We found a match
Your institution may have access to this item. Find your institution then sign in to continue.
- Title
Is Cybersecurity Risk Factor Disclosure Informative? Evidence from Disclosures Following a Data Breach.
- Authors
Chen, Jing; Henry, Elaine; Jiang, Xi
- Abstract
By examining managers' decisions about disclosing updated assessments of firms' risks, we present evidence that the risk factor disclosures are informative. We use the setting of cybersecurity risk factor disclosures after a data breach because data breaches, especially severe breaches, serve as a natural experiment where an exogenous shock to managers' assessment of their firm's cybersecurity risks occurs. We analyze the topic from the perspective of two different theoretical lenses: the economic lens of optimal risk exposure and the ethical lens of stakeholder theory. Using a sample of firms experiencing data breaches, we find that firms experiencing a data breach increase the amount of cybersecurity risk factor disclosures compared to matched firms with no data breach. Further investigation reveals that the severity of data breaches affects the results; cybersecurity risk factor disclosures increase only after severe data breaches. While there is no significant market reaction if breached firms' subsequent annual reports include increased cybersecurity risk factor disclosures, a significant negative market reaction occurs if breached firms decrease cybersecurity risk factor disclosures, regardless of the severity of the breach, implying that the market anticipates increased disclosures after data breaches.
- Subjects
INTERNET security; DISCLOSURE; DATA security failures; RISK; BUSINESS enterprises; ECONOMICS; PROFESSIONAL ethics; STAKEHOLDER theory; CORPORATION reports
- Publication
Journal of Business Ethics, 2023, Vol 187, Issue 1, p199
- ISSN
0167-4544
- Publication type
Article
- DOI
10.1007/s10551-022-05107-z