Timely Cybersecurity Disclosure and Information Manipulation

Management Science · 2025
Cited by: 2
Journal rankings: RUC A+, FT50, UTD24, ABS 4*

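Overview

The study finds that some firms manipulate the discovery date in order to postpone disclosing cybersecurity incidents, as shown by a surge in insider trading before the reported discovery date; this manipulation is more common when internal controls are weak, litigation risk is low, and disclosure deadline pressure is high.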

Abstract

Regulators have increasingly mandated firms to promptly disclose material cybersecurity incidents upon discovering these incidents. We find suggestive evidence indicating that some firms manipulate the discovery date (“misreport”) of a cybersecurity incident to postpone the disclosure of the incident, as evidenced by a pronounced spike in insider sales before the reported discovery date. We also find that misreporting is more prevalent among firms with weak internal control systems, when firms face low litigation risk, and when firms have greater pressure to meet a disclosure deadline. Further, firms suspected of misreporting tend to disclose their remedial actions and assert the restoration of business, mitigating negative market reactions upon disclosure of incidents. Collectively, our results suggest that firms might strategically misreport information about a cybersecurity incident to delay disclosure to gain additional time for remedial actions, which helps them prevent exposing vulnerabilities to malicious actors and alleviate stakeholder anxiety.

This paper was accepted by Eric So, accounting.

Supplemental Material: The online appendix and data files are available at https://doi.org/10.1287/mnsc.2023.01058.

Keywords: cybersecurity incident disclosure, information manipulation, insider trading, disclosure date misreporting