IDEAS home Printed from https://ideas.repec.org/a/eee/reecon/v76y2022i2p131-140.html
   My bibliography  Save this article

The determinants of cybersecurity risk disclosure in firms’ financial reporting: Empirical evidence

Author

Listed:
  • Masoud, Najeb
  • Al-Utaibi, Ghassan

Abstract

This paper examines the relationship between cybersecurity risk disclosure and financial reporting deficiencies. Using a difference-in-difference approach based on a large, matched sample of breached and non-breached US firms for the period 2006 to 2016, a differential effect is seen between cybersecurity risk disclosures in pre- and post-Breach financial reporting related to cybersecurity incidents. The association between the cybersecurity risk disclosure and subsequent reported financial deficiencies is positive and significant, providing some evidence for regulators that more firm-specific disclosure may provide increased audit quality, to which the auditor responds by increasing audit effort. The empirical findings suggest that firms with prior cybersecurity risk disclosures are more likely to experience financial reporting deficiencies. The results obtained are robust to a variety of sensitivity checks.

Suggested Citation

  • Masoud, Najeb & Al-Utaibi, Ghassan, 2022. "The determinants of cybersecurity risk disclosure in firms’ financial reporting: Empirical evidence," Research in Economics, Elsevier, vol. 76(2), pages 131-140.
    • Handle: RePEc:eee:reecon:v:76:y:2022:i:2:p:131-140
    DOI: 10.1016/j.rie.2022.07.001
    as

