Advertisement

Review of Accounting Studies

, Volume 23, Issue 3, pp 1177–1206 | Cite as

Do firms underreport information on cyber-attacks? Evidence from capital markets

  • Eli Amir
  • Shai Levi
  • Tsafrir Livne
Article
  • 637 Downloads

Abstract

Firms should disclose information on material cyber-attacks. However, because managers have incentives to withhold negative information, and investors cannot discover most cyber-attacks independently, firms may underreport them. Using data on cyber-attacks that firms voluntarily disclosed, and those that were withheld and later discovered by sources outside the firm, we estimate the extent to which firms withhold information on cyber-attacks. We find withheld cyber-attacks are associated with a decline of approximately 3.6% in equity values in the month the attack is discovered, and disclosed attacks with a substantially lower decline of 0.7%. The evidence is consistent with managers not disclosing negative information below a certain threshold and withholding information on the more severe attacks. Using the market reactions to withheld and disclosed attacks, we estimate that managers disclose information on cyber-attacks when investors already suspect a high likelihood (40%) of an attack.

Keywords

Cyber attacks Data breaches Disclosure 

Jel classification

M41 G14 

Notes

Acknowledgments

We thank Peter Easton (Editor), Eti Einhorn, Tsahi Versano, two anonymous referees, and seminar participants at the 2017 American Accounting Association annual meeting in San Diego, 2017 European Accounting Association annual meeting in Valencia, Bar Ilan University, Ben Gurion University, ESSEC, Exeter University, Hebrew University of Jerusalem, INSEAD, University of Padua, and Tel Aviv University for useful comments. We also thank the Blavatnik Interdisciplinary Cyber Research Center, the Jeremy Coller Foundation, and Henry Crown Institute of Business Research for financial support.

