An Incentives-Based Mechanism for Corporate Cyber Governance Enforcement and Regulation

Abstract

A growing literature in finance examines the impact of cybercrime on equity markets and publicly traded corporations, with an emerging strand of this literature investigating the contagion channel from cybersecurity breaches against the publicly traded companies, to broader market volatility. The dominant responses by the corporations to these threats can be described as ‘test internally for internal vulnerabilities’, and the ‘insure and forget’ approach, both of which imply a lack of significant preventative actions by companies under the risk of an external cybersecurity attack. The evidence of growing adverse impact and risk of hacking events on firms’ market valuations is highlighted by (i) the rising cumulative abnormal returns impact of such events, (ii) the rising systemic contagion effects of hacks, and (iii) the lack of robust regulatory mechanisms for systematic prevention, mitigation, and enforcement of data security breaches. This supports our proposal that when acting under regulatory authority’s supervision from within a ring-fenced incentives system, ‘white knight’ hackers may provide the appropriate mechanism for discovery and deterrence of weak corporate cybersecurity practices and systems. This mechanism can help alleviate the systemic weaknesses in the existent mechanisms for cybersecurity oversight and enforcement in financial markets.