The impact of customer firm data breaches on the audit fees of their suppliers

This study investigates whether audit risks that accompany data breaches of major customer firms can spillover into the supply chain and affect audit fees of their suppliers. Based on the economic bond that exists between supplier firms and their major customers, we predict that data breach incidents of customer firms will lead to higher audit fees for their respective suppliers. Consistent with customer breaches increasing the audit risk to the supplier, we observe a positive association between breach disclosures made by major customers and audit fees of the supplier firm. This association exists for both internal and external data breaches. We further find that audit fees are increasing with the number of major customers disclosing a breach in a given year. Our results are robust to both a matched sample design and a difference-in-difference approach. Interestingly, we find that while supplier auditors appear to price the risks associated with customer breaches, the breaches do not appear to affect audit quality. The findings of this study are timely and relevant to academics, practitioners, and regulators as supply chains continue to become larger and more complex.     

Corporate Governance,Social Responsibility,and Data Breaches

We study whether corporate governance and social responsibility are related to data breaches. We find that socially responsible companies with smaller boards and greater financial expertise are less likely to be breached. The financial impact of a breach is visible in the long term. Specifically, data‐breach firms have –3.5% one‐year buy‐and‐hold abnormal returns. Additionally, banks with breaches have significant declines in deposits and nonbanks have significant declines in sales in the long run. Finally, we find that following a data breach, companies are more likely to replace their chief executive officer and chief technology officer as well as improve their governance and social responsibility.     

Changes in corporate cybersecurity risk disclosures after SEC comment letters

Gao et al. (2020) examined the content and linguistic characteristics of public companies' cybersecurity risk disclosure practices as well as factors that may drive disclosure trends. In this paper, we extend Gao et al. (2020) by exploring SEC comment letter practices related to cybersecurity risk disclosures and investigating how SEC comment letters lead to changes in companies’ cybersecurity risk disclosures. Coinciding with newly issued cybersecurity guidelines, SEC comment letters related to cybersecurity disclosure deficiencies spiked in 2011. On average, it takes about 26 days for a registrant to respond to a comment letter and only 10 percent of registrants respond within the recommended 10-day period. Most comment letters (75 percent) are resolved within one round of communication. Multiple rounds of communication are often required when deficiencies surround disclosure of a cyber breach. Though 81 percent of registrants respond to comment letters related to cybersecurity breaches by claiming that there was no need for disclosure as the breaches were not material, the SEC will likely reject that claim and require the registrant to provide the required detail. We find evidence that the SEC uses comment letters to signal that the staff wish to see an explicit statement in the registrant’s cybersecurity risk disclosures on whether or not the firm suffered security breaches during a reporting period. The SEC scrutinizes cybersecurity risk disclosures to verify they are sufficient subsequent to a published security breach. Firms change their disclosure behavior one year after receiving a comment letter. Specifically, the length of cybersecurity risk disclosures increases, specificity increases, and readability and clarity improve one year after a registrant receives a comment letter that points to deficiencies in the firm’s cybersecurity risk disclosures.     

Shareholder Litigation and Corporate Disclosure: Evidence from Derivative Lawsuits

Using the staggered adoption of universal demand (UD) laws in the United States, we study the effect of shareholder litigation risk on corporate disclosure. We find that disclosure significantly increases after UD laws make it more difficult to file derivative lawsuits. Specifically, firms issue more earnings forecasts and voluntary 8‐K filings, and increase the length of management discussion and analysis (MD&A) in their 10‐K filings. We further assess the direct and indirect channels through which UD laws affect firms' disclosure policies. We find that the effect of UD laws on corporate disclosure is driven by firms facing relatively higher ex ante derivative litigation risk and higher operating uncertainty, as well as firms for which shareholder litigation is a more important mechanism to discipline managers.     

Cyber-attacks and stock market activity

I study how financial markets react to unexpected corporate security breaches in the short and the long-term. The main results show that daily excess returns drop, trading volume increases due to selling pressure, and liquidity improves upon the public disclosure of first-time corporate hacking events. The evidence from the search frequency in Google suggests that such short-lived market reaction is due to increasing investors' attention. Cyber-attacks affect firms' policies in the long run, up to five years after the security breach announcement. These results are consistent with the hypothesis that security breaches represent unexpected negative shocks to firms' reputations.     

Does SEC FRR No. 48 disclosure communicate risk management effectiveness?

