Management Information Systems Quarterly

Abstract

This study examines how the mergers and acquisitions (M&As) of a firm influence its number of data breaches. Drawing from complexity theory and matching theory, we propose that M&As increase data breaches and this effect is contingent on M&A diversity (dissimilarity between the parent and target firms). Based on the 18-year panel data (2004-2021) of 5,072 public firms in the United States, we find that more M&As by a firm lead to more data breaches. Moreover, we reveal that the number of data breaches increases even more when the parent and target firms operate in different business domains. This finding is confirmed when we operationalize M&A diversity as size discrepancy or a strategic type difference between the parent firm and the target firm (vertical vs. horizontal M&A). Furthermore, based on routine activity theory, we explore two additional moderating mechanisms through which M&As influence data breaches: M&A media publicity and target vulnerability. Our analyses demonstrate that M&As with higher media publicity experience more data breaches than those with lower media publicity, but counterintuitively, M&As involving a more vulnerable target firm lead to fewer data breaches than those involving a less vulnerable target firm. This study not only confirms the impact of M&As on data breach recurrence but also unveils various underlying mechanisms of this impact, thus contributing to both research and practice in cybersecurity and information systems.