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1090944322000163
    Download Restriction: Full text for ScienceDirect subscribers only
    File URL: https://libkey.io/10.1016/j.rie.2022.07.001?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Chris E. Hogan & Michael S. Wilkins, 2008. "Evidence on the Audit Risk Model: Do Auditors Increase Audit Fees in the Presence of Internal Control Deficiencies?," Contemporary Accounting Research, John Wiley & Sons, vol. 25(1), pages 219-242, March.
    2. Benaroch, Michel & Chernobai, Anna & Goldstein, James, 2012. "An internal control perspective on the market value consequences of IT operational risk events," International Journal of Accounting Information Systems, Elsevier, vol. 13(4), pages 357-381.
    3. John Ziyang Zhang & Yangxin Yu, 2016. "Does Board Independence Affect Audit Fees? Evidence from Recent Regulatory Reforms," European Accounting Review, Taylor & Francis Journals, vol. 25(4), pages 793-814, October.
    4. Md. Shariful Islam & Nusrat Farah & Thomas F. Stafford, 2018. "Factors associated with security/cybersecurity audit by internal audit function," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 377-409, April.
    5. Austen, Lizabeth A. & Eilifsen, Aasmund & Messier Jr., William F., 2004. "Auditor Detected Misstatements and the Effect of Information Technology," Discussion Papers 2004/1, Norwegian School of Economics, Department of Business and Management Science.
    6. Esther Gal-Or & Anindya Ghose, 2005. "The Economic Incentives for Sharing Security Information," Information Systems Research, INFORMS, vol. 16(2), pages 186-208, June.
    7. Chernobai, Anna & Jorion, Philippe & Yu, Fan, 2011. "The Determinants of Operational Risk in U.S. Financial Institutions," Journal of Financial and Quantitative Analysis, Cambridge University Press, vol. 46(6), pages 1683-1725, December.
    8. Saini Das & Arunabha Mukhopadhyay & Manoj Anand, 2012. "Stock Market Response to Information Security Breach: A Study Using Firm and Attack Characteristics," Journal of Information Privacy and Security, Taylor & Francis Journals, vol. 8(4), pages 27-55, October.
    9. Hausken, Kjell, 2006. "Income, interdependence, and substitution effects affecting incentives for security investment," Journal of Accounting and Public Policy, Elsevier, vol. 25(6), pages 629-665.
    10. Doyle, Jeffrey & Ge, Weili & McVay, Sarah, 2007. "Determinants of weaknesses in internal control over financial reporting," Journal of Accounting and Economics, Elsevier, vol. 44(1-2), pages 193-223, September.
    11. Eli Amir & Shai Levi & Tsafrir Livne, 2018. "Do firms underreport information on cyber-attacks? Evidence from capital markets," Review of Accounting Studies, Springer, vol. 23(3), pages 1177-1206, September.
    12. Gordon, Lawrence A. & Loeb, Martin P. & Lucyshyn, William & Sohail, Tashfeen, 2006. "The impact of the Sarbanes-Oxley Act on the corporate disclosures of information security activities," Journal of Accounting and Public Policy, Elsevier, vol. 25(5), pages 503-530.
    13. Rick Johnston & Reining Petacchi, 2017. "Regulatory Oversight of Financial Reporting: Securities and Exchange Commission Comment Letters," Contemporary Accounting Research, John Wiley & Sons, vol. 34(2), pages 1128-1155, June.
    14. Pierangelo Rosati & Fabian Gogolin & Theo Lynn, 2019. "Audit Firm Assessments of Cyber-Security Risk: Evidence from Audit Fees and SEC Comment Letters," The International Journal of Accounting (TIJA), World Scientific Publishing Co. Pte. Ltd., vol. 54(03), pages 1-56, September.
    15. Anat Hovav & John D'Arcy, 2003. "The Impact of Denial‐of‐Service Attack Announcements on the Market Value of Firms," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 6(2), pages 97-121, September.
    16. Xue Wang, 2010. "Increased Disclosure Requirements and Corporate Governance Decisions: Evidence from Chief Financial Officers in the Pre‐ and Post–Sarbanes‐Oxley Periods," Journal of Accounting Research, Wiley Blackwell, vol. 48(4), pages 885-920, September.
    17. Rosati, Pierangelo & Deeney, Peter & Cummins, Mark & van der Werff, Lisa & Lynn, Theo, 2019. "Social media and stock price reaction to data breach announcements: Evidence from US listed companies," Research in International Business and Finance, Elsevier, vol. 47(C), pages 458-469.
    18. Tawei Wang & Karthik N. Kannan & Jackie Rees Ulmer, 2013. "The Association Between the Disclosure and the Realization of Information Security Risk Factors," Information Systems Research, INFORMS, vol. 24(2), pages 201-218, June.
    19. Wang, Tawei & Hsu, Carol, 2013. "Board composition and operational risk events of financial institutions," Journal of Banking & Finance, Elsevier, vol. 37(6), pages 2042-2051.
    20. Carol Hsu & Jae-Nam Lee & Detmar W. Straub, 2012. "Institutional Influences on Information Systems Security Innovations," Information Systems Research, INFORMS, vol. 23(3-part-2), pages 918-939, September.
    21. repec:cup:jfinqa:v:46:y:2011:i:06:p:1683-1725_00 is not listed on IDEAS
    22. Gordon, Lawrence A. & Loeb, Martin P. & Lucyshyn, William, 2003. "Sharing information on computer systems security: An economic analysis," Journal of Accounting and Public Policy, Elsevier, vol. 22(6), pages 461-485.
    23. Paul Hribar & D. Craig Nichols, 2007. "The Use of Unsigned Earnings Quality Measures in Tests of Earnings Management," Journal of Accounting Research, Wiley Blackwell, vol. 45(5), pages 1017-1053, December.
    24. Xia Chen & Qiang Cheng & Alvis K. Lo, 2013. "Accounting Restatements and External Financing Choices," Contemporary Accounting Research, John Wiley & Sons, vol. 30(2), pages 750-779, June.
    25. Palmrose, Zoe-Vonna & Richardson, Vernon J. & Scholz, Susan, 2004. "Determinants of market reactions to restatement announcements," Journal of Accounting and Economics, Elsevier, vol. 37(1), pages 59-89, February.
    26. DeAngelo, Linda Elizabeth, 1981. "Auditor size and audit quality," Journal of Accounting and Economics, Elsevier, vol. 3(3), pages 183-199, December.
    27. Ilia D. Dichev & Douglas J. Skinner, 2002. "Large–Sample Evidence on the Debt Covenant Hypothesis," Journal of Accounting Research, Wiley Blackwell, vol. 40(4), pages 1091-1123, September.
    28. DeFond, Mark L. & Jiambalvo, James, 1994. "Debt covenant violation and manipulation of accruals," Journal of Accounting and Economics, Elsevier, vol. 17(1-2), pages 145-176, January.
    29. Li, He & No, Won Gyun & Wang, Tawei, 2018. "SEC's cybersecurity disclosure guidance and disclosed cybersecurity risk factors," International Journal of Accounting Information Systems, Elsevier, vol. 30(C), pages 40-55.
    30. Mark L. Defond & Clive S. Lennox, 2017. "Do PCAOB Inspections Improve the Quality of Internal Control Audits?," Journal of Accounting Research, Wiley Blackwell, vol. 55(3), pages 591-627, June.
    31. Miles B. Gietzmann & Angela K. Pettinicchio, 2014. "External Auditor Reassessment of Client Business Risk Following the Issuance of a Comment Letter by the SEC," European Accounting Review, Taylor & Francis Journals, vol. 23(1), pages 57-85, May.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Agbodoh-Falschau, Kouassi Raymond & Ravaonorohanta, Bako Harinivo, 2023. "Investigating the influence of governance determinants on reporting cybersecurity incidents to police: Evidence from Canadian organizations’ perspectives," Technology in Society, Elsevier, vol. 74(C).