We hypothesize that the quality of market risk disclosure mandated by the U.S. Securities and Exchange Commission Financial Reporting Release No. 48 (FRR No. 48) provides useful information for assessing risk management effectiveness. Measuring risk disclosure quality as the degree of modification, we find that higher-than-expected disclosure modification is associated with lower future cash flow volatility. On average, an increase in risk disclosure modification from the lowest to the highest decile is associated with a 5.34 percent decrease in cash flow volatility. Given the significant impact of cash flow volatility on firm value and capital investment, our results highlight the importance of market risk disclosures and should be of interest to investors and analysts.     

The Effect of Data Breaches on Shareholder Wealth

Many companies face the risk of a data breach exposing stored personal information of customers and employees. The frequency of such incidents has been increasing over time and can result in significant costs for the affected firm. This article examines the stock market's assessment of the cost of data breaches at publicly traded companies in which personal information such as customer and/or employee data are exposed. Using event study methodology on a sample of 77 events between the beginning of 2004 and the end of 2006, we find that the overall effect of a data breach on shareholder wealth is negative and statistically significant. Based on a cross-sectional analysis of the cumulative abnormal returns, we find a negative association between market reaction and firms that are less forthcoming about the details of the breach. We also find that firms with higher market-to-book ratios experience greater negative abnormal returns associated with a data breach. Further, we find that firm size and subsidiary status mitigate the negative effect of a data breach on the firm's stock price and that the negative market reaction to a data breach is more significant in the most recent time periods of the sample.     

The relationship between a firm’s information environment and its cash holding decision

This study directly investigates the relationship between the firm’s information environment and its cash holding decision using two separate country-level events as proxies for a general improvement of the information environment: the initial enforcement of new insider trading laws and the mandatory adoption of International Financial Reporting Standards. Analysing a large international sample, we find that firms reduce their cash holdings after both exogenous information shocks. We also find that the reductions are greater for firms facing greater financing constraints and agency issues, and for those for which the informational shocks are stronger. Further analyses reveal a reduction in firms’ average cash savings rate, an increase in performance, an increase in the use of external debt, a decrease in abnormal investment, and an increase in the value of cash holdings. Taken together, our results suggest that an improvement in the information environment mitigates both the adverse selection and moral hazard problems thereby, leading to a reduction in cash reserves held for transaction and precautionary motives, and the likelihood of entrenched managers building large cash balances for private benefit.     

Managerial conservatism and corporate policies

This paper investigates how conservative managers make corporate decisions. Motivated by psychology research, we use handwritten signatures (i.e., emotionally restraint disclosure styles) as a proxy for CEO conservatism. We find that firms with conservative CEOs engage more with safer investments (capital expenditures), engage less with risky policies (Research & Development expenses and debt financing), hold more cash, are less likely to pay cash dividends, and more likely to use stock repurchase schemes. We use the same proxy for CFO conservatism. We find that CFO conservatism is a better determinant than CEO conservatism for cash holding and financing policies, but the reverse is true for investment policies. Conservative CFOs prefer long-term debt to short-term debt.     

Voluntary versus mandatory disclosure of liability insurance coverage limit

This article analyzes the disclosure of the liability insurance coverage limit and the impact of mandating disclosure of the coverage limit in a setting where voluntary disclosure of a firm’s cash flow information is subject to litigation risk and the firm has directors’ and officers’ (D&O) liability insurance. Disclosure of cash flow information is costly, but disclosure of the insurance coverage limit features no direct disclosure friction. We find that, when the litigation environment is weak, the usual unraveling argument applies, and the manager always voluntarily discloses the coverage limit in equilibrium. However, when the litigation environment is strong, either no coverage limit is disclosed or only sufficiently high coverage limits are disclosed in equilibrium. Further analysis shows that mandatory disclosure of the coverage limit increases the voluntary disclosure of cash flow information.     

Voluntary disclosure of financial information by French firms: Does the introduction of IFRS matter?

This paper addresses the relationship between mandatory and voluntary information. The introduction of IFRS in 2005 modified mandatory information requirements and influenced the content and level of the discretionary information disclosed by firms. This background allows us to test whether the complementary or substitution hypothesis dominates. A French firm data panel is used to empirically analyze the consequence of IFRS introduction. Referring to the 2003–2008 period gives a long-term perspective and allows us to identify discretionary communication policies by building a proprietary voluntary disclosure score. We find that voluntary disclosure policies experienced an upward swing with the introduction of IFRS, giving support to the complementary hypothesis. We also demonstrate a dynamic relationship between disclosure and the dispersion of analysts' earnings forecasts. The practical implication of the paper is to show that firms' discretionary communication policies follow both a long-term and a short-term component to meet analysts' demands for information. Our contribution is to refer to a long-term sample in one country where the environment and regulation context is homogenous. Our disclosure score index seems to be a good measure to outline that idiosyncratic communication policies are complex and strategic.     

