This paper provides evidence that the efficacy of voluntary cybersecurity risk management reporting and independent assurance, in terms of enhancing investment attractiveness, depends on whether a company has disclosed a prior cyberattack. Based on the voluntary disclosure literature, we predict and find that issuing the management component of the AICPA's cybersecurity reporting framework absent assurance is more effective when a company has not (versus has) disclosed a prior cyberattack, as nonprofessional investors are less likely to question the reliability of management's reporting. However, obtaining third-party assurance of management's report provides a greater benefit for companies that have (versus have not) disclosed a prior cyberattack, as these companies benefit more from the reliability enhancement of assurance. Finally, we find it may be possible to enhance a company's investment attractiveness by issuing the independent assurance report by itself. Our results have implications for companies' cybersecurity risk management reporting and assurance decisions.

Data Availability: Data are available upon request.

