Data breach disclosure laws are state-level disclosure mandates intended to protect individuals from the consequences of identity theft. However, we argue that the laws help reduce shareholder risk by encouraging managers to take real actions to reduce firms’ exposure to cyber risk. Consistent with this argument, we find an on-average decrease in shareholder risk, proxied by cost of equity, after the staggered passage of these laws. We also find the effect is attenuated for firms that already took real actions to manage cyber risk before the laws. Further, after these laws, firms are more likely to increase cybersecurity investments and have a cybersecurity officer. Finally, we observe positive abnormal returns on key dates related to the passage of these laws. Our collective evidence suggests that consumer protection disclosure mandates can benefit shareholders and, specifically, that regulators can use disclosure mandates to incentivize managers to reduce firms’ exposure to cyber risk.

Data Availability: All data used in this study are publicly available.

JEL Classifications: G120; G340.

You do not currently have access to this content.