Across the Pond: How U.S. Firms’ Boards of Directors Adapted to the Passage of the GDPR

51 Pages. Posted: 28 Jul 2020. Last revised: 8 Sep 2022

April Klein

New York University (NYU) - Department of Accounting

Raffaele Manini

Universitat Pompeu Fabra

Yanting (Crystal) Shi

HEC Paris; New York University (NYU), Leonard N. Stern School of Business, Department of Accounting, Students

Date Written: June 29, 2020

Abstract

One of the prime responsibilities of the board of directors is to understand and oversee its firm’s risk profile. We exploit a recent European Union (EU) regulation, the General Data Protection Regulation (GDPR), as a quasi-exogenous shock to the cyber risk landscape to assess whether boards of U.S. firms changed their focus and governance structures to deal with this new challenge. Although an EU regulation, the GDPR applies to all American public firms with at least one EU user. Adopting a difference-in-differences methodology, we use firms previously regulated by the HIPAA as a control group, and find that boards of treated U.S. firms, on average, increase their focus on cyber risk, add more directors with cyber/IT expertise, and more frequently assign cyber risk oversight to the board or to a board committee. In cross-sectional tests, we show that these changes are positively associated with a firm’s ex ante cyber risk, but are unrelated to whether a firm had a large EU presence, suggesting a more global reaction to the GDPR. In addition, we examine some of the consequences of these board changes. We find boards that promptly responded by changing their board focus, expertise, and monitoring assignment of cyber risk around the passage of GDPR had fewer future cyber attack/data breaches and less related media attention. Our findings suggest that, on average, American corporate boards promptly responded to changes in the cyber risk environment.

Keywords: Board Resiliency, Corporate Governance, Corporations, GDPR

JEL Classification: G30

Suggested Citation

Klein, April and Manini, Raffaele and Shi, Yanting, Across the Pond: How U.S. Firms’ Boards of Directors Adapted to the Passage of the GDPR (June 29, 2020). NYU Stern School of Business, Available at SSRN: https://ssrn.com/abstract=3640515 or http://dx.doi.org/10.2139/ssrn.3640515

April Klein (Contact Author)

New York University (NYU) - Department of Accounting

Stern School of Business
44 West 4th Street
New York, NY 10012
United States

Raffaele Manini

Universitat Pompeu Fabra

Ramon Trias Fargas, 25-27
Barcelona, E-08005
Spain

Yanting Shi

HEC Paris

1 rue de la Liberation
Jouy-en-Josas Cedex, 78351
France

New York University (NYU), Leonard N. Stern School of Business, Department of Accounting, Students

40 West 4th Street
Suite 10-98
New York, NY 10012
United States
