Is Cybersecurity Risk Factor Disclosure Informative? Evidence from Disclosures Following a Data Breach
Journal of Business Ethics, Forthcoming
62 Pages Posted: 18 Feb 2021 Last revised: 22 Feb 2022
Date Written: February 20, 2022
By examining managers’ decisions about disclosing updated assessments of firms’ risks, we present evidence that the risk factor disclosures are informative. We use the setting of cybersecurity risk factor disclosures after a data breach because data breaches, especially severe breaches, serve as a natural experiment where an exogenous shock to managers’ assessment of their firm’s cybersecurity risks occurs. We analyze the topic from the perspective of two different theoretical lenses: the economic lens of optimal risk exposure and the ethical lens of stakeholder theory. Using a sample of firms experiencing data breaches, we find that firms experiencing a data breach increase the amount of cybersecurity risk factor disclosures compared to matched firms with no data breach. Further investigation reveals that the severity of data breaches affects the results; cybersecurity risk factor disclosures increase only after severe data breaches. While there is no significant market reaction if breached firms’ subsequent annual reports include increased cybersecurity risk factor disclosures, a significant negative market reaction occurs if breached firms decrease cybersecurity risk factor disclosures, regardless of the severity of the breach, implying that the market anticipates increased disclosures after data breaches.
Keywords: Cybersecurity risk factor disclosures, cyber business ethics, data breach
JEL Classification: G14, G32, M41
Suggested Citation: Suggested Citation