Is Prevention Better Than Cure? Effects of Cyber Risk Disclosures on Shareholder Response to Breaches

The rising digitalization of corporations has exposed shareholders to a significant financial downfall if a cyber risk materializes. Consequently, corporations are increasingly expected to disclose more information about these risks. Although such disclosures provide greater transparency into the firms’ management of cyber risks and are often viewed favorably, strategy literature suggests they can also shape how shareholders respond to subsequent failures in firms’ cyber risk management. As such, this study examines how the disclosure of preventive and mitigative cyber risk management strategies influences shareholder responses to subsequent breach incidents. Conflicting theoretical perspectives explaining these effects emerge from agency theory and prospect theory. Based on an event analysis of 1,912 breaches affecting public corporations, we find robust support for the shareholders’ loss aversion explanation offered by the prospect theory. Our baseline findings indicate that breach incidents negatively affect firms’ stock returns. More importantly, a prior emphasis on preventive cyber risk management strategies reduces these negative effects, whereas an emphasis on mitigative strategies increases them. Additional analyses exploring the underlying theoretical mechanism, boundary conditions, and endurance of these effects reveal that (i) these findings indeed stem from shareholders’ loss aversion, (ii) the effects diminish when disclosures show strong signs of impression management, and (iii) the effects are fairly durable over a one-year horizon. Overall, our research demonstrates that cyber risk disclosures not only enhance corporate transparency but also hold significant strategic value, enabling managers to mitigate the adverse economic impact of breaches, which deprives affected firms of crucial capital resources at a time when those resources are most needed.

History: Olivia Sheng, Senior Editor; Jianqing Chen, Associate Editor.

Funding: This work was supported by the Scotia Bank and the Social Sciences and Humanities Research Council of Canada.

Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2022.0405.