Resumen de How Disclosing a Prior Cyberattack Influences the Efficacy of Cybersecurity Risk Management Reporting and Independent Assurance.

Michele L. Frank, Jonathan H. Grenier, Jonathan S. Pyzoha

• This paper provides evidence that the efficacy of voluntary cybersecurity risk management reporting and independent assurance, in terms of enhancing investment attractiveness, depends on whether a company has disclosed a prior cyberattack. Based on the voluntary disclosure literature, we predict and find that issuing the management component of the AICPA's cybersecurity reporting framework absent assurance is more effective when a company has not (versus has) disclosed a prior cyberattack, as nonprofessional investors are less likely to question the reliability of management's reporting. However, obtaining third party assurance of management's report provides a greater benefit for companies that have (versus have not) disclosed a prior cyberattack, as these companies benefit more from the reliability enhancement of assurance. Finally, we find it may be possible to enhance a company's investment attractiveness by issuing the independent assurance report by itself. Our results have implications for companies' cybersecurity risk management reporting and assurance decisions. Data Availability: Data are available upon request. [ABSTRACT FROM AUTHOR]