Is Cybersecurity Risk Factor Disclosure Informative? Evidence from Disclosures Following a Data Breach

Journal of Business Ethics, Forthcoming

62 Pages. Posted: 18 Feb 2021. Last revised: 22 Feb 2022.

Jing Chen

Stevens Institute of Technology - School of Business

Elaine Henry

Stevens Institute of Technology - School of Business

Xi Jiang

Stevens Institute of Technology

Date Written: February 20, 2022

Abstract

By examining managers’ decisions about disclosing updated assessments of firms’ risks, we present evidence that the risk factor disclosures are informative. We use the setting of cybersecurity risk factor disclosures after a data breach because data breaches, especially severe breaches, serve as a natural experiment where an exogenous shock to managers’ assessment of their firm’s cybersecurity risks occurs. We analyze the topic from the perspective of two different theoretical lenses: the economic lens of optimal risk exposure and the ethical lens of stakeholder theory. Using a sample of firms experiencing data breaches, we find that firms experiencing a data breach increase the amount of cybersecurity risk factor disclosures compared to matched firms with no data breach. Further investigation reveals that the severity of data breaches affects the results; cybersecurity risk factor disclosures increase only after severe data breaches. While there is no significant market reaction if breached firms’ subsequent annual reports include increased cybersecurity risk factor disclosures, a significant negative market reaction occurs if breached firms decrease cybersecurity risk factor disclosures, regardless of the severity of the breach, implying that the market anticipates increased disclosures after data breaches.

Keywords: Cybersecurity risk factor disclosures, cyber business ethics, data breach

JEL Classification: G14, G32, M41

Suggested Citation

Chen, Jing and Henry, Elaine and Jiang, Xi, Is Cybersecurity Risk Factor Disclosure Informative? Evidence from Disclosures Following a Data Breach (February 20, 2022). Journal of Business Ethics, Forthcoming, Available at SSRN: https://ssrn.com/abstract=3780388 or http://dx.doi.org/10.2139/ssrn.3780388

Jing Chen (Contact Author)

Stevens Institute of Technology - School of Business

Hoboken, NJ 07030
United States

Elaine Henry

Stevens Institute of Technology - School of Business

Hoboken, NJ 07030
United States

Xi Jiang

Stevens Institute of Technology

Hoboken, NJ 07030
United States
