Implications of Enhanced Cybersecurity Risk Management Reporting and Independent Assurance

According to the World Economic Forum (WEF) (2022), cybersecurity risk is the most immediate and financially material sustainability risk that organizations face. Companies experience significant financial and reputational losses in the market after a cyberattack. However, companies are only required to disclose a trivial amount of information about their cybersecurity risk management efforts (SEC 2014; Newman 2018). This paper summarizes Frank, Grenier, and Pyzoha (2019), which examines whether voluntarily providing additional disclosures regarding a company's cybersecurity efforts, with or without assurance, increases investment attractiveness. Absent assurance, voluntary disclosures about the nature and effectiveness of cybersecurity efforts are sufficient to increase investment attractiveness for companies that have not (versus have) disclosed a prior cyberattack, as investors are less likely to question the disclosure's reliability. Assurance provides a greater benefit to companies that have (versus have not) disclosed a prior cyberattack, as they benefit more from the reliability enhancement of assurance.