Talk too much? The Impact of Cybersecurity Disclosures on Investment Decisions
Xu Cheng, Carol Hsu, Tawei Wang
Abstract
High-profile cybersecurity breaches have raised concerns regarding how organizations disclose security management information to the public. The American Institute of Certified Public Accountants (AICPA) developed a cybersecurity risk management (CSRM) reporting framework to better help organizations convey their cybersecurity programs to the public. In this article, we attempt to provide evidence of how cybersecurity disclosures, as developed by AICPA, affect investment decisions. Our findings suggest that nonprofessional investors are less likely to invest in breached firms with the disclosure of CSRM reports alone. Disclosing the risk management report with an independent assurance report does not result in the mitigation of the negative impact of security breach news. We discuss the corresponding implications.