This article discusses a recent study titled “Do voluntary disclosures mitigate the cybersecurity breach contagion effect?” (Kelton and Pennington 2020). The study finds voluntary cybersecurity disclosures can provide firms protection from contagion effects, a phenomenon where the negative impact of a cybersecurity breach at an industry peer firm spills over to other bystander firms in the same industry. This article offers practical implications of the study for financial reporting executives, boards of directors, and auditors.
Cybersecurity incidents result in significant negative financial and reputational consequences for both breached firms and non-breached firms in the same industry, a phenomenon known as contagion effects.[1] The rise in the frequency and costs of these incidents has made cybersecurity a top concern of the business community. Corporate executives and boards of directors are devoting significant resources toward managing cybersecurity risks (EY 2018) and reporting on risk management efforts (EY 2020). Auditors price cybersecurity incidents into audit fees (Li, No, and Boritz 2020) and consider cybersecurity risks during risk assessment (Hamm 2019). The AICPA (2017a) issued a voluntary disclosure framework to encourage firms to provide timely information to stakeholders about their cybersecurity risk management efforts.
A recent study, “Do voluntary disclosures mitigate the cybersecurity breach contagion effect?” (Kelton and Pennington 2020), investigates the impact of the AICPA's (2017a) framework on investor judgments. The study finds disclosures about cybersecurity risk management efforts provide firms protection from contagion effects. That is, when a breach occurs at an industry peer firm, investors view a non-breached firm that provides cybersecurity disclosures (either before or after the breach announcement) more positively than one that does not provide cybersecurity disclosures. The current article discusses this study and the practical implications for financial reporting executives, boards of directors, and auditors.
Cybersecurity is a key risk impacting the global economy (Center for Audit Quality 2017; EY 2019). Firms experiencing a cybersecurity breach suffer substantial financial and reputational losses (Ettredge and Richardson 2003; Wang, Kannan, and Ulmer 2013). In 2019, the average cost of a cybersecurity breach to a U.S. firm was $8.19 million (IBM Security 2019) and the total cost of cybercrimes is estimated to reach $6 trillion globally by 2025 (Cybersecurity Ventures 2017).
The negative consequences of a breach extend beyond the breached firm. For example, when Target Corporation announced its customer data breach in 2013, other retailers also experienced a significant loss in shareholder value (Kashmiri, Nicol, and Hsu 2017). This phenomenon is called a contagion effect, where the negative consequences of a crisis at one firm spill over to other firms in the same industry (Ettredge and Richardson 2003; Hinz, Nofer, Schiereck, and Trillig 2015; Kashmiri et al. 2017).
Investors view cybersecurity as one of the greatest threats to firms' strategic success. In response, firms are enhancing their cybersecurity disclosures to build stakeholder trust and to provide transparency around their abilities to detect and respond to cybersecurity incidents (EY 2020). To guide firms in these efforts, the AICPA (2017a) issued a voluntary cybersecurity risk management reporting framework that provides a “common language” and a “consistent, market-based mechanism” for communicating corporate cybersecurity risk management efforts (AICPA 2017b). The AICPA's (2017a) framework goes beyond the SEC's (2011, 2018) requirements that firms report material cybersecurity risks, incidents, and related controls.[2] The AICPA framework suggests disclosure of: (1) a narrative description of the firm's cybersecurity risk management program,[3] (2) management's assertion regarding the effectiveness of cybersecurity controls, and (3) the auditor's opinion on management's disclosures and the effectiveness of the firm's controls (AICPA 2017a). Cybersecurity disclosures should be provided if they “could reasonably be expected to influence users' decisions” (i.e., materiality; AICPA 2017a, par. 15).
Voluntary disclosures should help investors better understand firms' cybersecurity risk management efforts. However, the usefulness of these disclosures depends on factors such as the quality and relevance of the disclosures (Gordon, Loeb, and Sohail 2010), industry characteristics (Gordon et al. 2010), and whether the firm has suffered a cybersecurity incident (Frank, Grenier, and Pyzoha 2019). An important unanswered question is whether individual investors value cybersecurity disclosures provided by a non-breached firm when a firm in the same industry suffers a breach. In other words, can voluntary cybersecurity disclosures provide protection from contagion effects?
