Firm Use of Cybersecurity Risk Disclosures

What is it about?

In an ever-connected world, increasing reliance on information technology can inadvertently increase firm cybersecurity risks. One way that firms can communicate cybersecurity uncertainties with external stakeholders is through cybersecurity risk disclosures. This paper examines whether and how firms change their cybersecurity risk disclosure behavior following a cybersecurity breach event. We find that firms increase their cybersecurity risk disclosure after the initial breach event, and the disclosure also increments with subsequent breaches. Further analysis indicates that Negative market reactions result in an increase in disclosure after an initial breach; otherwise, multiple breach events appear to promote additional disclosure. This result may imply that firms use cybersecurity risk disclosure as a remedial strategy to mitigate the long-term negative market effect of breaches. In addition, we find that industry characteristics and firm attributes could also impact firms' disclosure strategies.

Featured Image

Photo by Dan Nelson on Unsplash

Photo by Dan Nelson on Unsplash

Why is it important?

Cybersecurity risk disclosure is increasingly crucial to the accounting profession. Our findings contribute to understanding firms' post-breach responses and the role of cybersecurity risk disclosures. Additional disclosures could be used as an effective post-breach approach to remediate negative reputational concerns and reduce information asymmetry about underlying cybersecurity risks. We further clarify the role of market reactions surrounding breach events in the firm's post-breach disclosure strategies. Overall, our study provides practical implications for regulators, firms, and external stakeholders.

Perspectives