According to the World Economic Forum (WEF) (2022), cybersecurity risk is the most immediate and financially material sustainability risk that organizations face. Companies experience significant financial and reputational losses in the market after a cyberattack. However, companies are only required to disclose a trivial amount of information about their cybersecurity risk management efforts (SEC 2014; Newman 2018). This paper summarizes Frank, Grenier, and Pyzoha (2019), which examines whether voluntarily providing additional disclosures regarding a company’s cybersecurity efforts, with or without assurance, increases investment attractiveness. Absent assurance, voluntary disclosures about the nature and effectiveness of cybersecurity efforts are sufficient to increase investment attractiveness for companies that have not (versus have) disclosed a prior cyberattack, as investors are less likely to question the disclosure’s reliability. Assurance provides a greater benefit to companies that have (versus have not) disclosed a prior cyberattack, as they benefit more from the reliability enhancement of assurance.
Cyberattacks damage firm value and reputation (Ettredge and Richardson 2003; Wang, Kannan, and Ulmer 2013; Center for Audit Quality (CAQ) 2016, 2019). As the threat of cyberattacks grows, so do investors’ concerns about the impact cyberattacks could have on corporate sustainability. Eighty-five percent of nonprofessional investors claim they consider cybersecurity concerns when making investment decisions, and 81 percent believe it is one of the greatest risks to capital markets in the United States (CAQ 2016, 2019). Thus, it is unsurprising that investors consider cybersecurity risk management as central to the environmental, social, and governance (ESG) analyses they carry out when making investment decisions (RBC Global Capital Management 2019; Sherman 2020; WEF 2022).
Currently, companies are only required to disclose a trivial amount of information about their cybersecurity risk management efforts (Securities and Exchange Commission (SEC) 2014; Newman 2018). Absent additional information, it may be difficult for nonprofessional investors to assess a company’s cybersecurity risk because they cannot directly observe management’s risk mitigation efforts. This can make raising capital more costly because investment attractiveness tends to decrease as the degree of uncertainty regarding a company’s ESG risks increases (Healy and Palepu 2001; Easley and O’Hara 2009, 2010).
Companies could mitigate some of the investors’ uncertainty by voluntarily providing additional disclosures. In 2017, the American Institute of Certified Public Accountants (AICPA) developed a voluntary cybersecurity risk management reporting and assurance framework commonly referred to as System and Organizational Controls (SOC) for Cybersecurity (hereafter, the Framework). The Framework includes a report prepared by management (the management component) that provides a description of a company’s cybersecurity risk management program and assertions as to (1) whether the description complies with AICPA guidelines and (2) whether the related controls were effective (AICPA 2017a). The Framework also includes a voluntary assurance report (the assurance component), which provides an auditor’s opinion on management’s description and assertions. Overall, about 29 percent of firms in the S&P 500 voluntarily adopt the Framework, representing $10.9 trillion in total market value (Schoenfeld 2022). As noted by Schoenfeld (2022, 3), “to put these results in perspective using other settings where management’s decision to receive an audit is not explicitly mandated by legislation, about 23–37 percent of private firms elect to receive financial statement audits depending on the sample.”
Given the costs to prepare the various components of the Framework, understanding the potential benefits may aid organizations in deciding whether to adopt it. This paper summarizes Frank et al. (2019), which examines one potential benefit. Specifically, it examines whether and how adopting the Framework influences investors’ perceptions of investment attractiveness and whether this influence varies if a company has (versus has not) disclosed a prior cyberattack. We discuss the study’s expectations, experiment, results, and implications below.
Frank et al. (2019) first examine the efficacy of adopting the management component of the Framework, absent assurance. Building on prior research (e.g., Hirst, Koonce, and Simko 1995; Hirst, Koonce, and Venkataraman 2007; Rennekamp 2012), the study predicts that the extent to which the management component increases investment attractiveness will depend on whether investors believe that the information included in the disclosure is reliable. Prior research suggests that investors tend to view unaudited, voluntary control disclosures as reliable because they believe managers face significant costs from asserting controls that are effective when, in fact, they are not (Deumes and Knechel 2008).[1] This research suggests that issuing the management component could increase investment attractiveness. However, other research suggests that this is less likely to be true when investors are aware that a company previously experienced a cyberattack. For example, Church and Schneider (2016) find that when investors are made aware of a prior control failure, they question management’s competence, character, and ability to exercise adequate oversight and, thus, the reliability of any subsequent voluntary disclosures (Mercer 2004). Consequently, Frank et al. (2019) predict that because of differences in perceived reliability, disclosing the management component by itself will have a greater positive effect on investment attractiveness when a company has not (versus has) disclosed a past cyberattack.
