
Seminar by Eli Amir
12.30, Sala Seminari (Seminar Room), 1st floor, Palazzo Levi Cases, Via del Santo 33
22.07.2016
Seminar by Eli Amir, Tel Aviv University and City University of London
Do firms under-report information on cyber-attacks? Evidence from capital markets
Firms should disclose information on material cyber-attacks. However, because managers have incentives to withhold negative information, and investors cannot independently discover most cyber-attacks, firms may underreport cyber-attacks. Using data on cyber-attacks that were voluntarily disclosed by firms and those that were withheld and later discovered by sources outside the firm, we estimate the extent to which firms withhold information on cyber-attacks. We find that withheld cyber-attacks are associated with a decline of approximately 2.6% in equity values in the month they are discovered, and disclosed attacks with a substantially lower decline of 0.6%. The evidence suggests that managers do not disclose negative information below a certain threshold, and withhold information on the more severe attacks. Using the market reactions to withheld and disclosed attacks, we estimate that managers disclose information on cyber-attacks only when there is a 46% chance that investors already know of the attack. Our results suggest there is underreporting of cyber-attacks, and imply that if regulators wish to ensure that information on attacks reaches investors, they should consider tightening mandatory disclosure requirements.