Watch that tone! How company disclosures on cyber incidents influence investor decisions
Our researchers
- Nithara Godewatta (PhD candidate)
- Soon-Yeow Phang
- Ashna Prasad
- Xinning Xiao
Overview
Research from Monash Business School’s Department of Accounting shows how investors who may not have a strong understanding of IT issues are more likely to invest following a positively worded company disclosure statement revealing the incidence of a cybersecurity breach.
The opposite applies to IT-savvy investors. The study reveals that those investors are more likely to be turned off by a company that tries to gloss over a cybersecurity incident instead of using more factual language.
“This study stems from the tension between the need for transparency in cyber security risk disclosure and companies’ reluctance to reveal sensitive information that could further expose them to reputational or financial harm,” says study co-author and Monash Business School Associate Professor Soon-Yeow Phang.
This research finding is particularly relevant amid the rising incidence of cybersecurity breaches, which come at significant cost to the corporate sector.
These costs are not confined to system downtime or loss of revenue but extend to reputational risk.
“Investors often perceive firms affected by cybersecurity incidents as riskier, which can impact investment decisions,” A/Prof Phang says.
Cybersecurity information is also now part of companies’ obligations under sustainability reporting. They are also required to disclose materially detrimental cyberattacks on a business.
Takeaways for companies and regulators
- This study shows that the tone a company adopts in its disclosures about cybersecurity breaches is critical to how those disclosures are received among different investor groups. IT-savvy investors prefer analytical clarity over optimism. Even when the content may seem unfavourable, informed stakeholders prefer detailed, issue-specific disclosures.
- The study also reveals how the use of a required Critical Audit Matter (CAM) by the company’s auditor can act as a signal to read between the lines. IT-savvy investors are more likely to invest in companies when disclosure statements revealing the incidence of a cybersecurity breach are written in a neutral tone and a relevant CAM is present. By contrast, investors who have a low level of awareness of IT issues are more likely to invest when the disclosure statement is written in a positive tone and a CAM is absent.
- The findings have important implications for accounting standard setters as they work to enhance cybersecurity disclosure to ensure that all investors have access to timely and meaningful information about companies’ risks.
- The study also has implications for regulators. Regulators aim for investors not to be swayed by contextual cues. The finding that a positive tone in disclosure statements about cybersecurity breaches can influence investor judgment when the investor is less knowledgeable about the area runs counter to the aim that investors receive unbiased information. Going forward, regulators may need to set out rules for written disclosures to curb the strategic downplaying of a cybersecurity threat.
Implications for research
- Previous studies argue that CAMs fail to provide value to shareholders, particularly when they are overly technical or reiterate known information. This study shows that investors well versed in IT systems place significant value on these CAMs relating to cybersecurity incidents.
- This research contributes an experimental methodology, rather than relying on archival data, to reveal how cybersecurity disclosure can influence retail investors’ judgment and decision-making processes.
Want to know more?
- Godewatta, N., Phang, S. Y., Prasad, A., & Xiao, X. (2024). Investors’ Reactions to Cybersecurity Incidents: The Joint Effects of Disclosure Tone, Critical Audit Matters, and IT Knowledge. European Accounting Review, Forthcoming, 1-26.