The Disclosure of Cybersecurity Risk

64 Pages Posted: 30 Nov 2017 Last revised: 25 Jun 2021

See all articles by James Nordlund

James Nordlund

affiliation not provided to SSRN

Date Written: June 25, 2021


Following a data breach, interlocking firms are more likely to disclose exposure to cybersecurity risk in their annual report. Firms connected by auditors, via economic rivalry, or along a supply chain do not show similar disclosure propagation. The evidence suggests that disclosure propagation over interlocking firms is driven by a director’s self-interests or by a behavioral response to cybersecurity risk saliency, rather than by an improved monitoring for risk exposure. This finding sheds insight into the expanding length of risk factor disclosures and suggests that not all of this growth may be in the best interests of shareholders.

Keywords: risk factor disclosure, corporate director, cybersecurity, data breach, corporate governance

JEL Classification: G34

Suggested Citation

Nordlund, James, The Disclosure of Cybersecurity Risk (June 25, 2021). Available at SSRN: or

James Nordlund (Contact Author)

affiliation not provided to SSRN

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics