Cyberattacks by nation states and other organized groups against the United States have continued to escalate in recent years with ever-increasing concerns about ransomware attacks and other cyberattacks on the public sector and critical infrastructures. Society is highly dependent upon these...

We develop a novel firm-level measure of cybersecurity risk using textual analysis of cybersecurity-risk disclosures in corporate filings. The measure successfully identifies firms extensively discussing cybersecurity risk in their 10-K, displays intuitive relations with quantitative measures of...

Bug bounty program is a business activity in which firms invite white-hat hackers around the world to identify vulnerabilities in their cyber systems. The paper proposes a model to quantify the normal cybersecurity spending with respect to the importance of information systems. An upper limit of...

The SEC has expressed concern that some emerging risks - most notably, cybersecurity risk - exhibit an insufficient level and quality of disclosure. Policymakers envision a board role in cybersecurity risk management, but whether that role would effectively improve risk disclosure is an open...

A firm's failure to protect and control confidential information is posited to affect its cost of debt. Using a sample of 199 cybersecurity breaches from 2005 to 2014, I find a positive association between a cybersecurity breach and a firm's cost of privately placed debt. Compared with loans...

The Consumer Finance Institute hosted a workshop in February 2017 featuring James Fox, partner and principal at PricewaterhouseCoopers (PwC) and a leading authority on cybersecurity in the financial services industry. He discussed the importance of measuring cyber risk, highlighted some...

Effective cyber risk management should include the use of insurance not only to transfer cyber risk but also to provide incentives for insured enterprises to invest in cyber self-protection. Research indicates that asymmetric information, correlated loss, and interdependent security issues make...

This study investigates how voluntary cybersecurity risk management (CyRM) assurance affects non-professional investors’ judgments and decisions. The study also examines how the value relevance of CyRM assurance is altered when having such assurance is expected/unexpected. Employing an...

We develop a novel firm-level measure of cybersecurity risk using textual analysis of cybersecurity-risk disclosures in corporate filings. The measure successfully identifies firms extensively discussing cybersecurity risk in their 10-K, displays intuitive relations with quantitative measures of...

Using textual analysis and comparing cybersecurity-risk disclosures of firms that were hacked to others that were not, we propose a novel firm-level measure of cybersecurity risk for all US-listed firms. We then examine whether cybersecurity risk is priced in the cross-section of stock returns....