Frank et al. (2019) also examine the incremental effect of obtaining a third-party opinion on management’s voluntary cybersecurity disclosures (i.e., issuing the assurance component alongside the management component). Research finds that investors believe audited financial disclosures are more reliable than unaudited disclosures (Leftwich 1983; Wallace 1987) and that assurance increases the perceived reliability of voluntary nonfinancial disclosures (Fargher and Gramling 1996; Coram, Monroe, and Woodliff 2009; Casey and Grenier 2015). However, the extent to which assurance enhances the perceived reliability of management’s disclosures depends on investors’ initial beliefs about those disclosures (Koonce and Mercer 2005; Coram et al. 2009; Wu and Tuttle 2014). If users have little reason to question a disclosure’s reliability, assurance provides relatively little incremental benefit. Conversely, the more skeptical investors are of management, the greater the benefit of assurance (Wu and Tuttle 2014). In light of this, the study predicts that relative to issuing the management component alone, issuing the assurance component together with the management component will increase investment attractiveness more when a company has (versus has not) disclosed a prior cyberattack.
Finally, the study examines the option of issuing only the assurance component.[2] Recall that the higher the degree of doubt regarding the efficacy of a company’s ESG risk management practices, the less attractive an investment in that company becomes (Healy and Palepu 2001; Easley and O’Hara 2009, 2010). Given that assurance acts to reduce information asymmetry between management and investors (Smith, Schatzberg, and Waller 1987; Wallace 1987; Mercer 2004), disclosing an auditor’s opinion about the effectiveness of a company’s cybersecurity controls by itself may be sufficient to lessen this uncertainty. Therefore, Frank et al. (2019) predict that regardless of whether a company has disclosed a prior cyberattack, issuing the assurance component by itself will increase investment attractiveness relative to making no voluntary cybersecurity disclosures.
III. THE EXPERIMENT
Participants, Tasks, and Manipulations
The authors recruited 547 experimental participants with investing experience from Amazon Mechanical Turk, an online labor market often used to recruit and proxy for nonprofessional investors (Rennekamp 2012; Krische 2019). Participants were told to assume that they were thinking about making an investment in a healthcare company.[3] They were provided with an excerpt from the company’s 10-K filing that included general financial information and a disclosure stating that cybersecurity was a risk the company faced and that it had worked to manage this risk. Participants were told that the company always received an unqualified financial statement audit opinion and never had a restatement.
The study manipulated two factors. The first factor was the Framework components, if any, provided to the participant (no voluntary disclosure, management only, both the management and assurance components, or assurance only). In the no voluntary disclosure condition, no information was provided about the company’s cybersecurity risk management program beyond what was included in the risk disclosure section of its annual 10-K filing. This condition served as a benchmark for comparison. In conditions where one or both parts of the Framework were provided, the reports were based on sample reports issued by the AICPA (2017b). The management component included an assertion that the company’s cybersecurity controls were effective, and the opinion included in the assurance component supported this assertion. In the assurance-only condition, participants received an audit firm’s opinion that the company’s cybersecurity controls were effective, without the accompanying management report.
Second, the study manipulated whether participants were informed that the company was previously the victim of an immaterial cyberattack (no prior attack or prior attack). In no prior attack, the firm had never experienced a cyberattack, and the data within the company’s information technology systems had never been breached by an unauthorized person. In prior attack, the company experienced a cyberattack in the recent past in which an unauthorized individual successfully gained access to data within its information technology system. These participants were also told that the company provided appropriate notification to all affected individuals and regulatory agencies.
Participants were then asked to assess the company’s investment attractiveness on an 11-point scale (0 = not at all attractive; 10 = very attractive), the reliability of the disclosures provided by the company on an 11-point scale (0 = strongly disagree; 10 = strongly agree), and demographic and comprehension check questions.
As shown in Figure 1, issuing the management component increases investment attractiveness for a firm that has not disclosed a prior attack, but it has no effect when a prior attack is disclosed.[4] Results further show that issuing the management component benefits companies that have not disclosed a prior cyberattack because it enhances the perceived reliability of information regarding the company’s cybersecurity risk management efforts. However, when a company has disclosed a prior cyberattack, issuing the management component by itself did little to improve investment attractiveness because investors were more likely to question the reliability of that disclosure.[5]
Issuing the assurance component with the management component increased investment attractiveness, but only for companies that disclosed a prior cyberattack. As shown in Figure 1, the incremental effect of issuing the assurance component in addition to the management component is greater if the firm disclosed a prior attack. In fact, assurance does little to increase investment attractiveness when a company has not disclosed a prior attack. Additional analyses reveal that perceptions of reliability drive the effects. If a company discloses a prior cyberattack, it must provide assurance for nonprofessional investors to feel confident that they can rely on management’s subsequent cybersecurity risk management disclosures. Conversely, if no prior attack is disclosed, then nonprofessional investors will perceive the management component on its own as reliable, and the added benefit of issuing the assurance component will dissipate.
