Fortifying the Nonbreached: Auditors’ Role in Cybersecurity Risk Management
The study finds that auditors who have experienced client cybersecurity incidents are more likely to issue internal control material weakness opinions for clients that have not been attacked and to improve cybersecurity risk disclosures, reflecting a cross-client learning effect.
SUMMARY: We examine how auditors’ experience with client cybersecurity breaches influences their oversight of nonbreached clients. We find that auditors with breach experience are more likely to issue internal control material weakness (ICMW) opinions, reflecting heightened sensitivity to control risks and improved detection of latent vulnerabilities, as these opinions are often issued to firms that subsequently experience breaches. Conversely, clean opinions issued by breach-experienced auditors are associated with fewer future breaches, suggesting stronger risk assessments. These auditors also enhance cybersecurity risk disclosures. Cross-sectional analyses show that these effects are shaped by auditor type, board independence, and the presence of IT-related weaknesses. Interview evidence further supports that breach exposure increases auditors’ attentiveness to cybersecurity risks and informs risk assessments for other clients. Collectively, our findings highlight how cybersecurity breach experience enhances auditors’ vigilance and oversight, providing evidence of cross-client learning and adaptive audit behavior in response to evolving digital risks.

Data Availability: Data are available from public sources noted in the article.