Understanding individual investors' reactions to cybersecurity disclosures is important for several reasons. Extant contagion effects research investigates reactions of the market as a whole, which includes professional and individual (nonprofessional) investors (Ettredge and Richardson 2003; Hinz et al. 2015; Kashmiri et al. 2017). A recent survey of individual investors reports cybersecurity matters are important to them, with 84 percent saying that cybersecurity incidents influence their investment decisions (Center for Audit Quality 2017). Additionally, regulators frequently note their goals of better understanding individual investor decision making and providing investor protections (Cox 2005; White 2014). Many of the recent disclosure reforms are thus focused on improving the information environment for individual investors. However, research suggests individual investors often disregard firms' disclosures (Pennington and Kelton 2016). Accordingly, investigating individual investor reactions to cybersecurity disclosures is an important area of academic research.
Contagion effects occur when the consequences of a negative event at one firm, such as a cybersecurity breach, spill over to bystander firms in the same industry (Ettredge and Richardson 2003; Hinz et al. 2015; Kashmiri et al. 2017). Investors punish bystander firms for the negative event because they believe the bystander firms are “guilty by association” (Lange, Lee, and Dai 2011, 181) and/or that the event is an industry-wide problem (Paruchuri and Misangyi 2015), making it likely that bystander firms will suffer similar outcomes (Kashmiri et al. 2017).
Even though there is evidence of contagion effects following a breach (Ettredge and Richardson 2003; Hinz et al. 2015; Kashmiri et al. 2017), recent research suggests the opposite effect may occur—bystander firms may benefit from a breach at an industry peer firm. Jeong, Lee, and Lim (2019) report competition effects—a phenomenon where non-breached firms are viewed more positively by investors following a breach (because they did not suffer the same fate as the breached firm) and are thus able to gain market power from the breached firm. Accordingly, Kelton and Pennington (2020) first investigate whether a cybersecurity breach at an industry peer firm will lead to investment contagion effects.
Potential strategies to minimize contagion effects are thus an important consideration for bystander firms. One such strategy is to differentiate themselves in some way from the breached firm. For example, firms that distinguish themselves with stronger governance and self-regulatory structures (Kang 2008; Paruchuri and Misangyi 2015) or by having CIOs in their top management teams (Kashmiri et al. 2017) experience smaller contagion effects than other firms. Higgs, Pinsker, Smith, and Young (2016) suggest a board-level technology committee signals to investors that the firm is well-positioned to detect and respond to security breaches. Consistent with this idea, Higgs et al. (2016) find the negative market reaction to a breach is less severe for firms with technology committees than for those without. Given the increased emphasis on cybersecurity disclosure mentioned above, Kelton and Pennington (2020) investigate whether such disclosures help protect firms from contagion effects.
According to signaling theory, firms can use voluntary disclosures to signal important, yet typically unobservable, information to stakeholders and to differentiate themselves from other firms (Healy and Palepu 2001). Based on this notion, Kelton and Pennington (2020) propose that a company can use voluntary disclosures to signal to investors that it has effective cybersecurity controls in place. This signal will provide protection from contagion effects when a breach occurs at an industry peer firm. According to Wang et al. (2013, 213): “There is a general consensus that breaches cannot be completely prevented. Given that, investors should have greater confidence in firms that take preventative action.” Kelton and Pennington (2020) next investigate whether cybersecurity disclosures will reduce the investment contagion effects experienced by a non-breached firm.
It is also important to consider whether the timing of cybersecurity disclosures matters. That is, will disclosures provided after the breach announcement also mitigate contagion effects? Following a crisis, companies often use communication strategies to restore trust and temper negative reactions to the event (Lee, Hutton, and Shu 2015). Thus, Kelton and Pennington (2020) also investigate whether cybersecurity disclosures provided after a breach announcement by an industry peer firm will reduce the investment contagion effects experienced by a non-breached firm.
