The Disclosure of Cybersecurity Risk

64 Pages Posted: 30 Nov 2017 Last revised: 25 Jun 2021

Date Written: June 25, 2021


Following a data breach, interlocking firms are more likely to disclose exposure to cybersecurity risk in their annual report. Firms connected by auditors, via economic rivalry, or along a supply chain do not show similar disclosure propagation. The evidence suggests that disclosure propagation over interlocking firms is driven by a director’s self-interests or by a behavioral response to cybersecurity risk saliency, rather than by an improved monitoring for risk exposure. This finding sheds insight into the expanding length of risk factor disclosures and suggests that not all of this growth may be in the best interests of shareholders.

Keywords: risk factor disclosure, corporate director, cybersecurity, data breach, corporate governance

JEL Classification: G34

Suggested Citation

Nordlund, James, The Disclosure of Cybersecurity Risk (June 25, 2021). Available at SSRN: or

James Nordlund (Contact Author)

Louisiana State University ( email )

2163 CEBA
Baton Rouge, LA 70803
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics