Abstract

This study investigates how voluntary cybersecurity risk management (CyRM) assurance affects non-professional investors’ judgments and decisions. The study also examines how the value relevance of CyRM assurance is altered when having such assurance is expected/unexpected. Employing an experimental approach, we find that after a cyber-breach occurs, companies previously engaging in voluntary CyRM assurance receive more favorable investor assessments of management credibility and, in turn, higher stock valuations. We also find that investors’ assessments of management credibility and stock valuations are more extreme for companies that engage (do not engage) in CyRM assurance in industries where such assurance is not (is) the norm. This study begins to address the question of whether there is a demand for CyRM assurance offered by audit firms, particularly given lingering concerns in research and practice as to the viability of IT-related assurance services. Our research reinforces the profession’s position that management and boards need to recognize that cyber risk will differ by industry and that investors will react to violations of implicit industry standards for cyber risk management. The results also demonstrate the value to management credibility of having prior CyRM assurance after a cyber-breach; reputation and damage control are important for both management and the company.
