Do Firms Under-Report Information on Cyber Attacks? Evidence from Capital Markets

Eli Amir; Shai Levi


Firms should disclose information on material cyber-attacks. However, because managers have incentives to withhold negative information, and investors cannot independently discover most cyber-attacks, firms may underreport cyber-attacks. Using data on cyber-attacks that were voluntarily disclosed by firms and those that were withheld and later discovered by sources outside the firm, we estimate the extent to which firms withhold information on cyber-attacks. Our main hypothesis is that firms will withhold information on the more severe cyber-attacks and voluntarily disclose the milder ones. We find that withheld cyber-attacks are associated with a decline of approximately 2.6% in equity values in the month they are discovered, and disclosed attacks with a substantially lower decline of 0.6%. The evidence suggests that managers do not disclose negative information below a certain threshold, and withhold information on the more severe attacks. Using the market reactions to withheld and disclosed attacks, we estimate that managers disclose information on cyber-attacks when investors already suspect with high likelihood (46%) that an attack has occurred. Our results suggest there is underreporting of cyber-attacks, and imply that if regulators wish to ensure that information on attacks reaches investors, they should consider tightening mandatory disclosure requirements.

