Companies are better off being transparent on cybersecurity efforts
In any industry, a cybersecurity breach nearly always results in negative press or a loss of attractiveness. To mitigate such adverse effects, companies are better off being transparent about their cybersecurity efforts, according to a new study by researchers at North Carolina State University. The findings appeared in the Journal of Information Systems.
When a cybersecurity breach occurs, companies within a similar field become less attractive to investors, resulting in contagion effects. The researchers explored these contagion effects through a series of experiments with 120 non-professional investors.
As part of the experiments, researchers gave the participants a briefing on what they labeled as Company A. The participants were told about Company A’s cybersecurity risk management program and asked to assess the attractiveness of purchasing its stock as an investment.
Thereafter, researchers described a cybersecurity breach occurring against peers of Company A. The participants received a press release about the breach and completed a final assessment estimating the possibility of purchasing stock.
The findings showed that companies that were transparent about their cybersecurity efforts, before and after a breach, were better off than companies with no such disclosure.
Andrea Kelton, the study’s corresponding author, wrote: “Using an experiment with nonprofessional investors, we provide strong evidence of investment contagion effects.”
“Cybersecurity disclosures provided subsequent to the breach announcement can reduce the magnitude of investment contagion effects,” Kelton explains. “Our study informs standard setters and firms as we find some evidence that voluntary disclosures are effective in lessening investment contagion effects.”
Robin Pennington, co-author of the study, added: “We not only confirmed the contagion effect, but found that there are clear steps companies can take to reduce its impact. Specifically, companies would be well advised to implement the voluntary reporting guidelines from the AICPA on disclosing cybersecurity efforts.”