References

  1. Amir, E., & Ziv, A. (1997). Recognize, disclose or delay; Timing the adoption of SFAS No. 106. Journal of Accounting Research, 35(Spring), 61–81.CrossRefGoogle Scholar
  2. Baginski, S. P., Campbell, J. L., Hinson, L. A., & Koo, D. S. (2018). Do career concerns affect the delay of bad news disclosure? The Accounting Review, 93(2), 61–95.CrossRefGoogle Scholar
  3. Bebchuk, L., Cohen, A., & Ferrell, A. (2009). What matters in corporate governance? Review of Financial Studies, 22(2), 783–827.CrossRefGoogle Scholar
  4. Campbell, K., Gordon, L., Loeb, M., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 11, 431–448.CrossRefGoogle Scholar
  5. Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9, 69–104.CrossRefGoogle Scholar
  6. Chambers, A., & Penman, S. (1984). Timeliness of reporting and the stock price reaction to earnings announcements. Journal of Accounting Research, 22(1), 21–47.CrossRefGoogle Scholar
  7. Chernick, M. (2007). Bootstrap methods: A guide for practitioners and researchers (2nd ed.). New York: Wiley.CrossRefGoogle Scholar
  8. Coles, J. L., Daniel, N. D., & Naveen, L. (2006). Managerial incentives and risk-taking. Journal of Financial Economics, 79, 431–468.CrossRefGoogle Scholar
  9. Daniel, K., Grinblatt, M., Titman, S., & Wermers, R. (1997). Measuring mutual fund performance with characteristic‐based benchmarks. Journal of Finance, 52(3), 1035–1058.Google Scholar
  10. Dye, R. (1985). Disclosure of nonproprietary information. Journal of Accounting Research, 23(1), 123–145.CrossRefGoogle Scholar
  11. Ettredge, M., & Richardson, V. (2003). Information transfer among internet firms: The case of acker attacks. Journal of Information Systems, 17, 71–82.CrossRefGoogle Scholar
  12. Fama, E., & French, K. (1996). The CAPM is wanted, dead or alive. Journal of Finance, 51(5), 1947–1958.Google Scholar
  13. Ge, W., & McVay, S. (2005). The disclosure of material weaknesses in internal control after the Sarbanes-Oxley Act. Accounting Horizons, 19(3), 137–158.CrossRefGoogle Scholar
  14. Gordon, L. A., Loeb, M. P., & Sohail, T. (2010). Market value of voluntary disclosures concerning information security. MIS Quarterly, 34, 567–594.CrossRefGoogle Scholar
  15. Gordon, L., Loeb, M., & Zhou, L. (2011). The impact of information security breaches: Has there been a downward shift in costs? Journal of Computer Security, 19, 33–56.CrossRefGoogle Scholar
  16. Grossman, S. (1981). The informational role of warranties and private disclosure about product quality. Journal of Law and Economics, 24(3), 461–483.Google Scholar
  17. Grossman, S., & Hart, O. (1980). Disclosure laws and takeover bids. Journal of Finance, 35(2), 323–334.Google Scholar
  18. Heckman, J. (1979). Sample selection bias as a specification error. Econometrica, 47(1), 153–161.CrossRefGoogle Scholar
  19. Hilary, G., Segal, B., & Zhang, M. (2016). Cyber-risk disclosure: Who cares? Georgetown McDonough School of Business Research Paper No. 2852519, p. 59.Google Scholar
  20. Hovav, A., & D’Arcy, J. (2003). The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review, 6, 97–121.CrossRefGoogle Scholar
  21. Jung, W., & Kwon, Y. (1988). Disclosure when the market is unsure of information endowment of managers. Journal of Accounting Research, 26(1), 146–153.CrossRefGoogle Scholar
  22. Kannan, A., Rees, J., & Shridhar, S. (2007). Market reactions to information security breach announcements: An empirical analysis. International Journal of Electronic Commerce, 12, 69–91.CrossRefGoogle Scholar
  23. Kasznik, R., & Lev, B. (1995). To warn or not to warn: Management disclosures in the face of an earnings surprise. Accounting Review, 70(1), 113–134.Google Scholar
  24. Kothari, S. P., Shu, S., & Wysocki, P. (2009). Do managers withhold bad news? Journal of Accounting Research, 47(1), 241–276.CrossRefGoogle Scholar
  25. Kvochko, E., & Pant, R. (2015). Why data breaches don’t hurt stock prices. Harvard Business Review, March, 31, 2015.Google Scholar
  26. Levitt, A. (1998). The numbers game. The CPA Journal, 68(12), 14–19.Google Scholar
  27. Rosenblatt, B. (1999). Principles of jurisdiction. Harvard University, Berkman Klein Center for Internet & Society. Retrieved from https://cyber.harvard.edu.
  28. Securities and Exchange Commission (2011). Division of corporation finance, CF disclosure guidance, Topic no. 2 – Cybersecurity, October 13, 2011. Securities and Exchange Commission. Retrieved from http://www.sec.gov.
  29. Securities and Exchange Commission (2018). Commission statement and guidance on public company cybersecurity disclosures, February 26, 2018. Securities and Exchange Commission. Retrieved from http://www.sec.gov.
  30. Skinner, D. (1994). Why firms voluntarily disclose bad news? Journal of Accounting Research, 32(1), 38–60.CrossRefGoogle Scholar
  31. Skinner, D. (1997). Earnings disclosures and stockholder lawsuits. Journal of Accounting and Economics, 23, 249–282.CrossRefGoogle Scholar
  32. Southwell, A., Vandevelde, E., Bergsieker, R., & Bisnar-Maute, J. (2017). Gibson Dunn Reviews U.S. Cybersecurity and Data Privacy, February 3, 2017. The CLS Blue Sky Blog, Columbia Law School. Retrieved from http://clsbluesky.law.columbia.edu.
  33. Spanos, G., & Angelis, L. (2016). The impact of information security events on the stock market: A systematic literature review. Computers & Security, 58, 216–229.CrossRefGoogle Scholar
  34. Verizon Enterprise Solutions (2015). Verizon 2015 Data Breach Investigations Report. Verizon Enterprise Solutions. Retrieved from http://www.verizonenterprise.com.
  35. White, M. J. (2014). Opening Statement at SEC Roundtable on Cybersecurity, March 26, 2014. Securities and Exchange Commission. Retrieved from http://www.sec.gov.

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Coller School of ManagementTel Aviv UniversityTel AvivIsrael
  2. 2.Kenan-Flagler Business SchoolUniversity of North CarolinaChapel HillUnited States

Personalised recommendations