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Lin, Zhaoxin & Sapp, Travis R.A. & Ulmer, Jackie Rees & Parsa, Rahul, 2020. "Insider trading ahead of cyber breach announcements," Journal of Financial Markets, Elsevier, vol. 50(C).
    2. Oliver Henk, 2020. "Internal control through the lens of institutional work: a systematic literature review," Journal of Management Control: Zeitschrift für Planung und Unternehmenssteuerung, Springer, vol. 31(3), pages 239-273, September.
    3. Dechow, Patricia & Ge, Weili & Schrand, Catherine, 2010. "Understanding earnings quality: A review of the proxies, their determinants and their consequences," Journal of Accounting and Economics, Elsevier, vol. 50(2-3), pages 344-401, December.
    4. Casey, Ryan J. & Kaplan, Steven E. & Pinello, Arianna Spina, 2015. "Do auditors constrain benchmark beating behavior to a greater extent in the fourth versus interim quarters?," Advances in accounting, Elsevier, vol. 31(1), pages 1-10.
    5. Levitin, Gregory & Hausken, Kjell & Taboada, Heidi A. & Coit, David W., 2012. "Data survivability vs. security in information systems," Reliability Engineering and System Safety, Elsevier, vol. 100(C), pages 19-27.
    6. Syed Emad Azhar Ali & Fong-Woon Lai & Rohail Hassan & Muhammad Kashif Shad, 2021. "The Long-Run Impact of Information Security Breach Announcements on Investors’ Confidence: The Context of Efficient Market Hypothesis," Sustainability, MDPI, vol. 13(3), pages 1-27, January.
    7. Matthew Notbohm & Katherine Campbell & Adam R. Smedema & Tianming Zhang, 2019. "Management’s personal ideology and financial reporting quality," Review of Quantitative Finance and Accounting, Springer, vol. 52(2), pages 521-571, February.
    8. Michael McShane & Trung Nguyen, 2020. "Time-varying effects of cyberattacks on firm value," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 580-615, October.
    9. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    10. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    11. Mohamed Khalil & Aydin Ozkan, 2016. "Board Independence, Audit Quality and Earnings Management: Evidence from Egypt," Journal of Emerging Market Finance, Institute for Financial Management and Research, vol. 15(1), pages 84-118, April.
    12. Fung, Simon Y.K. & Goodwin, John, 2013. "Short-term debt maturity, monitoring and accruals-based earnings management," Journal of Contemporary Accounting and Economics, Elsevier, vol. 9(1), pages 67-82.
    13. Chantziaras, Antonios & Koulikidou, Kleopatra & Leventis, Stergios, 2021. "The power of words in capital markets: SEC comment letters on foreign issuers and the impact of home country enforcement," Journal of International Accounting, Auditing and Taxation, Elsevier, vol. 42(C).
    14. Li, He & No, Won Gyun & Wang, Tawei, 2018. "SEC's cybersecurity disclosure guidance and disclosed cybersecurity risk factors," International Journal of Accounting Information Systems, Elsevier, vol. 30(C), pages 40-55.
    15. Jian Cao & Feng Chen & Julia L. Higgs, 2016. "Late for a very important date: financial reporting and audit implications of late 10-K filings," Review of Accounting Studies, Springer, vol. 21(2), pages 633-671, June.
    16. Lu Wei & Jianping Li & Xiaoqian Zhu, 2018. "Operational Loss Data Collection: A Literature Review," Annals of Data Science, Springer, vol. 5(3), pages 313-337, September.
    17. Gil S. Bae & Seung UK Choi & Phillip T. Lamoreaux & Jae Eun Lee, 2021. "Auditors' Fee Premiums and Low‐Quality Internal Controls," Contemporary Accounting Research, John Wiley & Sons, vol. 38(1), pages 586-620, March.
    18. Todd D. Kravet & Sarah E. McVay & David P. Weber, 2018. "Costs and benefits of internal control audits: evidence from M&A transactions," Review of Accounting Studies, Springer, vol. 23(4), pages 1389-1423, December.
    19. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    20. Wanyi Chen & Ning Hu & Xiangfang Zhao, 2022. "Information asymmetry, regulatory inquiry, and company mergers and acquisitions: evidence from Shenzhen Stock Exchange comment letters," Accounting and Finance, Accounting and Finance Association of Australia and New Zealand, vol. 62(2), pages 2497-2542, June.

    More about this item

    Keywords

    Cybersecurity; Cybersecurity risk disclosure; Financial reporting; Data breaches;
    All these keywords.

    JEL classification:

    • G14 - Financial Economics - - General Financial Markets - - - Information and Market Efficiency; Event Studies; Insider Trading
    • G15 - Financial Economics - - General Financial Markets - - - International Financial Markets
    • G31 - Financial Economics - - Corporate Finance and Governance - - - Capital Budgeting; Fixed Investment and Inventory Studies
    • C52 - Mathematical and Quantitative Methods - - Econometric Modeling - - - Model Evaluation, Validation, and Selection

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:reecon:v:76:y:2022:i:2:p:131-140. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu (email available below). General contact details of provider: http://www.elsevier.com/locate/inca/622941 .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.