Study of companies that endure a hack.
Data breaches have become more common, more severe, and costlier to remedy over the past few decades. Accounting professors Jing Chen and Elaine Henry, with research associate Xi Jiang, consider whether and how public companies change their disclosure of cybersecurity risk factors after suffering a data breach. The sample set included 279 one-year periods in which a company suffered a data breach, matched with 277 one-year control periods in which another company did not. Matching was based on the companies' Standard Industrial Classification codes and total assets. The SEC began requiring risk-factor disclosure in Item 1A of Form 10-K on December 1, 2005 (as well as in 10-Qs), so all the one-year periods fall between 2006 and 2018. Of the 205 breached companies, 154 (75.1%) had one breach and 51 (24.9%) had more than one. Post-breach disclosure was measured by counting cybersecurity-risk keywords on a list the authors constructed by borrowing from and adding to earlier researchers' lists. Breach severity was measured by the stock-price reaction over the three days from the day before a company announced a breach to the day after.
Disclosure after breaches is a cut above.
The data support the authors' first hypothesis: breached companies increased their disclosure of cybersecurity risk factors more than the matched, non-breached companies did. Disclosure of risk factors was rising among all companies, but over the window spanning a breached company's pre-breach and post-breach years, the disclosure of its matched, non-breached counterpart rose only modestly. The data also support the authors' second hypothesis: breached companies increased their disclosure significantly more after a severe breach than after a slight one. Furthermore, the greater the media coverage of a breach, the greater the increase in disclosure was likely to be. The authors find that the SEC's 2011 guidance on disclosing cybersecurity risk factors led to sharp increases in post-breach disclosure by both breached and matched, non-breached companies, although the disclosure gap between them remained.
Angry investors tend to chop stock prices.
Another aspect of the study was whether the stock market punishes a company's reduction in disclosure of cybersecurity risk factors. The authors determine that investors did not substantially lower the stock price when a non-breached company reduced disclosure; they did respond, however, when a breached company reduced it, which the authors attribute to investors expecting more disclosure after a breach. While investors seem to take the severity of a breach into account when lowering the stock price at the time of the company's announcement of the breach, they do not seem to do so at the time of the company's subsequent reduction in disclosure.
Issuers aim to pare the information deficit.
The authors considered three possible motivations for management to augment disclosure of cybersecurity risk factors after a data breach. They found no evidence that the motivation was to head off litigation by disgruntled stockholders. Instead, the predominant motivation was to increase transparency and therefore stockholders' confidence in the information they received. The third motivation, which ranked between the other two in importance, was to deter future attackers by signaling that management had implemented a dynamic cybersecurity strategy that would raise the cost of pulling off a data breach.
The full article appears in Dimensions Vol. 2021, No. 2.
Abstracted from: Is Cybersecurity Risk Factor Disclosure Informative? Evidence From Disclosures Following a Data Breach
By Prof. Jing Chen, Prof. Elaine Henry, and Xi Jiang
Stevens Institute of Technology
SSRN, February 18, 2021