Do firms underreport information on cyber-attacks? Evidence from capital markets
Firms should disclose information on material cyber-attacks. However, because managers have incentives to withhold negative information, and investors cannot discover most cyber-attacks independently, firms may underreport them. Using data on cyber-attacks that firms voluntarily disclosed, and those that were withheld and later discovered by sources outside the firm, we estimate the extent to which firms withhold information on cyber-attacks. We find withheld cyber-attacks are associated with a decline of approximately 3.6% in equity values in the month the attack is discovered, and disclosed attacks with a substantially lower decline of 0.7%. The evidence is consistent with managers not disclosing negative information below a certain threshold and withholding information on the more severe attacks. Using the market reactions to withheld and disclosed attacks, we estimate that managers disclose information on cyber-attacks when investors already suspect a high likelihood (40%) of an attack.
Keywords: Cyber attacks, Data breaches, Disclosure
JEL classification: M41, G14
We thank Peter Easton (Editor), Eti Einhorn, Tsahi Versano, two anonymous referees, and seminar participants at the 2017 American Accounting Association annual meeting in San Diego, 2017 European Accounting Association annual meeting in Valencia, Bar Ilan University, Ben Gurion University, ESSEC, Exeter University, Hebrew University of Jerusalem, INSEAD, University of Padua, and Tel Aviv University for useful comments. We also thank the Blavatnik Interdisciplinary Cyber Research Center, the Jeremy Coller Foundation, and Henry Crown Institute of Business Research for financial support.