Public company investors rely on the Big 4 audit firms to provide assurance over internal controls and financial reporting. What, then, would happen if one of these very assurance providers suffered its own cybersecurity breach? We examine such an event in the major data breach of Deloitte in 2017. Using U.S. data from 2014 to 2019, we find Deloitte suffered significant reputational damage postbreach. Specifically, audit clients and existing shareholders became less likely to approve of Deloitte as the company’s auditor. Deloitte also charged lower audit fees after the incident. Furthermore, Deloitte’s audit clients suffered significant negative market reactions postbreach. Our results suggest pervasive implications of cyberattacks on auditor reputation and support recent congressional efforts to expand regulation in this area.

You do not currently have access to this content.