Amani, Farzaneh (2023) Three Essays on the Governance of Cybersecurity. PhD thesis, Concordia University.
Text (application/pdf): Amani_PhD_F2023.pdf (3MB) - Accepted Version. Available under License Spectrum Terms of Access.
Abstract
This dissertation consists of three interrelated essays that examine the governance of cybersecurity. The first essay synthesizes the literature on the disclosure of cybersecurity risks and incidents to identify its drivers, informativeness, quality, theoretical perspectives, and future directions. The review identifies several drivers for cybersecurity disclosure, highlights that while the level of informativeness of such disclosure meets the usefulness expectations of regulators, its quality falls short, mostly lacks an explicit theoretical framework, and uses predominantly textual content analysis and event studies. The review identifies the need for research in both governance and management of cybersecurity disclosure, thus providing the motivation for the second and third essays.

The second essay examines where cybersecurity risk oversight resides within a firm’s governance structure, what determines such positioning, and how it impacts the firm’s response to a cybersecurity breach. In proxy statements, breached firms explicitly disclose oversight assignment with a wide variation, ranging from full board to a named board committee - the audit committee being the most common. Results show that board connectedness and cyber competency are positively associated with oversight assignment, full board oversight is more likely with smaller boards, and boards’ shareholding and cyber competency steer oversight to the audit committee. In the event of a breach, the presence of oversight decreases the time firms take to announce and resolve the breach, as well as reduces the recurrence of breaches. While the audit committee cybersecurity oversight discloses and resolves the breach quicker, full board oversight leads to fewer recurrences.

The increase of data breaches leads firms to adopt various risk management strategies, hence the third essay examines the relation between cyber insurance disclosure and a firm’s likelihood of being the target of a future breach. Using textual analysis of the risk factors disclosed in 10-K filings and comparing cyber insurance disclosures of firms that are breached to those that are not, the evidence shows that firms disclosing cyber insurance have a significantly higher subsequent probability of being breached. Furthermore, it appears that disclosing cyber insurance leads to delayed public breach disclosure but more timely breach resolution, and higher breach recurrence.
Divisions: | Concordia University > John Molson School of Business > Accountancy |
---|---|
Item Type: | Thesis (PhD) |
Authors: | Amani, Farzaneh |
Institution: | Concordia University |
Degree Name: | Ph. D. |
Program: | Business Administration (Accountancy specialization) |
Date: | 19 June 2023 |
Thesis Supervisor(s): | Magnan, Michel and Moldovan, Rucsandra |
Keywords: | Cybersecurity; Literature Review; Disclosure; Cybersecurity Risks and Incidents; Risk Oversight; Corporate Governance; Data Breaches; Determinants; Consequences; Cyber Insurance; Risk Management; Risk Transfer |
ID Code: | 992562 |
Deposited By: | Farzaneh Amani |
Deposited On: | 14 Nov 2023 19:09 |
Last Modified: | 14 Nov 2023 19:09 |