XBRL reporting in firms with data breach incidents

Abstract

AbstractThe Securities and Exchange Commission (SEC) adopted new rules mandating that firms disclose cybersecurity incidents and risk management procedures for inline XBRL reporting, highlighting the regulator's concern about firms’ response to data breaches. In this study, we examine whether firms use XBRL strategically to hinder external stakeholders from understanding the impact of announced data breaches. We find that firm XBRL filing complexity increases following data breaches. Further investigation suggests that the increased XBRL complexity is concentrated on financial statement note tags instead of financial statement tags. The findings imply that firms with data breach incidents are likely to increase XBRL reporting complexity to mitigate stock market reactions. We also find that analysts following moderate the relationship between the data breach and XBRL reporting timeliness. These findings provide empirical evidence about XBRL reporting changes after data breach incidents and contribute to cybersecurity literature and XBRL filing regulation.