Lastly, results suggest that the assurance component by itself is sufficient to increase investment attractiveness. Regardless of whether a firm disclosed a prior cyberattack, investment attractiveness was significantly greater when investors received the assurance component than with no additional cybersecurity disclosures. Further, the increase in investment attractiveness from issuing the assurance component alone was equal to the increase achieved when both components of the Framework were issued, suggesting that an auditor’s opinion alone may be a substitute for additional voluntary management disclosures.[6]
Investors increasingly view cybersecurity as a central component of companies’ ESG efforts and are demanding more information. Investors are concerned about cybersecurity because the market reacts negatively to cyberattacks, and companies experience substantial financial and reputational losses, including adverse impacts on operations and liquidity (Ettredge and Richardson 2003; Wang et al. 2013; CAQ 2016; PricewaterhouseCoopers 2016; Palmer 2018; Ponemon 2017). However, preparing cybersecurity disclosures and purchasing assurance services is costly. The study by Frank et al. (2019) provides important insights for managers and audit committee members trying to determine the conditions under which these costs are likely to benefit their companies. If a company has disclosed a prior cyberattack, nonprofessional investors are likely to question the reliability of its cybersecurity disclosures, and thus, obtaining independent assurance is critical. On the other hand, if a company has not disclosed a prior cyberattack, nonprofessional investors are less likely to question the reliability of management’s voluntary cybersecurity disclosures, and the benefits of obtaining assurance become less clear.
The findings from Frank et al. (2019) have important implications for audit firms and regulators. To mitigate the enhanced litigation and audit risk after a prior attack, the study’s findings suggest that audit firms should be performing more testing and assurance over cyber controls. Furthermore, the study suggests benefits from assurance and lends support to the Public Company Accounting Oversight Board’s assertion that external auditors could be doing more to properly evaluate the types of cyber control deficiencies related to internal controls over financial reporting (Tremblay 2021). These findings highlight the need for audit firms to hire and train auditors who not only understand accounting and auditing but also have a solid understanding of ESG risks, including risks and governance related to cybersecurity. Audit firms can also use the findings to better market their cybersecurity assurance offerings by targeting customers who have the most to gain from these services, such as those who have experienced or are at risk of an attack. These findings have important implications for the SEC, which is moving quickly toward substantially overhauling and mandating ESG disclosures (Bloomberg Law 2022). Specifically, the study informs the ongoing debate regarding whether ESG disclosures impact capital markets (Serafeim and Yoon 2022). The results of Frank et al. (2019) suggest that investors do incorporate voluntary cybersecurity disclosures into their decision-making process, consistent with the assertion that ESG information influences investor choice when it is likely to be financially material for an organization.
Finally, the study has important implications for academics because it extends a critical line of cybersecurity research. For example, recent studies have explored the influence of cybersecurity disclosures on the contagion effect in which cybersecurity breaches at one company subsequently impact an industry peer (Kelton and Pennington 2020), the impact of governance mechanisms on cybersecurity risk (Hartmann and Carmenate 2021), and how accountants can provide advisory and assurance services to positively influence cybersecurity risk management (Eaton, Grenier, and Layman 2019). While much of this research focuses on cybersecurity outcomes, Frank et al. (2019) focus on how disclosures influence investment attractiveness. The study also creates the potential for future research. For example, the study focuses on a prior immaterial cyberattack. Additional research is needed to examine whether the effects of a prior cyberattack documented in Frank et al. (2019) depend on the nature or type of the prior attack.
[1] Also, the act of preparing the disclosure may send a more reliable signal that managers are actively engaged in preventing, detecting, and correcting security breaches than does merely acknowledging in a 10-K filing that cybersecurity is a risk that the company has addressed (Gordon, Loeb, and Sohail 2010).
[2] The study investigates this condition not because it necessarily would be a frequently adopted disclosure strategy, but rather because it was put forward by the AICPA (2017a) as an option. The authors leverage the experimenter’s advantage of investigating conditions that do not currently exist (or are uncommon) in practice. In other words, a lack of current external validity does not invalidate the potential importance of scientific inquiry.
[3] Frank et al. (2019) chose healthcare due to the significant cybersecurity risks that the industry faces (i.e., potential exposure of private customer information), making the study informative to healthcare firms and other industries with significant cybersecurity risk. The study’s findings may be less applicable to industries where cybersecurity risk is lower. This interesting possibility is worthy of future research.
[4] Mean responses were above the midpoint of the investment attractiveness scale, demonstrating that the study examined a company generally perceived as an attractive investment. This pattern shows the value of cybersecurity reporting and assurance even for companies already perceived as strong. We would expect that these effects could be even stronger for otherwise less attractive companies. Future research should investigate this interesting possibility.
[5] Interestingly, Frank et al. (2019) find that the mere existence of an immaterial prior attack does not erode investment attractiveness, consistent with prior research on the effects of cyberattacks (Richardson, Smith, and Watson 2019). Although immaterial prior attacks might not necessarily erode investment attractiveness, Frank et al. (2019) demonstrate how they influence the way investors respond to subsequent cybersecurity reporting and assurance choices.
[6] Collectively, the results suggest that nonprofessional investors do not need detailed disclosure if a third party attests to the effectiveness of the cybersecurity risk management program. The implication would be that it may be more valuable to invest in assurance rather than in underlying reporting enhancements. Of course, such resource allocation decisions should be based on the value of reporting and assurance to a broader range of stakeholders than only nonprofessional investors, representing a promising area for future research.