Cyber-Security Incidents, External Monitoring and Probability of Restatements

Abstract

The number of cyber-security incidents has dramatically increased in the last few years as well as the costs they generate for the affected firms. The impact of such incidents on affected firms and individuals usually receives most of the attention of the media and researchers alike. However, cyber-security incidents represent main concerns also for regulators and for the external auditors of the affected firms. While regulators are mostly concerned about the impact on the general economy, external auditors face potential reputational damage if a security breach results in misleading financial results. In this paper, we investigate how regulators and external auditors react to cyber-security incidents in the two years following the breach. Using a sample of 4,764 US firms, we find that the breached firms are subject to increased scrutiny by both regulators and external auditors following a security breach; this results in a higher probability of receiving a SEC Comment Letter, higher audit quality, and lower probability of financial restatements. Our results show that cyber-security incidents represent high-profile events not only for the affected firms but also for regulators and external auditors who attempt to constrain the negative outcomes of these incidents through increased monitoring and enhanced controls.