Information Security Risk and Costs of Capital: Evidence from Taiwan Semiconductor Companies

The paper investigates whether firms’ exposure to information security risk influences firms’ costs of capital. Most IT firms highly rely on computer systems and network appliances; it may cause disasters if firms are involved in great information security risk. In the sample of Taiwan’s semiconductor firms during 2005–2016, we show that ISO 27001-certified firms (a well-known information security certificate) have lower costs of debt, but whether firms are ISO 27001-certified is not associated with firms’ costs of equity. Our findings are consistent with modern financial theories: debt holders, as put writers to firms’ value, benefit from firms’ lower information security risk, and better corporate governance, and thus lower firms’ costs of debt. On the other hand, equity holders should hold efficient portfolio through diversification and thus firms’ costs of equity should not be influenced by firms’ information security risk, which belongs to idiosyncratic risk in the portfolio theory.