The Disclosure of Cybersecurity Risk
64 Pages Posted: 30 Nov 2017 Last revised: 25 Jun 2021
Date Written: June 25, 2021
Abstract
Following a data breach, interlocking firms are more likely to disclose exposure to cybersecurity risk in their annual report. Firms connected by auditors, via economic rivalry, or along a supply chain do not show similar disclosure propagation. The evidence suggests that disclosure propagation over interlocking firms is driven by a director’s self-interests or by a behavioral response to cybersecurity risk saliency, rather than by an improved monitoring for risk exposure. This finding sheds insight into the expanding length of risk factor disclosures and suggests that not all of this growth may be in the best interests of shareholders.
Keywords: risk factor disclosure, corporate director, cybersecurity, data breach, corporate governance
JEL Classification: G34
Suggested Citation: Suggested Citation