We use ordinary least squares (OLS) regression and cluster-robust standard errors to estimate all equations. Cluster-robust standard errors are used in hypothesis testing to address the potential issues of within-cluster error correlation and heteroskedasticity (Xue et al. 2017). We cluster the standard errors by firm because financial performance in different time periods for the same organization is likely to be correlated. It is worth considering that clustering by industry might be an attractive alternative to clustering by firm. Romanosky (2016) reports that certain industries are more prone to data breaches while others are more prone to suffer higher costs per incident.5 This provides some support for correlations between firms within a given industry, in this context. However, if we were to cluster by industry there may be a small number of clusters since we eliminate a substantial number of firms from the original PRC database. This would not

13 Electronic copy available at: (Goldfarb and Tucker 2014). Since 169 firms in our dataset have multiple data breach incidents over our sample period and we observe 413 different firms, it appears reasonable to define clusters by firm. Furthermore, it is reasonable to conclude that observations belonging to the same organization are more likely to be correlated with each other compared to observations within the same industry.6 3.3 Variables Table 1 summarizes the definitions and data sources of the variables that we include in our empirical models. Table 1. Variable Definitions and Data Sources

Variable Name Profit Variable Construction/Definition Operating income before depreciation (OIBDP from Compustat), which is expressed in millions of dollars. Data Source Compustat Sales SALE from Compustat, which is expressed in millions of dollars. Compustat Operating Expenses Account Credential Data Breach Total Liabilities Retained Earnings Total operating expenses (XOPR from Compustat), which is expressed in millions of dollars. A dummy variable equal to 1 if account credentials are involved in the data breach, and 0 otherwise. See the explanation and the appendix for more details. Total liabilities (LT from Compustat), expressed in millions of dollars. Retained earnings (RE from Compustat), expressed in millions of dollars. Compustat PRC Compustat Compustat Equity Stockholder equity of the parent company (TEQ from Compustat), expressed in millions of dollars. Compustat

Firm Size The natural logarithm of one plus total assets (AT from Compustat). AT is first multiplied by 1 million so that we are working with the actual value of total assets. Compustat 6 When investigating the economic impacts of data breaches, Makridis and Dean (2018) cluster their standards errors at the firm-level as well. 14 Electronic copy available at: Industry Concentration The sum of the squares of the market shares of the four firms with the highest sales in that industry. Compustat Records An estimate of the number of compromised records from the incident. PRC Multiple Breach in a Year A dummy variable equal to 1 if the firm suffers multiple breaches in a year, and 0 if the firm only experiences one breach throughout the year. PRC