Voluntary disclosure,mandatory disclosure and the cost of capital

We examine the association between a firm's cost of capital and its voluntary and mandatory disclosures. We include two types of mandatory disclosure: those that are a function of periodic reports that are realizations of ex‐ante reporting systems and those that arise due to specific corporate events. To capture a firm's voluntary and event‐driven mandatory disclosures, we use information the firm provides via 8K filings. To capture periodic mandatory disclosures, we use earnings quality measures derived from the literature. Consistent with endogenous relations predicted by theory, we find that voluntary disclosure and both types of mandatory disclosure are correlated, although only event‐driven mandatory disclosures are significant in models that explain voluntary disclosure. We also find that the cost of capital is generally influenced by each of these disclosure types. We also find that controlling for periodic mandatory disclosure does not affect the relationship between voluntary disclosure and the cost of capital, while controlling for event‐driven mandatory disclosure sometimes affects the relationship depending on the measures used. Our study suggests that a firm's disclosure environment includes the three types of disclosure examined, although the inclusion of mandatory disclosures does not affect the measured association between voluntary disclosure and the cost of capital.     

The consequences of deviating from financial reporting industry norms: Evidence from the disclosure of foreign cash

This study examines how investors respond to firms’ disclosure practices that deviate from the majority of industry peers (i.e., industry norms). The SEC has made repeated calls for the disclosure of foreign cash in order for investors to have more information in determining firms’ liquidity positions. We examine the association between firm value and the non-disclosure of foreign cash in industries where the majority of firms choose to disclose foreign cash. We define partial disclosure as disclosing permanently reinvested earnings (PRE), but withholding the disclosure of foreign cash, and find that when the majority of industry peers disclose foreign cash, investors discount the firm-specific partial disclosure of foreign operations. This finding suggests that investors have similar information demands as the SEC, and that withholding foreign cash results in a valuation discount. We also find that this discount is more pronounced for firms predicted to have higher levels of foreign cash and higher levels of PRE. The discount in firm value is also concentrated among firms with managers who have more career concerns, suggesting that managers shift the cost of partial disclosure to shareholders instead of bearing the personal reputational cost of full disclosure. Our results are robust to multiple matched samples and entropy balancing. While previous literature has considered the valuation implications of foreign cash disclosures, we reveal the consequences of opting to withhold the disclosure of foreign cash. Our findings should be of interest to both managers and policy-setters in forming their disclosure protocols.     

半强制股利政策与股权融资成本

在一些国家,强制股利支付是改善公司治理和弥补法律保护不足的重要手段,我国自2001年起陆续出台了类似的半强制股利系列政策。然而现有部分研究却发现,半强制股利政策可能会产生监管“悖论”。那么,事实是否如此？以往这些研究主要从监管成本角度来分析,可能忽视了监管带来的收益,我们认为虽然半强制股利政策提高了融资门槛,但也可能实现股东之间的利益共享,并有利于投资者形成稳定的股利预期,从而实现治理的“溢价”。本文利用2008年监管政策提供的良好自然实验机会,主要从半强制股利政策的治理效应角度来评估政策产生的经济后果。研究发现,从总体平均意义上看,半强制股利政策有助于降低受影响公司的股权融资成本。进一步研究发现,在代理成本高的公司,半强制股利政策的治理作用更为明显,存在一定的治理“溢价”。当然,半强制股利政策也存在一定的局限性,在公司的信息披露质量差和外部融资约束较大的公司,半强制股利政策的治理效应被削弱。     

How creditor rights affect the value of cash: A cross-country study

We examine how legal protection of creditors affects the value of cash across countries. We find that the marginal value of cash is considerably higher in countries with weak creditor rights. Creditor rights are at least as relevant as shareholder rights, which other studies have found to be an important factor affecting various corporate policies. In addition, we find that marginal investment is more valuable for firms in countries with weak creditor rights. This combines the findings of previous studies that weak creditor protection makes firms financially constrained and that cash is more valuable for financially constrained firms. Subsample analysis suggests that financial constraints generated by weak creditor rights create underinvestment among cash starved firms but alleviate agency conflicts among cash rich firms. Further analysis reveals that good country governance complements laws protecting creditors in cash valuation.     

