Abstract

High-profile cybersecurity breaches have raised concerns regarding how organizations disclose security management information to the public. The American Institute of Certified Public Accountants (AICPA) developed a cybersecurity risk management (CSRM) reporting framework to help organizations better convey their cybersecurity programs to the public. In this article, we attempt to provide evidence of how cybersecurity disclosures, as developed by AICPA, affect investment decisions. Our findings suggest that nonprofessional investors are less likely to invest in breached firms with the disclosure of CSRM reports alone. Disclosing the risk management report with an independent assurance report does not mitigate the negative impact of security breach news. We discuss the corresponding implications.
