In almost every industry or sector of the economy, data breaches and cyber attacks are an everyday reality. Until recently, most companies attempted to keep these cyber attacks private, and disclosed relatively little about the unique cyber threats they faced or the risk management controls in place to deal with them. However, companies are better off being transparent about their cyber efforts, especially if they are trying to quell the anxiety that some investors have about investing in industries hard hit by cyber attacks. According to a new research paper from accounting professors Andrea Seaton Kelton of Middle Tennessee State University and Robin Pennington of North Carolina State University’s Poole School of Management, voluntary disclosures about cybersecurity risk can help to mitigate the “contagion effect” that often impacts companies in an industry that has just been the victim of a major cyber breach.
Mitigating the “contagion effect” with voluntary disclosure
One of the best-documented effects within the investment world is the “contagion effect,” in which bad news about one company tends to impact the way investors view all companies within an industry. For example, if a major financial services provider has just experienced a major data breach, there is reason for concern that other financial services companies might also be at risk of a data breach or cyber attack. In part, this reflects the way that threat actors think and behave – once they’ve identified a soft target or a security vulnerability, they will keep exploiting that opportunity until the proper cyber defenses have been put into place to dissuade such an attack.
Given that framework, what can companies do in order to prevent being “contaminated” with the fallout from a major data security breach? One solution, says Robin Pennington, co-author of the paper published in the Journal of Information Systems (“Do Voluntary Disclosures Mitigate the Cybersecurity Breach Contagion Effect?”), is to become completely transparent about cybersecurity risk. This means voluntary disclosure of risk factors, a frank discussion of the management controls in place, and honest analysis of the threat scenarios facing the company. What the two researchers found was that early, pre-breach disclosure of cybersecurity risk could go a long way towards mitigating the contagion effect. Moreover, additional transparency after the breach has taken place can also help to insulate a company from the contagion effect.
Two frameworks for disclosing cybersecurity risk
Currently, companies can choose between two major frameworks for disclosing cybersecurity risk and becoming more attractive to investors. The first of these can be thought of as the “SEC model,” since the SEC (Securities and Exchange Commission) is one of the primary regulators of publicly traded corporations. According to SEC guidelines, companies must already make a full disclosure of all risk factors facing them, as well as a discussion of the likelihood and potential magnitude of “significant” or “material” risk scenarios. In the past, of course, companies tended to focus on economic and financial risk factors. If they did business overseas, they might have mentioned some geopolitical risk factors (such as a Western oil company doing business in the Middle East). But now, companies must also give a full and voluntary disclosure of the cybersecurity risks facing them.
The second framework for disclosing cybersecurity risk can be thought of as the “AICPA model,” since the AICPA (American Institute of Certified Public Accountants) has produced a set of voluntary guidelines for risk management reporting. When auditors “sign off” on the financial statements or risk management reports of a company, they typically have a checklist of items to look for. If a company has all the items on the checklist, it gets a clean bill of health. And now that checklist should include items such as “cybersecurity risk management program,” “cybersecurity risk management efforts,” and “cyber threat reporting.” In other words, is senior management getting a regular readout of the cyber risks facing the company or industry?
Leveraging “competition effects” via voluntary disclosure
There is another important benefit of beefing up voluntary disclosure of cybersecurity risk – it helps a company benefit from “competition effects” with some investors. These effects occur when investors are fleeing risk and looking for a safe harbor. In this scenario, “bad news” for one company might actually be “good news” for another company. For example, say that Company A and Company B are similar in almost every regard except one: Company A has suffered a massive data breach but Company B has not. Wouldn’t it make sense that investors would flee Company A (which is facing a decline in attractiveness) and invest all their money with Company B (which is experiencing a boost in attractiveness after the breach)?
This happens all the time in the real world. Think of companies in the travel and hospitality industry (i.e. hotels, airlines, online travel e-commerce) – as soon as one company suffers a data breach (such as stolen passport data or stolen customer records), it’s only natural for one “trusted name” in the industry to benefit. And the way that you signal that your company is the “trusted name” is by voluntary disclosure of cybersecurity risk. That way, when disaster strikes a competitor, your company will stand to benefit. In the base case, voluntary disclosures mitigate any harmful effects of a breach.
Transparency is the new buzzword
Overall, say the researchers, contagion effects far outweigh competition effects. And voluntary disclosure of cybersecurity risk is most powerful when it is done both before and after a massive data breach. For example, before a data breach occurs, companies could include a discussion of cyber risk factors in every SEC filing. Then, after a data breach occurs, they can send out a press release calling attention to their overall cyber risk posture. A company that discloses its cybersecurity risk early and often can boost its overall attractiveness to investors.
While this might sound like a practical thing to do in order to mitigate the fallout from a cybersecurity breach, many companies have not embraced this sort of total transparency in the past. They might have privately worried that disclosing too much about their cybersecurity risk profile would scare off investors or, even worse, encourage hackers. Or, quite simply, they might have lacked the internal expertise to know how to talk about the cyber risks facing the company.
In the current risk environment, however, transparency needs to become the new buzzword. Disclosures mitigate the cybersecurity breach contagion effect. Not only is voluntary disclosure of cybersecurity risk the right course of action to preserve shareholder value, it is also the right course of action to protect the valuable data and personal information of customers, partners and other stakeholders in the business.