The impact of CIO characteristics on data breaches

The exponential rate of increase in IT security breach incidents has led governments, regulators, and practitioners to respond by introducing standards and frameworks for the disclosure and management of organizational cybersecurity risk exposure. Cybersecurity, which is a part of IT risk management, is affected by the capability and the ability of senior leadership responsible for IT-related decisions. This paper uses hand-collected data related to the Chief Information Officer (CIO) for S&P 500 firms and explores whether the presence of a CIO role, human capital characteristics of the CIO, and structural capital characteristics of the firm and the CIO are related to a firm’s cybersecurity risk exposure. This study finds that firms disclosing the presence of a CIO are more likely to be breached, even after matching on the likelihood of a breach and controlling for the likelihood that a firm would choose to disclose a CIO. This study also finds predictable variations in the likelihood of a breach among CIOs based on various human capital dimensions (including past technology experience, external board memberships, firm tenure, and CIO tenure) and structural capital dimensions (including a recognized commitment to IT and charging the CIO with multiple responsibilities). Finally, this study finds evidence that the observed associations depend on both the source of the breach (external vs. internal) as well as the type of data compromised by the breach (e.g. financial, personal, etc.). The results of this study contribute to the growing body of academic breach literature, while also informing practitioners as they evaluate the costs and benefits of various methods for combating breaches.     

The effects of mandatory ESG disclosure on price discovery efficiency around the world

We examine the effect of mandatory environmental, social and governance (ESG) disclosure on firms' price discovery efficiency around the world. Using data from 45 countries between 2000 and 2020 and a difference-in-differences method, we find that mandatory ESG disclosure increases firm-level stock price non-synchronicity and timeliness of price discovery, suggesting more firm-specific information is incorporated into stock prices in a more timely manner. Mandatory ESG disclosure improves price discovery efficiency more in countries with strong demands for ESG information and in firms with poor disclosure incentives. Mandatory ESG disclosure also leads to other real market changes, such as lower stock returns, greater changes in institutional ownership and higher firm valuation.     

Does financial reporting regulation influence the value of cash holdings?

We investigate how the value of cash holdings changes following the mandatory adoption of International Financial Reporting Standards (IFRS), which is viewed as an exogenous shock to information asymmetry between firms and outside investors. Using firm-level data from 47 countries, we find that mandatory IFRS adoption has a negative and significant impact on the value of cash holdings. This result suggests that investors reduce their valuation of cash holdings when firms can have access to external financing at a lower cost under IFRS. The negative effect of IFRS is concentrated among financially constrained firms. Furthermore, we show that the effect is more pronounced in countries with strong legal enforcement. Overall, our evidence highlights that financial reporting regulation can have a significant effect on how outside investors value corporate cash holdings across countries.     

The Impact of Mandated Cash Flow Disclosure on Bid‐Ask Spreads

Abstract:   This study provides evidence that mandatory cash flow disclosure required by Approved Australian Accounting Standard AASB 1026, Statement of Cash Flows (June 1992) was associated with a decline in bid‐ask spreads following the introduction of the regulation, even after controlling for changes in trading volume and price volatility. More pronounced decreases in bid‐ask spreads were associated with firms having lower correlations between reported CFO and estimates of CFO using balance sheet reconstructions. We conclude that mandatory cash flow disclosure reduces information asymmetry across market participants.     

The Effect of Managerial Litigation Risk on Earnings Warnings: Evidence from a Natural Experiment

We examine the causal effect of managerial litigation risk on managers’ disclosure of earnings warnings in the face of large earnings shortfalls. Exploring the staggered adoption of universal demand (UD) laws as an exogenous decrease in litigation risk, we find that the adoption leads to a decrease in managers’ issuance of earnings warnings, especially among firms facing a higher litigation risk prior to the adoption. In contrast, we find no change in managers’ tendency to alert investors of impending large positive earnings surprises. Collectively, our results provide causal evidence that higher litigation risk incentivizes managers to issue more earnings warnings. Our results differ from Bourveau et al.’s finding of an increase in the frequency of management earnings forecasts after the adoption of UD laws. We reconcile our findings with theirs by demonstrating that the effect of adopting UD laws on management earnings forecasts depends critically on forecast horizon: The adoption increases long-horizon forecasts, but decreases short-horizon forecasts.