Asymmetric Learning Effects of Chief Information Officer Outside Board Appointments: Cybersecurity Implications for Sender and Receiver Firms
Abstract
As cybersecurity becomes a critical board-level concern, public companies increasingly appoint chief information officers (CIOs) from other firms to their boards to enhance organizational learning. Drawing on the board interlock literature, we examine two pathways through which such appointments influence a firm’s cybersecurity learning: (a) the receiver pathway, where a firm appoints a CIO from another company and gains external cybersecurity expertise; and (b) the sender pathway, where a firm’s own CIO serves on an outside board and potentially brings back valuable insights. We consider the conditions that enable or constrain learning in each pathway and how these affect a firm’s data breach risk. Leveraging a panel data set of 17,227 CIO-firm-year-level observations (2005–2022), we find that sender firms—those whose CIOs serve on external boards—experience a significant increase in breach probability. In contrast, receiver firms—those appointing outside CIOs—see a significant decrease in breach probability. Further mechanism analyses show that these outcomes are shaped by heterogeneity in the cybersecurity practices of both sender and receiver firms. Sender firms face increased breach risk when the receiver firm lacks strong cybersecurity emphasis or has a breach history. This risk is mitigated if the sender firm has a chief information security officer (CISO) on its top management team. Receiver firms benefit when the sender firm emphasizes cybersecurity, but also when it has had a past breach. This latter finding diverges from typical contagion effects in the interlock literature, suggesting that negative cybersecurity events may serve as valuable learning opportunities. We attribute these asymmetric effects to the CIO’s unique role in interlocks. Unlike other executives, CIOs often act as deeply engaged educators and hands-on problem solvers in cybersecurity on the boards they join. 
Their focus on knowledge dissemination over acquisition, alongside their ongoing operational responsibilities within their home firm, appears to negate potential sender-side learning benefits. Our findings inform firms' decisions about recruiting outside CIOs to their boards and permitting internal CIOs to join external boards, and they guide policymakers aiming to strengthen cybersecurity expertise on corporate boards.
History: Kenneth Hsing Cheng, Senior Editor; Ling Xue, Associate Editor.
Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2024.1003.

