Journal of the Association for Information Systems


Cybersecurity disclosures in reports filed with the US Securities and Exchange Commission (SEC) inform investors about firms’ cybersecurity incidents, risks, and related risk management efforts. Firms have traditionally chosen to communicate such information on a quarterly or annual basis, if at all, and prior research on the topic has largely focused on regulatory factors as driving forces. In this paper, we focus on timely disclosures (via 8-K filings) and derive hypotheses regarding the influences of two alternate forms of pressure as drivers of cybersecurity disclosures—(1) public pressure following a firm’s data breach and (2) pressure arising from the breaches of industry peers, which we cast as “institutional pressure.” We also theorize on how the source of the breach (internal or external) influences these forms of pressure. Our results suggest that firms’ cybersecurity disclosure practices are influenced by public pressure following a data breach and that this pressure is more acute for external breaches than for internal breaches. By contrast, breaches by industry peers, as a form of institutional pressure, appear to prompt fewer cybersecurity disclosures, except when the focal firm suffers its own external breach. From a theoretical perspective, our study supports a nuanced application of legitimacy theory in the cybersecurity disclosure context, especially in the midst of public and institutional pressure, such that the source of a data breach determines whether firms attempt to address the resultant legitimacy gap. From a practical perspective, our results may be viewed as alarming in that firms are not reacting to internal breaches with the same degree of communicative effort about cybersecurity as for external breaches, at least in terms of the timely disclosures we consider in this study. Our findings also point to certain levers that can promote timely cybersecurity disclosures, and thus have important policy implications.





When commenting on articles, please be friendly, welcoming, respectful and abide by the AIS eLibrary Discussion Thread Code of Conduct posted here.