Abstract
Cybersecurity governance is usually framed as a desirable organizational response: firms should disclose cyber risks, protect customer data, and assign executive responsibility for data security (Gordon et al., 2010). But this positive framing hides an important question: How do institutional environments shape the costs of cybersecurity governance adaptation? We argue that cybersecurity governance is not only a protective mechanism, but also a form of organizational adaptation to technological risk. Adopting cyber governance requires firms to redesign routines, formalize accountability, introduce data-protection practices, invest in compliance systems, and redirect managerial attention (Nelson & Winter, 1982). These changes may generate short-run adjustment costs before longer-term benefits emerge. The insurance sector provides a compelling context, as firms are both highly exposed to cyber risk and deeply embedded in regulatory and governance regimes. The novelty of this research lies in shifting the perspective from “Does cybersecurity governance improve performance?” to “Under what institutional conditions do firms bear the costs of cyber-governance adaptation differently?” Institutions are treated as a mechanism: more harmonized regulatory environments may reduce uncertainty and lower adjustment costs, whereas less standardized environments may increase the load of adoption. Moreover, cybersecurity governance is conceptualized as a dynamic process, with effects that may be delayed, temporary, persistent, or gradually absorbed as firms learn and routinize new practices. The empirical analysis uses a panel of 277 insurance firms over 2015–2024. Cybersecurity governance is measured through data-security risk disclosure, customer data-protection policy, executive responsibility for data security, and a composite governance indicator. 
The empirical design combines fixed-effects models, post-treatment specifications, and event-study models to distinguish immediate, persistent, and dynamic effects. Preliminary findings suggest that governance adoption is associated with short-run costs, which are stronger outside the EU (that is, in North America), indicating that institutional environments shape both the magnitude and timing of adaptation. This study contributes to IS research by showing that the costs of cybersecurity governance adaptation are not uniform across firms, but are institutionally conditioned by regulatory environments, governance structures, and market expectations. The results also indicate how fast institutions adapt to new conditions after the implementation of cybersecurity policies. This reframes cybersecurity governance as a dynamic organizational process.
Recommended Citation
Strzelczyk, Wojciech; Obojska, Lidia; and Puławska, Ph.D. Karolina, "Cost of Cyber Governance Has a Postal Code" (2026). AMCIS 2026 TREOs. 115.
https://aisel.aisnet.org/treos_amcis2026/115