Can Shareholders Benefit from Consumer Protection Disclosure Mandates? Evidence from Data Breach Disclosure Laws
研究发现,数据泄露披露法律通过促使管理者采取实际行动降低网络风险,平均降低了股东风险(以权益成本衡量),并在法律通过的关键日期产生正异常回报。
ABSTRACT Data breach disclosure laws are state-level disclosure mandates intended to protect individuals from the consequences of identity theft. However, we argue that the laws help reduce shareholder risk by encouraging managers to take real actions to reduce firms’ exposure to cyber risk. Consistent with this argument, we find an on-average decrease in shareholder risk, proxied by cost of equity, after the staggered passage of these laws. We also find the effect is attenuated for firms that already took real actions to manage cyber risk before the laws. Further, after these laws, firms are more likely to increase cybersecurity investments and have a cybersecurity officer. Finally, we observe positive abnormal returns on key dates related to the passage of these laws. Our collective evidence suggests that consumer protection disclosure mandates can benefit shareholders and, specifically, that regulators can use disclosure mandates to incentivize managers to reduce firms’ exposure to cyber risk. Data Availability: All data used in this study are publicly available. JEL Classifications: G120; G340.