Cyber-Risk Disclosure: Who Cares?
59 Pages
Posted: 17 Oct 2016
Date Written: October 14, 2016
Cyber-risks have generated considerable interest in the media and among the public. Perhaps as a response, regulators are devoting an increasing amount of resources to improving corporate disclosure related to these risks. In contrast, we find that, despite this increased focus, cyber-risk disclosures by publicly listed firms remain scant. Moreover, a qualitative analysis of five major cases as well as a systematic analysis of security price reactions upon the announcement of breaches shows that the effect on stock prices is very limited. We do not observe strong reactions after the breaches. A “Diff-in-Diff” analysis reveals that the change in operational performance, in executive departure likelihood, in shareholder clientele or in the amount of disclosure does not differ from the changes in a matched sample of firms that were not breached. This lack of reaction is inconsistent with a market or regulatory failure associated with the poor disclosure on cyber-risk.
Keywords: cyber-security, privacy, disclosure