Corporate Cybersecurity and the Impact of State-Level Cyber Laws
31 Pages Posted: 9 Jan 2025
Abstract
In the United States, laws at the federal level regarding cybersecurity have historically left cybersecurity protection primarily up to individual companies, with regulations focused more on disclosure of cyber events rather than on their prevention. Although the Federal approach to cybersecurity regulation is changing under the Biden administration, specific regulatory changes will take time to be developed and implemented. As a result of the approach to cybersecurity at the federal level, many states have passed their own cybersecurity laws. This paper explores how differences in corporate qualitative disclosures related to cybersecurity awareness impact how the market responds to passage of the laws. We argue that because the expected costs for companies to comply with the laws will vary according to the “business friendliness” of the state, the effect of law passage on market valuation will be stronger for democratic majority (“blue”) states since laws in these states are likely to address different aspects of cybersecurity and are more likely to be enforced. Results are consistent with our expectations, with a more positive valuation for firms with existing cyber mitigation and results focused in blue states.
Keywords: Cybersecurity awareness, Disclosure, Market valuations, State Laws.
Suggested Citation: Suggested Citation