The Impact of Cybersecurity Risk Management Examinations and Cybersecurity Incidents on Investor Perceptions and Decisions

Abstract

SUMMARYIn response to cybersecurity risk and demand for information about organizations' cybersecurity risk management programs, the American Institute of Certified Public Accountants (AICPA) recently released a cybersecurity risk management examination service. We examine the effect of joint or separate provisioning of this service on investors' perceptions and decisions, and whether these effects differ when a subsequent cybersecurity incident occurs. We find that the negative signal of a subsequent cybersecurity incident reverses investors' positive perceptions of auditor competence and increases investors' sensitivity to potential independence impairments when the cybersecurity is jointly provisioned, leading to lower perceptions of audit quality. We also find that investors are less willing to invest when the examination is jointly provisioned compared to separately provisioned. Our results provide important insights to the literature and to purchasers and regulators by examining an emerging non-audit service and how a signal of non-audit service quality can affect perceptions of audit quality.