The Impact of Cybersecurity Risk Management Examinations and Cybersecurity Incidents on Investor Perceptions

Abstract

In response to increased cybersecurity risk and demand for information about organizations’ cybersecurity risk management programs, the American Institute of Certified Public Accountants (AICPA) recently released a cybersecurity risk management examination service. We examine the effect of how this attestation service is provisioned on investors’ perceptions and valuation judgments. We also examine how these effects differ depending on whether a subsequent cybersecurity incident has occurred. The results of our experiment show that joint provisioning has a negative effect on investors’ perceptions of independence, without a corresponding positive effect on perceptions of cybersecurity examination competence or audit competence. We also find that the effect of an incident on audit competence is significantly more negative for joint compared to separate provisioning. The results also show that cybersecurity examination quality attenuates the negative effect of an incident on investors’ willingness to invest. This study highlights important implications of how cybersecurity examinations are provisioned.