The Impact of Country Institutional Factors on Firm Disclosure: Cybersecurity Disclosures in Chinese Cross-Listed Firms

Abstract

Protection of intellectual property and sensitive data on customers pose significant challenges in the current economy. The institutional setting for cybersecurity differs tremendously by country. In China, the government plays a central role in overseeing cybersecurity. In the US, however, cybersecurity protection has been primarily left up to individual companies, with regulations focused more on disclosure of cyber events rather than on their prevention. This paper explores differences in qualitative disclosures reflecting cybersecurity awareness between Chinese firms that cross-list in the US and their US domestic counterparts. We argue that the Chinese firms frame disclosures based upon the context of the Chinese institutional setting. Consistent with the strong regulatory framework in China externalizing cybersecurity and thus reducing the need to disclose individual company cybersecurity awareness, we find that Chinese firms have lower levels of cybersecurity disclosure. Market valuation of this qualitative disclosure is higher for Chinese cross-listed firms than for US firms, suggesting that the market favorably views Chinese firm disclosures that communicate a greater level of internalized cybersecurity awareness. To further explore the effect of institutional setting on market valuation of cybersecurity awareness, we perform an event study for the time period surrounding arrest of Huawei’s CFO. This event potentially challenged the effectiveness of Chinese cybersecurity policies since cybersecurity weaknesses at the company were highlighted. We find a negative stock market reaction to the event, but only for Chinese companies. Our results thus provide evidence that the market’s view of company cybersecurity awareness is sensitive to changes in perceptions of the company’s institutional setting.