Is Cybersecurity Risk Factor Disclosure Informative? Evidence from Disclosures Following a Data Breach

Abstract

By examining managers’ decisions about disclosing updated assessments of firms’ risks, we present evidence that the risk factor disclosures are informative. We use the setting of cybersecurity risk factor disclosures after a data breach because data breaches, especially severe breaches, serve as a natural experiment where an exogenous shock to managers’ assessment of their firm’s cybersecurity risks occurs. We analyze the topic from the perspective of two different theoretical lenses: the economic lens of optimal risk exposure and the ethical lens of stakeholder theory. Using a sample of firms experiencing data breaches, we find that firms experiencing a data breach increase the amount of cybersecurity risk factor disclosures compared to matched firms with no data breach. Further investigation reveals that the severity of data breaches affects the results; cybersecurity risk factor disclosures increase only after severe data breaches. While there is no significant market reaction if breached firms’ subsequent annual reports include increased cybersecurity risk factor disclosures, a significant negative market reaction occurs if breached firms decrease cybersecurity risk factor disclosures, regardless of the severity of the breach, implying that the market anticipates increased disclosures after data breaches.