The determinants of cybersecurity risk disclosure in firms’ financial reporting: Empirical evidence

Abstract

This paper examines the relationship between cybersecurity risk disclosure and financial reporting deficiencies. Using a difference-in-difference approach based on a large, matched sample of breached and non-breached US firms for the period 2006 to 2016, a differential effect is seen between cybersecurity risk disclosures in pre- and post-Breach financial reporting related to cybersecurity incidents. The association between the cybersecurity risk disclosure and subsequent reported financial deficiencies is positive and significant, providing some evidence for regulators that more firm-specific disclosure may provide increased audit quality, to which the auditor responds by increasing audit effort. The empirical findings suggest that firms with prior cybersecurity risk disclosures are more likely to experience financial reporting deficiencies. The results obtained are robust to a variety of sensitivity checks.