The Impact of the Type of Cybersecurity Assurance Service and Cybersecurity Incidents on Investor Perceptions and Decisions

Abstract

SUMMARY Regulators, investors, and boards of directors are increasingly demanding information about organizations’ cybersecurity risk management. I examine the effect of the AICPA’s voluntary cybersecurity examination service on investor perceptions and decisions. Similar to a previous AICPA IT-related assurance service called WebTrust that failed in the marketplace, cybersecurity examinations face competition from less comprehensive and less costly assurance services in a nonstandardized assurance market, and it is unclear whether investors will recognize the value provided by the more comprehensive assurance service. I find that investors are more willing to invest when management disclosures describe a cybersecurity examination compared with a less comprehensive assurance service but only if the assurance is in response to a cybersecurity incident. I also find that this effect is mediated by investor perceptions of assurance quality. I, however, do not find support for these same effects when the assurance is disclosed in the absence of an incident.