Cyber-Risk Disclosure: Who Cares?

Cyber-risks have generated considerable interest in the media and among the public. Perhaps in response, regulators are devoting an increasing amount of resources to improving corporate disclosure related to these risks. Despite this increased focus, we find that cyber-risk disclosures by publicly listed firms remain scant. Moreover, a qualitative analysis of five major cases, as well as a systematic analysis of security price reactions upon the announcement of breaches, shows that the effect on stock prices is very limited. We do not observe strong reactions after the breaches. A “Diff-in-Diff” analysis reveals that the changes in operational performance, in executive departure likelihood, in shareholder clientele or in the amount of disclosure do not differ from the changes in a matched sample of firms that were not breached. This lack of reaction is inconsistent with a market or regulatory failure associated with the poor disclosure on cyber-risk.
