that data breaches have important negative ramifications for breached firms in the year after a breach.We observe a significant reduction in firm profitability.However, our results indicate that CSR can play an important role in mitigating these negative consequences.
As they are associated with an increased reservoir of goodwill, a strong CSR profile can alleviate the negative implications of threatening events such as data breaches.Indeed, we show that low CSR firms suffer more severely from data breaches than firms with high CSR scores.The latter tend to enjoy higher performance (profitability) in the aftermath of a breach, indicating the value of CSR as a risk management strategy.We conclude that as data breaches become more prevalent, the need to focus on CSR, particularly in consumer-sensitive industries, also increases.
We further assess why firms might seek to adjust their CSR strategy in the post-crisis period.We posit that increasing CSR activities can help positively alter a stakeholder's assessment, especially if a crisis is seen as external, temporary, and outside of the control of the firm (Klein & Dawar, 2004;Koh et al., 2014).We provide evidence that firms utilize CSR as a remediation tool and observe that firms increase their CSR engagement after a data breach.
We further argue that industries with close consumer ties (Lev et al., 2010) are not only better structured to inhibit misconduct but are also more attuned to the implications resulting from a breach.Indeed, we reveal that data breaches do not carry uniform performance implications across firms.We find that firms that operate in consumer-sensitive industries are most affected by a breach.Our results support the view that in highly consumer-centric business environments, key stakeholders, in this case consumers, determine the insurance provision of CSR.In the context of cyber security and data protection, the negative performance implications could result from a heightened demand for trust extended to firms handling consumer information, resulting in a stronger reaction once this consumer trust is violated.
Our results further indicate that firms in consumer-centric environments actively address the loss in stakeholder trust by increasing CSR investment in the years following a data breach.Our results are in line with related studies showing that firms try to rebuild damaged stakeholder relations (Assiouras et al., 2013;Vassilikopoulou et al., 2009).Addressing stakeholders also allows the firm to portray the incident as temporary, external and outside the firm's control (Minor & Morgan, 2011;Klein & Dawar, 2004;Koh et al., 2014), reinforcing stakeholder belief that the incident does not present a threat to the survival of the firm or its long-term performance.

CONCLUSION
Previous literature has highlighted a selection of benefits of incorporating ethical considerations into risk analysis frameworks (Hansson & Aven, 2014;Rozell, 2018;Ruckelshaus, 1984).In this study, we contribute to the literature by highlighting the industry-specific nature of CSR and corporate financial performance (CSR-CFP) in relation to a critical firm-specific event, a cyber security breach.Using a large cross-section of US firms affected by a total of 230 data breaches, we find evidence in support of the insurance provision of CSR in preserving corporate reputation and ultimately firm financial performance.We specifically observe that firms with a stronger CSR profile can better alleviate the negative implications of such a threatening event.High CSR scores result in firms being less scrutinized by stakeholders over negative firm-specific events.We further observe an industry-specific provision of the CSR insurance hypothesis.More specifically, we find that in consumer-sensitive industries, high levels of CSR activities are paramount for preserving firm reputation and performance.Furthermore, we observe a tendency for firms in high consumer-sensitive industries to increase CSR activities in the aftermath of a data breach.We interpret this as an attempt to recover goodwill and alter the perception of the firm.In light of these results, while acknowledging that complete protection against all internal and external cyber threats is unrealistic (Mazzoccoli & Naldi, 2020;Paté-Cornell et al., 2018;Zheng & Albert, 2019), we conclude that managers should increase their focus on CSR as data breaches become more prevalent.This is particularly important in consumer-sensitive industries and in stakeholder scenarios where the data breach is seen as external, temporary, and outside of the control of the firm (Koh et al., 2014).
In future work, scholars could focus on the impact of a cyber security breach in related insurance-like contexts (Godfrey et al., 2009;Klein & Dawar, 2004;Li et al., 2019), by studying if CSR can reduce the public outcry and reputational backlash caused by a cyber security breach, or if corporate political activity can also limit the fallout of the breach (Hadani et al., 2019).Furthermore, given the current lack of unified disclosure requirements, the different regulatory environments across US states also offer an interesting setting to shed light on the interplay between disclosure, shareholder, or consumer reactions and the importance firms assign to cyber-related risks.In particular, consumer-level responses to data breaches could offer a rich empirical setting for policy-and legislation-relevant research, with a key question being whether or not consumers would benefit from disclosure requirements at the national level.
TA B L E A 2 Data breaches, CSR, and alternative profitability measures.This table reports the results of linear regression models using various profitability measures as the dependent variable (ROE, ROS, and Tobins_Q).Data_breach is an indicator variable equal to 1 if the firm suffered a data breach and 0 otherwise.CSR_score is the firm's CSR score computed based on KLD data.The variable of interest is the interaction term Data_breach × CSR_score.All explanatory variables are lagged by one time period
Sample distribution.This table reports the distribution of our sample across three dimensions.Panel A reports the distribution of observations and data breaches per year, Panel B provides an industry breakdown of the sample (Fama-French 12 Industry Classification), and Panel C shows the observations and data breaches for firms operating in consumer-sensitive industries TA B L E 1

TA B L E 4
Data breaches, corporate social responsibility (CSR), and firm profitability.This table reports the results of a linear regression model with Profitability (return on assets, ROA) as the dependent variable.Data_breach is an indicator variable equal to 1 if the firm suffered a data breach and 0 otherwise.CSR_score is the firm's CSR score computed based on KLD data, with CSR_score(Gov) incorporating the corporate governance category when calculating the CSR measure.The variable of interest is the interaction term Data_breach×CSR_score All explanatory variables are lagged by one time period.t-Statistics given in parentheses are based on standard errors corrected for heteroskedasticity and firm-level clustering.Asterisks ***, **, and * indicate statistical significance at 1%, 5%, and 10% levels, respectively. Note: All time-dependent explanatory variables are lagged by one time period.t-Statistics given in parentheses are based on standard errors corrected for heteroskedasticity and firm-level clustering.Asterisks ***, **, and * indicate statistical significance at 1%, 5%, and 10% levels, respectively. Note: