Timely Cybersecurity Disclosure and Information Manipulation

Published Online: https://doi.org/10.1287/mnsc.2023.01058

Regulators have increasingly mandated firms to promptly disclose material cybersecurity incidents upon discovering these incidents. We find suggestive evidence indicating that some firms manipulate the discovery date (“misreport”) of a cybersecurity incident to postpone the disclosure of the incident, as evidenced by a pronounced spike in insider sales before the reported discovery date. We also find that misreporting is more prevalent among firms with weak internal control systems, when firms face low litigation risk, and when firms have greater pressure to meet a disclosure deadline. Further, firms suspected of misreporting tend to disclose their remedial actions and assert the restoration of business, mitigating negative market reactions upon disclosure of incidents. Collectively, our results suggest that firms might strategically misreport information about a cybersecurity incident to delay disclosure to gain additional time for remedial actions, which helps them prevent exposing vulnerabilities to malicious actors and alleviate stakeholder anxiety.

This paper was accepted by Eric So, accounting.

Supplemental Material: The online appendix and data files are available at https://doi.org/10.1287/mnsc.2023.01058.
