How Disclosing a Prior Cyberattack Influences the Efficacy of Cybersecurity Risk Management Reporting and Independent Assurance

Frank, Michele L.; Grenier, Jonathan H.; Pyzoha, Jonathan S.

doi:10.2308/isys-52374

Cited by 31 publications

(37 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Thus, companies like Target, Home Depot, and the countless others that have experienced prior cybersecurity incidents should consider external cybersecurity reporting such as the AICPA Framework. In fact, Frank et al (2019) find that external cybersecurity reporting also promotes investor confidence for firms that have not experienced cybersecurity incidents. These results demonstrate the value of external cyberse-4 See SEC (2018) for recent interpretative guidance on required SEC disclosures regarding cybersecurity risk management.…”

Section: External Cybersecurity Reportingmentioning

confidence: 99%

“…With respect to companies who have experienced cybersecurity incidents, recent research suggests that external cybersecurity reporting can help restore investor confidence when coupled with assurance (see next section; Frank et al 2019). Thus, companies like Target, Home Depot, and the countless others that have experienced prior cybersecurity incidents should consider external cybersecurity reporting such as the AICPA Framework.…”

Section: External Cybersecurity Reportingmentioning

confidence: 99%

“…As mentioned above, when a firm has experienced a prior cybersecurity incident, research indicates that independent assurance is necessary for external cybersecurity reporting to improve investor confidence (Frank et al 2019). Thus, firms that have experienced cybersecurity incidents should be cautious of investing in external cybersecurity reporting without the enhanced credibility from independent assurance.…”

Section: Assurance On External Cybersecurity Reportingmentioning

confidence: 99%

“…Beyond the need to protect organizational data, recent academic research suggests numerous benefits of cybersecurity disclosures for client firms. Two of the key benefits are that cybersecurity disclosures can be informative to investors (e.g., Ettredge and Richardson 2003;Gordon, Loeb and Sohail 2010;Frank, Grenier, and Pyzoha 2019) and can help mitigate the negative impacts of a subsequent breach (e.g., Wang, Kannan, and Ulmer 2013). 1 However, despite the recommendations of regulatory bodies and the findings of recent research, firms often fail to provide disclosures regarding cyber issues (Amir, Levi, and Livne 2018;Rubin 2019).…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Accounting and Cybersecurity Risk Management

Eaton

Grenier

Layman

2019

Current Issues in Auditing

Self Cite

View full text Add to dashboard Cite

SUMMARY As the number of cybersecurity incidents continue to rise and stakeholders are becoming increasingly concerned, companies are devoting considerable resources to their cybersecurity risk management efforts and related cybersecurity disclosures. This paper describes how accountants are uniquely positioned to assist companies with these efforts in advisory and assurance capacities. We present a model of effective cybersecurity risk management and discuss how accountants' core competencies can add significant value in each of the model's five stages. In addition, we use several recent high-profile cybersecurity incidents as illustrative examples in each of the five stages. We conclude by discussing implications for accountants.

show abstract

Section: External Cybersecurity Reportingmentioning

confidence: 99%

Section: External Cybersecurity Reportingmentioning

confidence: 99%

Section: Assurance On External Cybersecurity Reportingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Accounting and Cybersecurity Risk Management

Eaton

Grenier

Layman

2019

Current Issues in Auditing

Self Cite

View full text Add to dashboard Cite

show abstract

“…Results indicate that, on average, the economic consequences of privacy breaches on firms' cumulative abnormal returns, future accounting measures of performance such as sale growth return on sales and operating expense, higher audit and other fees, and future SOX 404 reports of material internal control weaknesses are generally very small. Frank et al (2019) examine whether a prior cyberattack influences the efficacy of cybersecurity risk management reporting and independent assurance. The authors design an experiment to capture how disclosures proposed by AICPA may influence nonprofessional investors' perceptions.…”

Section: Theme Issue: Implications Of Cybersecuritymentioning

confidence: 99%

Implications of Cybersecurity on Accounting Information

Janvrin

Wang

2019

Journal of Information Systems

View full text Add to dashboard Cite

Implications of Cybersecurity on Accounting Information I. INTRODUCTION R ecent high-profile cybersecurity incidents, such as Equifax, Sony, and Target, have increased professional and regulatory attention. For example, organizations are under pressure to demonstrate that they are managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate, and recover from breaches and other security events. Cybersecurity risk management involves not only improving internal controls, but also includes a wide range of factors from strategy, IT management, investment decisions, human behavior, disaster recovery/business continuity, and technical solutions to actual implementation and practices. From the regulatory perspective, the PCAOB explicitly included the assessment of cybersecurity risks in its 2018-2022 strategic plan (PCAOB 2018). Further, the Securities and Exchange Commission (SEC) recently issued reporting guidelines on cybersecurity risk disclosures (SEC 2018), while the AICPA proposed an assurance framework for auditors to use to evaluate an organization's cybersecurity risk management policies and procedures (AICPA 2017). Accounting information systems (AIS) researchers, who stand at the intersection between information systems and accounting, can contribute to understanding the impact of cybersecurity on accounting information from different theoretical or empirical perspectives. For example, our emphasis on understanding how behavior impacts action may provide insight to managers as they develop and implement cybersecurity policies and work to prevent and detect cybersecurity breaches. Further, our knowledge of how financial and nonfinancial information impacts organizational value may be helpful to investigate how investors and auditors react to disclosed data security breaches. Finally, we offer this special-theme issue to encourage cybersecurity research by the broader accounting community. To illustrate, Banker and Feng (2019) and Richardson, Smith, and Watson (2019) demonstrate how archival financial methodology can be used to examine important cybersecurity issues. Accounting behavioral researchers are encouraged to follow the lead of Cheng and Walton (2019) and Frank, Grenier, and Pyzoha (2019) in using experiments to provide insights into cybersecurity challenges. Further, managerial researchers may find Curry, Marshall, Correia, and Crossler's (2019) work helpful in generating ideas on how applicable theories and skills can be applied to this important topic.

show abstract

Board of directors’ attributes and aspects of cybersecurity disclosure

Héroux

Fortin

2022

J Manag Gov

View full text Add to dashboard Cite

How Disclosing a Prior Cyberattack Influences the Efficacy of Cybersecurity Risk Management Reporting and Independent Assurance

Cited by 31 publications

References 47 publications

Accounting and Cybersecurity Risk Management

Accounting and Cybersecurity Risk Management

Implications of Cybersecurity on Accounting Information

Board of directors’ attributes and aspects of cybersecurity disclosure

Contact Info

Product

Resources

About