Cybersecurity Awareness and Market Valuations
45 Pages Posted: 30 May 2018 Last revised: 17 Jul 2019
Date Written: August 28, 2018
This paper introduces a measure of firm-specific cybersecurity awareness that can be used in empirical research exploring cyber-related issues facing corporations. It extends and updates Gordon, Loeb, and Sohail (2010), who develop an indicator capturing the existence of disclosures related to “information security,” and show a positive association between market valuation and their measure. Since publication of their paper, cyber-related events have become more frequent and salient, and disclosure of cybersecurity issues has become more extensive. Increased disclosure is largely due to a 2011 requirement by the Securities and Exchange Commission, which provides guidance for disclosure of cyber-related issues in 10-K filings. Based upon this mandatory disclosure, we develop a new measure that captures the extent and relevance of cyber disclosures and show that the market positively values cybersecurity awareness. We also show that a more negative tone in cyber disclosures is associated with lower market values. Our results are robust to inclusion of measures of IT governance and controlling for the firm’s overall disclosure characteristics.
Keywords: Cybersecurity, Cybersecurity awareness; Cyber breaches; Cyber risks; IT governance; Market valuations; Intangible assets
Suggested Citation: Suggested Citation