The study conducted an experiment where 120 nonprofessional investor participants assumed the role of a potential investor in Advanced Tech, a hypothetical company in the mobile media devices industry. Participants were recruited using Amazon Mechanical Turk (MTurk).[4] Prior research finds MTurk participants are demographically similar to the population of nonprofessional investors and appropriate participants for accounting research on investor decision making (e.g., Frank et al. 2019; Owens and Hawkins 2019). Participants were prescreened and only those who were 18 years of age or older, consider themselves native English speakers, and have experience purchasing stock in individual companies could complete the study. Participants reported average professional work experience of 10.42 years. Participants also reported average experience investing and conducting financial statement analyses of 55.37 and 51.61, respectively, using 101-point scales anchored by (0) “no experience” and (100) “a lot of experience.” Thus, participants possessed the necessary knowledge and experience to complete an experimental task involving financial investment decisions.
Participants reviewed background information about the industry and excerpts from Advanced Tech's audited financial statements, which included cybersecurity disclosures in the financial statement footnotes.[5] Participants then rated the attractiveness and likelihood of purchasing the stock of Advanced Tech (initial measures). Next, participants viewed a press release about a cybersecurity breach at an industry peer firm and again rated the attractiveness and likelihood of purchasing the stock of Advanced Tech (revised measures). Finally, participants received a press release from Advanced Tech responding to the breach at the peer firm, which contained information similar to the cybersecurity footnote disclosure, and provided a final rating of the attractiveness and likelihood of purchasing the stock of Advanced Tech (final measures).
The study varied the content of the cybersecurity disclosures at three levels consistent with the AICPA (2017a) framework: no cybersecurity disclosures (“no disclosure”); a description of the firm's cybersecurity risk management program (“disclosure only”); and the same cybersecurity risk management program description plus management's assertion that cybersecurity controls were effective (“assertion”).[6]
The study finds evidence of both contagion effects and competition effects. Results show 46 percent (37 percent) of participants revised their attractiveness ratings (purchase intentions) upward (i.e., competition effects) following the breach announcement.
Figure 1 presents a graphical summary of the results, shown separately for the contagion effects group (negative news group) and the competition effects group (positive news group). The revised attractiveness and purchase measures (made after the breach announcement) were significantly lower (less positive) than the initial measures (made before the breach announcement). This result is found in all three disclosure conditions and provides strong evidence of investment contagion effects. As shown in Figure 1, the contagion effect was stronger than the competition effect: both graphs show a greater change (steeper slope) from the initial to the revised measure for the negative news group than for the positive news group.
In addition, cybersecurity footnote disclosures provided prior to the breach announcement lessen the contagion effect. For the negative news group, participants in the no disclosure condition demonstrated larger contagion effects than those in the disclosure only and assertion conditions. For the positive news group, there was minimal variation across disclosure conditions. Thus, cybersecurity disclosures provided prior to the breach announcement have little impact on competition effects.
Finally, results show cybersecurity disclosures in a press release issued after the breach announcement also lessen the contagion effect. For the negative news group, the final measures are higher (i.e., more positive) than the revised measures across the majority of the disclosure conditions. That is, investors revised their judgments upward after receiving the press release. This provides some evidence of a rebound effect due to the cybersecurity disclosures in the press release. For the positive news group, there was minimal variation across disclosure conditions due to the press release. Thus, cybersecurity disclosures provided after the breach announcement have little impact on competition effects.
Kelton and Pennington (2020) provide experimental evidence that companies are susceptible to contagion effects. That is, individual investors view non-breached firms in a less positive light after an industry peer firm experiences a cybersecurity breach. Importantly, firms can protect themselves from contagion effects by providing voluntary cybersecurity disclosures. The study's results show that disclosures provided both prior to and after the breach announcement mitigate contagion effects. Interestingly, the study finds contagion effects are not a foregone conclusion. Some investors actually found the breach announcement to be positive news for the non-breached firm. However, voluntary cybersecurity disclosures are less informative for these investors.
Firms have expressed concern that providing detailed cybersecurity disclosures may hand potential attackers a “roadmap” and lead to more breaches in the future (SEC 2018). The study's results offer an alternative viewpoint: cybersecurity disclosures can provide protection from negative events, specifically investment contagion effects.
A recent study of a sample of Fortune 100 firms found firms are enhancing their cybersecurity disclosures. For example, 92 percent of sample firms disclosed efforts used to mitigate cybersecurity risks and 62 percent disclosed information about cybersecurity response readiness (EY 2020). According to EY (2020), these disclosures “demonstrate accountability and engagement on this issue, and build stakeholder trust around how cybersecurity is prioritized, managed and overseen as a critical enterprise risk and strategy opportunity.” The study's results are consistent with this conclusion in that individual investors view a non-breached firm more positively when it provides enhanced cybersecurity disclosures. Firms should consider adopting the AICPA's (2017a) disclosure framework for these reasons.
