Cybersecurity awareness and market valuations

This paper introduces a measure of firm-specific cybersecurity awareness that can be used in empirical research exploring cyber-related issues facing corporations. It extends and updates Gordon et al. (2010), who develop an indicator capturing the existence of disclosures related to “information security” and show a positive association between market valuation and their measure. Since publication of their paper, cyber-related events have become more frequent and salient, and disclosure of cybersecurity issues has become more extensive. Increased disclosure is largely due to a 2011 requirement by the Securities and Exchange Commission, which provides guidance for disclosure of cyber-related issues in 10-K filings. Based upon this post-guidance disclosure, we develop a new measure that captures the extent and relevance of cyber disclosures and show that the market positively values cybersecurity awareness. We also show that a more negative tone in cyber disclosures is associated with lower market values. Our results are robust to inclusion of measures of IT governance and controlling for the firm’s overall disclosure characteristics.