Boards play an important role in overseeing management of cybersecurity issues, including determining disclosure strategies (Center for Audit Quality 2018; SEC 2018; EY 2020). Despite the requirements of the SEC (2011, 2018), many firms fail to provide timely disclosure of cybersecurity incidents (Amir, Levi, and Livne 2018). Of the 82 cybersecurity incidents occurring at public companies in 2017, only four companies made an 8-K disclosure of the incident (Jackson 2018). In 2019, 140 public companies disclosed a cybersecurity incident, but it took these firms on average 49 days to disclose the breach (Audit Analytics 2020). SEC Commissioner Robert J. Jackson, Jr. noted concerns related to the SEC (2011, 2018) guidance: “relies heavily on the judgments of corporate counsel to make sure investors get the information they need. I worry that these judgements have, too often, erred on the side of nondisclosure, leaving investors in the dark—and putting companies at risk” (Jackson 2018). Boards, in fulfilling their roles in cybersecurity oversight, should be interested in the economic value (i.e., protection from contagion effects) of the voluntary cybersecurity disclosures recommended by the AICPA (2017a) and should encourage their firms to provide these disclosures in a timely manner.
In a 2019 speech, PCAOB board member Kathleen Hamm encouraged auditors to consider cybersecurity risks and their related impacts on the financial statements during risk assessment (Hamm 2019). Additionally, in the Inspection Outlook for 2019 (PCAOB 2018), the PCAOB stated they will continue to evaluate the processes auditors use to identify cybersecurity risks. Auditors should thus consider cybersecurity risks when planning and performing the audit and can use their client's cybersecurity disclosures to better understand these risks (Li et al. 2020). Service organization controls (SOC) reports, or similar reports, may also provide insights to auditors regarding cybersecurity risks. Accordingly, auditors should recommend their issuer-clients adopt the AICPA's (2017a) disclosure framework.
[1] Li, No, and Boritz (2020, 153) define cybersecurity incidents as “cyber-attacks that are initiated by hackers to steal, tamper with, or destroy sensitive information in the cyber realm.” Data breaches may also result from issues unrelated to external cybersecurity concerns, such as stolen laptops or mobile devices, stolen stationary devices (e.g., servers), unintentional breaches, and physical loss (Higgs, Pinsker, Smith, and Young 2016).
[2] Specifically, the SEC (2011) states companies should include cybersecurity risks in their risk factor disclosures “if these issues are among the most significant factors that make an investment in the company speculative or risky.” Further, MD&A disclosure of cybersecurity matters is required if “the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition” (SEC 2011). The interpretive guidance (SEC 2018) also requires disclosure of any material cybersecurity matters, such as material cybersecurity risks and/or incidents, controls used to manage cybersecurity risks, and any litigation and remediation costs associated with prior cybersecurity incidents.
[3] A cybersecurity risk management program is “the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity's cybersecurity objectives” (AICPA 2017a, 1).
[4] Participants were compensated $2.00 for completing the study. Approval was granted from the university's Institutional Review Board.
[5] The content of the cybersecurity disclosures was based on the AICPA's (2017a) reporting framework. The AICPA (2017a) does not provide explicit guidance about the recommended location of cybersecurity disclosures. The experimental materials included the disclosures in the financial statement footnotes to ensure investor participants found the disclosures familiar and relatively easy to acquire (since such disclosures are presumably new to this group of novice investors).
[6] Kelton and Pennington (2020) did not provide participants with the auditor's opinion on management's cybersecurity disclosures. Although an expanded auditor report should improve the credibility of management's disclosures (Frank et al. 2019), and potentially provide additional mitigating effects, this is a matter for future research.
I thank Robin Pennington as co-author of the original research study. I also appreciate helpful feedback from the editor and two anonymous reviewers, Tammy Waymire, and Ya-wen Yang.
Andrea Seaton Kelton, Middle Tennessee State University, Jennings A. Jones College of Business, Department of Accounting, Murfreesboro, TN, USA.
Editor's note: Accepted by Denise Dickins.