Are External Auditors Concerned about Cyber Incidents?
Evidence from Audit Fees
ABSTRACT
Firms and regulators alike have recognized the importance of addressing cyber risks
and cyber incidents. In this paper, we investigate whether external auditors respond to
cyber incidents by charging higher audit fees and whether they price material cyber risk
before the actual event happens when there is no explicit requirement from the regulators.
Based on the analysis of 140 cybersecurity breached firms and 29,627 non-breached firms,
we find a significant positive relationship between increases in audit fees and cyber
incidents. Increases in audit fees are smaller for those with prior cyber risk disclosure,
implying that auditors price material cyber risk prior to the cyber-attacks. In addition, we
demonstrate that firms with repeated cyber incidents or cyber incidents that involve
intellectual property experience larger increases in audit fees. However, auditors’
concern over cyber incidents is mitigated by monitoring from large and sophisticated
external stakeholders. Collectively, evidence in this paper suggests that auditors both price
material cyber risk ex-ante and respond to cyber incidents ex-post, alleviating regulators’
concern that auditors are not taking cybersecurity seriously.
Keywords: Cyber incident, Hacking, Cyber risk disclosure, Audit fees
I. INTRODUCTION
Cybersecurity issues have attracted much attention in recent years, especially after
several high-profile cybercrimes such as the data breach at Target Corporation¹ and the
hacking attack at Sony Pictures Entertainment². PricewaterhouseCoopers (2016) reports
that the average number of detected cyber incidents increased 38 percent and the theft of
“hard” intellectual property increased 56 percent in 2015 compared with 2014. To respond
to the increasing cybersecurity threats, the Securities and Exchange Commission (SEC)
held a roundtable discussion regarding cybersecurity and related issues, challenges it raises
for market participants and public firms, and how to address those issues and challenges
(SEC, 2014). Also, the Standing Advisory Group of the Public Company Accounting
Oversight Board (PCAOB) assembled a panel discussion on cybersecurity issues and
potential implications for financial reporting and auditing (PCAOB, 2014).
While there is still no formal disclosure requirement by the SEC or PCAOB
regarding cybersecurity, the issuance of Guidance on Disclosing Cybersecurity Risks by
the SEC’s Division of Corporation Finance demonstrates that regulators are concerned
about the impact of cybersecurity on firms and investors (SEC, 2011). The speech by the
SEC commissioner, Luis Aguilar, at the New York Stock Exchange reveals such concern:
“… the impact of cyberattacks may extend far beyond the direct costs associated with the
immediate response to an attack. Beyond the unacceptable damage to consumers, these
secondary effects include reputational harm that significantly affects a company’s bottom
line” (Aguilar 2014).
¹ In late 2013, hackers gained access to millions of people’s credit card data and personal information by exploiting vulnerabilities in Target’s Point of Sale (POS) systems. See http://www.wsj.com/articles/SB10001424052702303754404579312232546392464.
² On November 24, 2014, a hacker group released confidential data from Sony Pictures Entertainment that included personal information about employees and their families, e-mails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, and other information. See https://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack.
Abundant literature demonstrates the negative impact of cyber incidents on
breached firms’ stock prices and various contingency factors that may mitigate or deepen
the market reaction (Campbell, Gordon, Loeb, and Zhou 2003, Gatzlaff and McCullough
2010, Yayla and Hu 2011, Gordon, Loeb, and Zhou 2011, Cavusoglu, Mishra, and
Raghunathan 2004, Goel and Shawky 2009, Hinz, Nofer, Schiereck, and Trillig 2015,
Ettredge and Richardson 2003). Prior studies also show the role of board members, top
executives, and internal auditors in addressing cyber risks and cyber incidents (Zafar, Ko,
and Osei-Bryson 2015, Higgs, Pinsker, Smith, and Young 2014, Kwon, Ulmer, and Wang
2013, Steinbart, Raschke, Gal, and Dilla 2013, Steinbart, Raschke, Gal, and Dilla 2016).
Academic research, however, remains silent on whether external auditors respond
to cybersecurity incidents experienced by their clients, and whether they consider cyber
risks prior to the materialization of the risk. This gap is surprising given the increased
attention from regulators on cybersecurity. In 2014, the Center for Audit Quality (CAQ)
issued an alert regarding cybersecurity to summarize the responsibilities of independent
external auditors with respect to cybersecurity matters (CAQ, 2014). For example, it
suggests that the auditor should be responsible for evaluating the firm’s accounting for
cybersecurity-related losses, for assessing the impact on the firm’s financial statements and
disclosures, and for examining the firm’s controls related to timely recording and
disclosing the necessary information in the financial statements. Recent staff inspection
reports also indicate that the inspections staff of PCAOB is examining how engagement
teams evaluate the risks of material misstatement and related controls associated with
cybersecurity and will continue to monitor auditors’ practices regarding cybersecurity
(PCAOB, 2015, PCAOB, 2016). Furthermore, the SEC has issued comment letters to
encourage and request more disclosures on cyber incidents and has recently engaged in
multiple active enforcement investigations involving data breach events concerning two
aspects: disclosures and controls (Schubert, Cedarbaum, and Schloss 2015). Some have
argued that the SEC’s disclosure guidance on cybersecurity will become a
requirement and could be interpreted as an expansion of the scope of the integrated audit
of internal control over financial reporting and the financial statements (Grant and Grant
2014).
However, counter arguments point out that despite regulators’ concern about
cybersecurity risks, there is no mandatory regulatory requirement for auditors to address
cybersecurity risks. In the absence of such requirements, auditors would be averse to
addressing cybersecurity risks beyond those affecting financial statements as doing so
could needlessly expose them to liability and costs that would be difficult to recover. Also,
the negative effect of cyber incidents on financial statements taken as a whole is sometimes
quantitatively immaterial. For example, in the well-known Home Depot breach incident,
the pretax net expense relating to the cyber incident was $119 million for the first three
quarters of 2015, which is less than 1 percent of earnings before taxes.³ Accordingly, it
would be rather hard for auditors to justify additional audit work, and thus increase audit
fees to recover costs incurred due to investigating cyber incidents. It is also possible that
auditors may not have the expertise to investigate cyber incidents. Moreover, some believe
that all firms operating in cyberspace will suffer a security event or breach at some point
in time,⁴ and that investors anticipate and price-protect themselves against such risks,
particularly if other firms that they monitor or pay attention to have experienced a cyber
incident (Ettredge and Richardson 2003). In addition, prior studies argue that there is a
decline in market reaction following cyber incidents (Gordon, Loeb, and Zhou 2011). To
sum up, it is an empirical question whether external auditors respond to cyber incidents in
practice by noticeably extending their audit procedures and charging and successfully
collecting higher fees for doing so.
³ See http://www.auditanalytics.com/blog/when-is-a-cybersecurity-incident-material/. That said, it is important to recognize that cyber incidents can result in consequences such as reputational damage, loss of intellectual property, disruption of key business operations, fines and penalties assessed by governments, litigation and remediation costs, and exclusion from strategic markets that could be qualitatively material (AICPA, 2016).
The main objective of this study is to investigate whether external auditors respond
to cyber incidents by expanding their audit effort, resulting in higher audit fees, and
whether external auditors are pricing material cyber risks even before the actual adverse
event happens. Using a change model specification, we find a significant positive
relationship between increases in audit fees and cyber incidents. Furthermore, using firms’
cyber risk disclosure as the proxy for ex-ante material cyber risk, we show that following
cyber incidents, increases in audit fees are smaller for those with prior cyber risk disclosure,
implying that auditors price material cyber risk prior to the cyber-attacks and thus are
responding less severely (are less surprised) when the actual event happens. In addition,
we demonstrate that compared with firms that experience a cyber incident for the first time,
firms with repeated cyber incidents are punished more severely by auditors as reflected in
audit fees. Further, auditors increase audit fees most to respond to cyber incidents that
involve intellectual property, the type of cyber incident that threatens a firm’s core value.
Finally, we reveal that external monitoring, as measured by the percentage of institutional
holdings and number of block holders, can mitigate auditors’ concern over cyber incidents.
⁴ ASEC Cybersecurity Working Group Initiative; see http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPACybersecurityInitiative.aspx
Overall, the findings of this study provide several contributions to the existing
literature. First, we fill the gap in prior literature by establishing the association between
external audit activity and cyber incidents, suggesting that regulators’ concerns about
cybersecurity issues are shared by external auditors. As regulators keep emphasizing that
the impact of cyber incidents may go beyond the initial costs addressing the issues and can
have further implications for financial reporting, our evidence that auditors are expanding
their procedures following the incident provides some relief to the regulators and investors
as auditors provide additional assurance for the quality of financial statements and internal
controls.
Second, the finding that auditors are taking material cyber risks into consideration
before the actual cyber event happens indicates that they are proactively considering
operational risks. Lawrence, Minutti-Meza, and Vyas (2016) point out that operational
control risks can be indicative of financial control risks and urge stakeholders to consider
operational control risks. While we cannot address the question whether auditors price
material cyber risks to cover additional work or just price-protect themselves against the risks,
the fact that they are taking material cyber risks into consideration is consistent with the
emphases on operational risks.
Third, our results suggest that auditors are not simply reacting to cyber incidents
due to public pressure. Instead, they are most concerned about cyber incidents involving
intellectual property, a type of incident that has the least public exposure compared
with hacking of customer personal information and credit card data. The evidence indicates that
auditors are, at least in part, rational in evaluating cyber incidents, rather than just
protecting themselves from public criticism.
Fourth, we extend research in the IT domain, particularly research on the
consequences of cyber incidents. Prior research exclusively focuses on market reaction and
firm performance after cyber incidents. We empirically show another consequence:
increased audit fees. The finding should alert both practitioners and researchers that the
impact of cyber incidents could be far more than anticipated and could concern various
types of stakeholders.
Finally, we contribute to the audit fees literature by showing an additional factor
that is valued by external auditors when setting audit fees. The magnitude of impact is
larger than the impact of merger activities and more than half of the impact of material
weakness in internal controls on audit fees, providing economic significance. The finding
in this paper suggests that future audit fee models may need to consider operational risk,
which is overlooked in prior audit literature.
From a practical point of view, this study provides evidence that may potentially
alleviate regulators’ concerns about the aftermath of cyber incidents by suggesting that
external auditors address such incidents even in the absence of regulatory requirements to
do so. We argue that regulators should carefully consider the status quo before introducing
potential legislative rules for auditors on cybersecurity, as it appears in our study that
auditors are reacting rationally based on the nature of the cyber incidents.
The remainder of this paper proceeds as follows. The next section presents research
background and introduces hypotheses. The third section addresses research design and
sample selection procedure. The fourth section discusses results and describes additional
tests. The last section concludes this paper.
II. BACKGROUND AND HYPOTHESIS DEVELOPMENT
Cybersecurity
Cybersecurity and information security are often used interchangeably.⁵ The
Cybersecurity Working Group of the AICPA Assurance Services Executive Committee
defines cybersecurity as “the process of implementing and operating controls and other risk
management activities to protect information and systems from security events that could
compromise them and, when security events are not prevented, to detect, respond to,
mitigate against, and recover from those events in a timely manner.” The committee further
defines cybersecurity compromise as “a loss of confidentiality, integrity, or availability of
information, including any resultant impairment of (1) processing integrity or availability
of systems or (2) the integrity or availability of system inputs or outputs, which have a
negative effect on the achievement of the entity’s business objectives and commitments
(including cybersecurity commitments), as well as the laws and regulations related to
cybersecurity risks and the cybersecurity program.” The underlying premise is that “all
firms that operate in cyberspace will suffer a security event or breach at some point in
time.” The assumption is supported by Ransbotham and Mitra (2009), who provide
empirical evidence that all systems are potential victims of cyber-attacks. Firms not
intrinsically attractive to attackers are not immune from attacks. For this study, we define
cyber incidents as “cyber-attacks that are initiated by hackers to steal or destroy sensitive
information in the cyber realm.” Therefore, we are not interested in data breaches that are
not related to cybersecurity, such as a stolen laptop.
⁵ Cybersecurity and information security are different in the sense that cybersecurity pertains to security risks related to cyberattacks while information security considers security of information and information systems regardless of the realm.
Although cybersecurity issues have been examined by multiple disciplines, there
are two dominant streams of research. The first one is cybersecurity governance.
Cybersecurity was traditionally viewed as purely a technical issue that should be handled
by the IT department. Both practitioners and researchers have recently realized that
cybersecurity should be considered from a managerial perspective and addressed at the
highest level of the firm (Von Solms 2005, ISACA 2006, PricewaterhouseCoopers 2016,
Soomro, Shah, and Ahmed 2016).⁶ It has been shown that management has a critical role
in encouraging cybersecurity policy compliance (Bulgurcu, Cavusoglu, and Benbasat 2010,
Ifinedo 2014, Hu, Dinev, Hart, and Cooke 2012). More recent literature focuses on specific
roles. For instance, Kwon, Ulmer, and Wang (2013) find that putting IT executives in the
top management team is negatively associated with the possibility of future cyber incidents,
while Zafar, Ko, and Osei-Bryson (2015) report that firms that have the CIO (or other top
IT executive) in the top management team can recover damages or losses from cyber
incidents quicker than the firms that do not. Because effective governance requires both
monitoring and audit of performance, the internal audit function is also examined in
relation to cybersecurity. Ideally, the feedback provided by internal audit can be used to
improve the overall effectiveness of the firm’s information security (Steinbart, Raschke,
Gal, and Dilla 2012). By conducting a series of semi-structured interviews with both
internal auditors and information systems professionals, Steinbart et al. (2012) propose that
internal auditors’ IT knowledge, communication skill, and attitude, as well as top
management support, can influence the cooperation between internal audit and the
information security function. Further studies by Steinbart et al. (2013) and Steinbart et al.
(2016) substantiate the claims that a better relationship between the two functions is
associated with fewer information security-related internal control weaknesses being
reported to the board, more attacks stopped before they cause harm, and more attacks
detected after they cause harm.
⁶ A recent Senate bill under review suggests that board members should have mandatory cybersecurity education. See http://www.dandodiary.com/2016/01/articles/cyber-liability/senate-bill-would-requiredisclosure-concerning-corporate-boards-cybersecurity-expertise/.
The second research stream concentrates on the consequences of cybersecurity
breaches and cybersecurity related events. Overall, there is plenty of evidence that
breached firms experience a negative market reaction (Campbell et al. 2003, Gatzlaff and
McCullough 2010, Hinz et al. 2015, Goel and Shawky 2009), but there is no consensus on
which types of breaches (confidentiality, availability, and integrity) drive the decline
in market value (Goldstein, Chernobai, and Benaroch 2011, Benaroch, Chernobai, and
Goldstein 2012, Gordon, Loeb, and Zhou 2011). Furthermore, several studies report an
array of contingency factors that influence the market response, including firm size,
industries, and announcement texts (Das, Mukhopadhyay, and Anand 2012, Yayla and Hu
2011, Acquisti, Friedman, and Telang 2006, Wang, Ulmer, and Kannan 2013). In addition
to the decline in market value, prior research finds that breaches caused by cyber-attacks
are much more likely than breaches caused by lost or stolen hardware to be settled
(Romanosky, Hoffman, and Acquisti 2014), and that customers’ overall satisfaction and
revisit intentions are negatively affected by cybersecurity breaches (Berezina, Cobanoglu,
Miller, and Kwansa 2012). While cyber incidents are shown to be negative, previous
literature also documents that information security investment (Chai, Kim, and Rao 2011)
and voluntary disclosure of information regarding cybersecurity (Wang, Kannan, and
Ulmer 2013, Gordon, Loeb, and Sohail 2010) can generate positive market response. We
extend this stream of literature to demonstrate that cyber incidents could also increase audit
risks that are reflected in audit fees.
Cybersecurity and Audit Fees
We make two plausible arguments about why external auditors should be concerned
about cyber incidents: Internal Control over Financial Reporting (ICFR) and material
misstatement.
Internal Control over Financial Reporting (ICFR)
ICFR is “a process designed by, or under the supervision of, the firm’s principal
executive and principal financial officers, or persons performing similar functions, and
effected by the firm’s board of directors, management, and other personnel, to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally accepted
accounting principles” (PCAOB, 2004). ICFR also includes procedures and policies related
to maintaining accounting records, documenting transactions, authorizing receipts and
expenditures, and safeguarding assets (Hogan and Wilkins 2008). Sarbanes-Oxley Act
(SOX) section 404 requires management to assess and report on the effectiveness of their
firms’ ICFR. It also requires external auditors to attest and report on the assessments made
by client management. Hence, external auditors are legally responsible for detecting
deficiencies in firms’ ICFR. Prior research documents that external auditors charge higher
fees for clients with deficiencies in ICFR (Hoitash, Hoitash, and Bedard 2008), and the fee
premium persists several years after the deficiencies are fixed (Hoag and Hollingsworth
2011, Munsif, Raghunandan, Rama, and Singhvi 2011).
In the event of a cyber incident, external auditors are expected to consider its
implications for ICFR. If the attack is directly on a firm’s accounting systems, the incident
could involve, or could suggest the risk of, manipulation of the firm’s books and records,
which could affect financial statements (PCAOB, 2014). Prior research posits that the
negative market response following a cyber incident announcement is because such an
event signals the presence of internal control material weaknesses (Benaroch, Chernobai,
and Goldstein 2012). Likewise, the PCAOB’s staff inspection briefs indicate that
inspection staff are “reviewing how engagement teams evaluate the risks of material
misstatement associated with cyber-security and the related controls in the integrated audit”
(PCAOB, 2015) and cautioning external auditors to consider the implications for ICFR if
cybersecurity incidents have occurred during the audit period (PCAOB, 2016). The SEC
is also pursuing firms based on perceived shortcomings of their ICFR after cyber incidents
to the extent that unauthorized persons are able to access, steal, or destroy material assets
in their information systems (Association of Corporate Counsel 2016).
Even if cyber-attacks have no direct impact on a firm’s accounting systems,
external auditors may still need to exert additional efforts. Cyber-attacks on perimeter or
internal network layers may indicate weaknesses in general IT controls, which could
suggest risks in ICFR. A prior study observes a positive association between data breaches
and material weakness in ICFR, suggesting that vulnerabilities in any of the systems and
procedures could affect both operating and financial reporting activities (Lawrence,
Minutti-Meza, and Vyas 2016). For instance, a report by Verizon (2016) demonstrates that
older vulnerabilities are highly targeted and many breaches are permitted by known bugs
or vulnerabilities. If a firm fails to remediate vulnerabilities in one particular area that
eventually leads to a cyber incident, it is unlikely that the firm will be proactive in
preventing vulnerabilities in other systems.⁷ In the Target data breach case, a Senate report
notes that the attackers who infiltrated Target’s network with a vendor’s credentials seemed
to succeed in moving from less sensitive areas of Target’s network to areas storing
consumer data, suggesting that the firm failed to isolate its most sensitive network assets.
As it appears that the attackers succeeded in moving through various key Target systems
(United States Senate 2013), legitimate concerns should be raised that attackers may be
capable of exploring corporate networks in depth and attacking different layers of systems
including Enterprise Resource Planning (ERP) systems and general ledger.
Given that the central functionalities of a firm’s accounting information systems and the
wealth of data stored on those systems are likely to be of great interest to cybercriminals,
external auditors should consider the potential risks that come from cybersecurity threats
(Debreceny 2014). A similar concern is also raised by CAQ (2014), which states that,
although professional standards are not likely to include areas or controls that address cyber
incidents, auditors need to consider their implications for ICFR. Since external auditors
respond to higher levels of control risk by charging higher audit fees (Hogan and
Wilkins 2008, Hoitash, Hoitash, and Bedard 2008, Hoag and Hollingsworth 2011), we
expect external auditors to charge higher fees after a cyber incident and expand their
security-related ICFR audit procedures.
⁷ According to Data Breach Litigation Report (2016), negligence is the most widely used legal theory against breached firms.
Material Misstatement
Cyber incidents may also be associated with the risks of material misstatement. The
occurrence of cyber incidents could increase client business risk, which refers to “the risk
that the client’s economic condition will deteriorate in either the short term or long term”
(Johnstone 2000). Prior studies indicate that external auditors evaluate client business risk
when determining whether to accept a new client (Khalil and Mazboudi 2016), and are less
likely to accept a client’s proposed accounting practice if client business risk is high (Chang
and Hwang 2003). A recent analysis reveals that following a cyber incident, firms, on
average, experience more than 3.3 percent abnormal churn of existing customers, which is
defined as a greater than expected loss of customers in the normal course of business
(Ponemon Institute 2016).⁸ This is consistent with a behavioral study by Berezina et al.
(2012) that shows participants’ overall satisfaction, revisit intentions, and likelihood of
recommending a hotel to others were negatively affected by a cyber breach. The Ponemon
study also indicates that indirect costs associated with cyber incidents (primarily lost
business) are much larger than (almost twice) the direct costs such as costs to resolve the
data, investments in technologies, or legal fees. Therefore, although the direct costs of
a cyber incident may not be material, the resulting indirect costs could be material enough to
provide management incentives to bias the report.⁹ As a client’s business risk is an important
determinant of whether financial statements contain material misstatements (AICPA,
1997), external auditors may conduct more costly audit procedures to achieve an acceptable
level of audit risk and may charge a fee premium if the additional effort is not sufficient to
cover residual costs under heightened client business risk (Stanley 2011).
⁸ The report has controlled for outliers by considering only breaches that affect fewer than 100,000 records.
⁹ The bias could be either downward or upward. For example, management could also use a cybersecurity breach to explain bad firm performance and take a big bath.
In addition, cyber-attacks may have an indirect effect on financial statements by
requiring the future recognition of asset impairments and loss contingencies, and may push
a firm to reconsider projections. In auditing accounting estimates, external auditors
normally should consider the firm’s historical experience in making past estimates as well
as their experience of other firms in the same industry. However, changes in facts,
circumstances, or a firm’s procedures may cause the firm and auditors to take into account
different factors that were not considered in the past, but become significant to the
accounting estimate (AU sec. 342). When planning and performing procedures to evaluate
the reasonableness of the firm’s accounting estimates, the auditors should consider, with
an attitude of professional skepticism, subjective and objective factors included in the
estimate. If a cyber incident happens, the auditors may need to collect additional evidence
regarding whether there would be a significant change in circumstances. For example,
external auditors need to examine whether there is a substantial increase in returns that
would affect the sales returns estimate, which could influence accounting numbers on
financial statements materially. Another example is the impact on estimated goodwill
impairment if expected future cash flows for a cash generating unit are affected by a cyber
incident. This is consistent with the SEC’s Disclosure Guidance, which recommends that
subsequent to a security incident firms should reassess the assumptions that underlie the
estimates made in preparing the financial statements and must explain any risk or
uncertainty of a reasonably possible change in its estimates in the near-term that would be
material to the financial statements (SEC, 2011). According to the guidance, cyber
incidents may result in diminished future cash flows, thereby requiring consideration of
impairment of certain assets including goodwill, customer related intangible assets,
trademarks, patents, capitalized software or other long-lived assets associated with
hardware or software, and inventory.
In the event of a cyber incident, external auditors should also assess the risk of
material misstatement that comes from the evaluation of the firm’s accounting for known
cybersecurity-related losses that include contingent liabilities and claims (CAQ, 2014). An
estimated loss from a loss contingency would be accrued by a charge to income if both of
the following conditions are met: information available prior to issuance of the financial
statements indicates that it is probable that an asset had been impaired or a liability had
been incurred at the date of the financial statements, and the amount of loss can be
reasonably estimated (FASB, 1975). In addition, the auditors should obtain evidential
matter relevant to (1) the existence of a condition, situation, or set of circumstances
indicating an uncertainty as to the possible loss to an entity arising from litigation, claims,
and assessments, (2) the period in which the underlying cause for legal action occurred, (3)
the degree of probability of an unfavorable outcome, and (4) the amount or range of
potential loss (AU sec. 337). Specific to cybersecurity, approximately 5 percent of publicly
reported data breaches led to class action litigation, and the conversion rate has remained
relatively consistent over the years (Bryan Cave 2016). If a firm had a material contingent
liability for an actual cyber incident, in addition to performing audit procedures related to
the reasonableness of the liability recorded, the auditor would also assess whether the
disclosures in footnotes related to such liability are appropriate as they relate to the
financial statements taken as a whole (CAQ, 2014). Because facts and impacts about cyber
incidents may not be fully revealed until further investigation, auditors may need to exert
additional effort to reduce the uncertainty of contingencies and claims.
Taken together, the above discussion suggests that cyber incidents could be
associated with increased risk of material misstatement. Consistent with this argument,
Lawrence, Minutti-Meza, and Vyas (2016) find that firms with data breaches are 1.33 times
more likely to have an accounting restatement in subsequent years. It is arguable that in
some cases, the initial direct impact of cyber incidents on financial statements or the
immediate market reaction may not be material quantitatively, and thus should not attract
the auditor’s attention. However, at the time a cyber incident is announced, it is extremely
difficult, if not impossible, for stakeholders to assess its full implications (Kvochko and
Pant 2015). A full understanding of the potential implications of cyber incidents
would require extensive research and examination. In addition, the material indirect impact
of cyber incidents could manifest in the long term. Since external auditors do not know,
ex-ante, if the implications of such incidents are material until further investigation, we
argue that external auditors will increase professional skepticism with respect to firms’
cyber incidents even if the initial impacts may not directly influence financial statements
in a quantitatively material manner. 10 Therefore, this study introduces the following
hypothesis.
H1. Ceteris paribus, increases in audit fees are larger for firms that experienced
cyber incidents than firms that did not experience cyber incidents.
It should be noted that it is unlikely for external auditors to simply take advantage
of cyber incidents as grounds to charge higher fees or recover fees for their efforts that
they did not charge in previous engagements, because they need to provide rational
justification for an audit fee increase. Since most firms experiencing cyber incidents are large
in terms of firm size, they have greater bargaining power and can therefore reduce auditors’
opportunistic activities.
Footnote 10: See footnote 3.
Our next hypothesis concentrates on the association between audit fees and ex-ante
cyber risk. While the above discussion argues that auditors will increase audit fees after the
occurrence of cyber incidents as a responding strategy, it remains unexamined whether
external auditors price material cyber risks before the actual incident happens. The
expanded audit fees model in Houston, Peters, and Pratt (2005) suggests that audit fees will
reflect costs that arise from nonlitigation risk such as customer loss of the client firm.
Similarly, Stanley (2011) finds that external auditors price any expected cost arising from
potential losses such as future litigation or reputational damage. As cyber risk has
implications for a firm’s future performance, customer relationships, and control environment,
we would expect that external auditors incorporate material cyber risk into audit fees even
before the actual risk event happens.
It is not trivial to determine when ex-ante cyber risk becomes material, as
auditors are not required to audit and attest on a firm’s cybersecurity. To address this issue,
we use a firm’s cybersecurity-related risk factor disclosure as the proxy for material cyber
risk. Because cyber risk disclosure is negative information and is not mandatory, firms may
have incentives to withhold the disclosure due to concerns over increased cost of capital or
damaged future career (Kothari, Li, and Short 2009, Kothari, Shu, and Wysocki 2009).
However, litigation cost could be high enough to motivate risk disclosures (Skinner 1994).
Managers could be sued or face legal liability if they fail to disclose a material risk
(Campbell, Chen, Dhaliwal, Lu, and Steele 2014). Consistent with this view, prior studies
have shown that firms are not making boilerplate risk factor disclosures (Campbell et al.
2014, Kravet and Muslu 2013, Hope, Hu, and Lu 2016, Gaulin 2017, Filzen 2015).
Therefore, we expect that firms are likely to make cyber risk disclosure when cyber risk is
material. Since risk disclosure in the 10-K (i.e., Item 1A - Risk Factors) is audited by external
auditors, it is natural that the auditors should be aware of material cyber risk. Considering
that material cyber risk may have an impact on a firm’s performance and controls and
eventually could influence accounting numbers on financial statements materially, auditors
may take material cyber risk into account when they determine audit fees. If auditors
incorporate material cyber risk before a cyber incident happens, we would expect that
external auditors respond to the cyber incident less severely (a smaller increase in audit fees)
when there is prior disclosure of cyber risk by the firm. On the other hand, if auditors do
not price cyber risk prior to a cyber incident, the reaction to the cyber incident should be
unconditional on the firm’s prior cyber risk disclosure. This leads to the following hypothesis.
H2. Ceteris paribus, increases in audit fees should be smaller for cybersecurity
breached firms with prior cyber risk disclosure than for cybersecurity breached
firms without prior cyber risk disclosure.
Note that while we assume that firms that have cyber risk disclosures are facing
material cyber risk, the opposite may not be true. It is still possible that firms withhold
disclosure regarding cybersecurity even if they have material cyber risk. However, this is
not a significant concern for our test as it will only bias against us finding any significant
results if auditors are incorporating material cyber risk that firms did not disclose.
III. RESEARCH DESIGN AND SAMPLE SELECTION
Estimation Model
To mitigate the concern of endogeneity, we use a change specification to examine
the association between cyber incidents and audit fees. We choose the audit fee change model
over a two-stage model because Lennox, Francis, and Wang (2011) indicate that the two-stage
model is fragile and can generate almost any possible outcome by making minor changes
in model specification. We do not use propensity score matching because it can only
control for endogeneity that arises from observable rather than unobservable factors
(Shipman, Swanquist, and Whited 2017, Lennox, Francis, and Wang 2011), which could
be a significant problem in our research context given the fact that there is no well-specified
model to evaluate the determinants of experiencing cyber incidents. Because the audit fee
change model can eliminate endogeneity caused by unobservable factors under the assumption
that these factors are time-invariant, it has been commonly used in recent audit fee literature
(Stanley 2011, Hardies, Breesch, and Branson 2015, Desir, Casterella, and Kokina 2013,
Khalil and Mazboudi 2016).
We estimate the change form of a traditional audit fees model that is adapted from
prior studies (Stanley 2011, Doogar, Sivadasan, and Solomon 2015, Elliott, Ghosh, and
Peltier 2013, Huang, Raghunandan, and Rama 2009).
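$$
\begin{aligned}
\Delta\text{logAUDIT}_{it} ={}& \Delta\text{Cyber-Incident}_{it} + \Delta\text{LNassets}_{it} + \Delta\text{InvRec}_{it} + \Delta\text{Segments}_{it} + \Delta\text{Foreign}_{it} \\
&+ \Delta\text{Merger}_{it} + \Delta\text{Special}_{it} + \Delta\text{Loss}_{it} + \Delta\text{Growth}_{it} + \Delta\text{Btm}_{it} + \Delta\text{Big4}_{it} \\
&+ \Delta\text{GCO}_{it} + \Delta\text{Initial}_{it} + \Delta\text{ROA}_{it} + \Delta\text{Leverage}_{it} + \Delta\text{Quick}_{it} + \Delta\text{ICW}_{it} \\
&+ \text{Residual}_{it-1} + \text{Year Indicators} + \text{Industry Indicators} + \varepsilon_{it}
\end{aligned}
\tag{1}
$$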
where ∆ represents the one-year change in the level of each variable, and $\text{Residual}_{it-1}$
represents the prior-period unexpected audit fees measured as the residual from yearly
estimations of the basic audit fees model (2) to control for the effect of mispricing and
mean reversion over time (Francis and Wang 2005, Stanley 2011, Mayhew 2005).
Appendix A contains a detailed description of variable definitions.
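$$
\begin{aligned}
\text{logAUDIT}_{it} ={}& \text{Cyber-Incident}_{it} + \text{LNassets}_{it} + \text{InvRec}_{it} + \text{Segments}_{it} + \text{Foreign}_{it} + \text{Merger}_{it} \\
&+ \text{Special}_{it} + \text{Loss}_{it} + \text{Growth}_{it} + \text{Btm}_{it} + \text{Big4}_{it} + \text{GCO}_{it} + \text{Initial}_{it} \\
&+ \text{ROA}_{it} + \text{Leverage}_{it} + \text{Quick}_{it} + \text{ICW}_{it} + \text{Busy}_{it} + \text{Year Indicators} \\
&+ \text{Industry Indicators} + \varepsilon_{it}
\end{aligned}
\tag{2}
$$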
The focus of this study is on the relationship between $\Delta\text{logAUDIT}_{it}$ and
$\Delta\text{Cyber-Incident}_{it}$. A positive coefficient on $\Delta\text{Cyber-Incident}_{it}$ will support our hypothesis
that external auditors increase audit fees in the fiscal year of a cyber incident. For control
variables, we expect a positive coefficient on $\Delta\text{LNassets}_{it}$, as firm size is the primary driver
of audit fees. $\Delta\text{InvRec}_{it}$, $\Delta\text{Segments}_{it}$, $\Delta\text{Foreign}_{it}$, $\Delta\text{Merger}_{it}$, and $\Delta\text{Special}_{it}$ are included to
control for the complexity of the audit and are anticipated to have positive coefficients. $\Delta\text{Big4}_{it}$ is
included and expected to be positive as it accounts for the fee premium. $\Delta\text{Loss}_{it}$, $\Delta\text{GCO}_{it}$,
$\Delta\text{Leverage}_{it}$, and $\Delta\text{ICW}_{it}$ control for higher audit fees charged to riskier firms. Coefficients
on $\Delta\text{Growth}_{it}$, $\Delta\text{Btm}_{it}$, $\Delta\text{ROA}_{it}$, and $\Delta\text{Quick}_{it}$ are anticipated to be negative because such
firms pose less risk to the audit. Finally, $\Delta\text{Initial}_{it}$ is added to control for the lower fees
due to lowballing in initial engagement.
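The two-step estimation described above (the levels model supplies the prior-year residual, then the change model is fitted), as an added Python example on constructed data; it is not the authors' code or data. The planted incident effect of 0.045, the single size control, the function names and all data-generating values are assumptions made for illustration, and the year t-1 levels model omits Cyber-Incident because no constructed firm has an incident in that year.

```python
import random

def ols(rows, y):
    """Least squares via the normal equations; returns [intercept, b1, b2, ...]."""
    X = [[1.0] + list(r) for r in rows]
    k = len(X[0])
    # Augmented system [X'X | X'y], solved by Gauss-Jordan with partial pivoting.
    A = [[sum(x[i] * x[j] for x in X) for j in range(k)]
         + [sum(x[i] * yi for x, yi in zip(X, y))] for i in range(k)]
    for col in range(k):
        piv = max(range(col, k), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        for r in range(k):
            if r != col:
                f = A[r][col] / A[col][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return [A[i][k] / A[i][i] for i in range(k)]

# Constructed data-generating values (assumptions, not estimates from the paper).
INCIDENT_EFFECT = 0.045   # planted change in log audit fees after an incident
SIZE_ELASTICITY = 0.50    # log fee per unit of LNassets
PERSISTENCE = 0.50        # share of year t-1 mispricing that survives into year t

def make_panel(n_firms=400, n_breached=40, seed=2015):
    """Two-year constructed panel: one dict per firm with year t-1 and year t values."""
    rng = random.Random(seed)
    firms = []
    for i in range(n_firms):
        breached = 1 if i < n_breached else 0   # incident in year t only
        size_prev = rng.uniform(4.0, 10.0)
        size_now = size_prev + rng.gauss(0.05, 0.10)
        # Breached firms are built to be under-priced at t-1, so mean reversion
        # alone would raise their fees even without an incident.
        mispricing = rng.gauss(-0.20 if breached else 0.0, 0.10)
        fee_prev = 9.0 + SIZE_ELASTICITY * size_prev + mispricing
        fee_now = (9.0 + SIZE_ELASTICITY * size_now + INCIDENT_EFFECT * breached
                   + PERSISTENCE * mispricing + rng.gauss(0.0, 0.01))
        firms.append({"incident_prev": 0, "incident_now": breached,
                      "size_prev": size_prev, "size_now": size_now,
                      "fee_prev": fee_prev, "fee_now": fee_now})
    return firms

def estimate_change_model(firms, with_lagged_residual=True):
    """Return the estimated coefficient on the change in Cyber-Incident."""
    # Step 1: levels model on year t-1 (size only); its residual is the
    # prior-period unexpected fee, i.e. Residual(t-1) in equation (1).
    a, b = ols([[f["size_prev"]] for f in firms], [f["fee_prev"] for f in firms])
    rows, y = [], []
    for f in firms:
        residual_prev = f["fee_prev"] - (a + b * f["size_prev"])
        row = [f["incident_now"] - f["incident_prev"],   # change in Cyber-Incident
               f["size_now"] - f["size_prev"]]           # change in LNassets
        if with_lagged_residual:
            row.append(residual_prev)
        rows.append(row)
        y.append(f["fee_now"] - f["fee_prev"])           # change in logAUDIT
    # Step 2: change model; index 0 is the intercept, index 1 the incident term.
    return ols(rows, y)[1]

if __name__ == "__main__":
    panel = make_panel()
    print("with lagged residual:   ", round(estimate_change_model(panel, True), 3))
    print("without lagged residual:", round(estimate_change_model(panel, False), 3))
```

In this constructed panel the estimate without the lagged residual absorbs the mean reversion of under-priced breached firms and overstates the incident effect, which is the mispricing effect the residual term is included to control for.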
To examine the second hypothesis, we create an indicator variable Disclosure that
takes the value of 1 if a firm has prior-year cyber risk disclosure in the risk factor disclosure
section (i.e., Item 1A in 10-K), 0 otherwise. Cyber risk disclosure is identified by
searching keywords that are developed based on prior research (Gordon, Loeb, and Sohail
2010, Wang, Kannan, and Ulmer 2013). Appendix B provides a list of keywords used in
this study. A firm with risk factor disclosure that contains any of these keywords is
considered to have cyber risk disclosure. We add an interaction,
$\Delta\text{Cyber-Incident}_{it} \times \text{Disclosure}$, into equation (1). A negative coefficient would suggest that
auditors increase fees by less for the firms that have prior cyber risk disclosures.
Sample Selection
We obtain our cyber incident data from the Audit Analytics cybersecurity database
and Privacy Rights Clearinghouse (privacyrights.org). The Audit Analytics cybersecurity
database collects cybersecurity breaches for U.S. public firms, while Privacy Rights
Clearinghouse publishes data breaches that involve individuals’ identities. We start with 738
data breaches, of which 303 are related to cyber incidents (cyber-attacks).11 We first
remove cyber incidents for firms in the financial industry (SIC 6000-6999) as they have a
different audit fee structure. If a firm experienced more than one cyber-attack in one year
(e.g. Hyatt Hotels Corp. was hacked twice in 2015), we keep only one incident per year to
prevent over-sampling. Finally, observations that do not have the necessary financial or
audit data are excluded. These procedures result in a final sample of 140 cybersecurity
breached firm observations. Any firm-year that is not in our initial sample of cyber
incidents is considered to be a non-cybersecurity breached observation (Cyber-Incident=0).
Our final sample consists of 140 cybersecurity breached observations and 29,627
non-cybersecurity breached firm observations. Table 1 summarizes the sample selection
procedure.
Footnote 11: Data breaches could happen for reasons other than cyber-attacks. For example, a stolen laptop or
improperly disposed documents could result in a breach of sensitive information. We are not considering these
types of data breaches as they are not related to cybersecurity. In addition, column 2 of Table 5 indicates that
external auditors are not concerned about such types of data breaches.
----- Insert Table 1 -----
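The sample selection steps described above, applied in order to a handful of constructed breach records, as an added Python example (not the authors' code). Firm names, field names and records are hypothetical; the code produces an attrition count per step and the Cyber-Incident label for every usable firm-year.

```python
FINANCIAL_SIC = range(6000, 7000)   # SIC 6000-6999, excluded in the paper

# Constructed breach records (hypothetical firms and field names).
BREACHES = [
    {"firm": "HotelCo",  "year": 2015, "sic": 7011, "is_cyber_attack": True},
    {"firm": "HotelCo",  "year": 2015, "sic": 7011, "is_cyber_attack": True},   # second attack, same year
    {"firm": "HotelCo",  "year": 2013, "sic": 7011, "is_cyber_attack": True},
    {"firm": "BankCo",   "year": 2014, "sic": 6021, "is_cyber_attack": True},   # financial industry
    {"firm": "RetailCo", "year": 2013, "sic": 5311, "is_cyber_attack": False},  # e.g. stolen laptop
    {"firm": "MakerCo",  "year": 2012, "sic": 3571, "is_cyber_attack": True},   # no audit data that year
    {"firm": "MakerCo",  "year": 2014, "sic": 3571, "is_cyber_attack": True},
]

# Constructed firm-years that have the necessary financial and audit data.
USABLE_FIRM_YEARS = {
    ("HotelCo", 2013), ("HotelCo", 2014), ("HotelCo", 2015),
    ("RetailCo", 2013), ("RetailCo", 2014),
    ("MakerCo", 2013), ("MakerCo", 2014),
}

def select_breached_firm_years(breaches, usable_firm_years):
    """Apply the filters in the order the text gives them.

    Returns (sample, attrition): the breached firm-years that survive, and a
    list of (step, remaining count) pairs in the spirit of a selection table.
    """
    attrition = [("all data breaches", len(breaches))]
    kept = [b for b in breaches if b["is_cyber_attack"]]
    attrition.append(("cyber-attacks only", len(kept)))
    kept = [b for b in kept if b["sic"] not in FINANCIAL_SIC]
    attrition.append(("non-financial firms", len(kept)))
    # Collapse repeated attacks so each firm contributes one incident per year.
    firm_years = sorted({(b["firm"], b["year"]) for b in kept})
    attrition.append(("one incident per firm-year", len(firm_years)))
    sample = [fy for fy in firm_years if fy in usable_firm_years]
    attrition.append(("with financial and audit data", len(sample)))
    return sample, attrition

def label_panel(usable_firm_years, sample):
    """Cyber-Incident = 1 for sampled firm-years, 0 for every other firm-year."""
    breached = set(sample)
    return {fy: int(fy in breached) for fy in sorted(usable_firm_years)}

if __name__ == "__main__":
    sample, attrition = select_breached_firm_years(BREACHES, USABLE_FIRM_YEARS)
    for step, count in attrition:
        print(f"{step:32s} {count}")
    print(label_panel(USABLE_FIRM_YEARS, sample))
```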
There are three potential limitations that might affect our data set. The first one is
that a firm experienced a cyber incident but never discovered the attack. The second
scenario is that a firm recognized that it was hacked and notified its external auditor, but
the incident was not publicly announced, thus not recorded in our sample. The third
scenario, although quite unlikely, is that the firm does not disclose a cyber incident to any
party, but its external auditor detects the incident privately and takes corresponding actions
to address the incident. Under the above situations, we may incorrectly classify a
cybersecurity breached firm as a non-breached firm, or fail to capture auditor’s reaction to
the incident. However, the validity of our results should not be affected by these
possibilities because they will only act as a bias against us and thus weaken our findings.
Table 2 reports the descriptive statistics for the variables used in the analysis. Firms
with cyber incidents tend to be larger than their counterparts (9.2160 vs 6.1595, p < 0.001).
In addition, about 86% of cybersecurity breached firms have prior cyber risk disclosure,
while only about 38% of non-breached firms have such disclosures. Table 3, Panel A
presents univariate correlations among the variables in equation (2), while Panel B reports
univariate correlations among the change variables. The dependent variable, logAUDIT, is
significantly correlated with all independent variables. Our variable of interest,
Cyber-Incident, is significantly correlated with the dependent variable and several
independent variables, with the largest correlation being 0.094. In the correlation matrix of
change variables, ∆logAUDIT is not significantly correlated with ∆Cyber-Incident,
∆Foreign, ∆GCO, and ∆ROA. Therefore, we turn to multiple regression to control for other
determinants of ∆logAUDIT.
----- Insert Table 2 & 3 -----
IV. RESULTS
Main Findings
Table 4 shows the results of the multiple regression in equation (2). The traditional
audit fee model is highly significant and captures about 84.65 percent of the variation in
logAUDIT using our independent variables. The coefficient on Cyber-Incident is 0.216 (p
< 0.0001), providing some initial support for our hypothesis. Except for GCO, Leverage,
and Busy, all the control variables are significant in the predicted direction. Specifically,
LNassets, InvRec, Segments, Foreign, Merger, Special, Loss, Big4, and ICW are
positively associated with logAUDIT, while Growth, Btm, Initial, ROA and Quick are
negatively correlated with logAUDIT.
----- Insert Table 4 -----
Column 1 of Table 5 reports the results of the audit fee change model in equation
(1). As expected, the explanatory power of the change model is much smaller than that of
the traditional audit fee model (adjusted R-squared = 24.98%), but is similar to those reported
in prior studies (Hardies, Breesch, and Branson 2015, Desir, Casterella, and Kokina 2013,
Khalil and Mazboudi 2016). Our variable of interest, ∆Cyber-Incident, is positively
associated with ∆logAUDIT, supporting our first hypothesis. The result is also
economically significant. The increase in audit fees after a cyber incident (0.045) is about
twice the increase after firms suffer a loss (0.024), and about 60 percent of the increase after
firms report a material weakness in internal controls (0.074). As for control variables, all
except ∆Foreign, ∆Growth, ∆Btm, and ∆GCO are significant in the predicted direction.
----- Insert Table 5 -----
While our focus is on cyber incidents that are initiated by malicious third parties
and happen in the cyber realm (i.e. hacking), we also report the regression results for data
breaches that do not involve hacking for comparison. Column 2 of Table 5 presents the
result. The coefficient of ∆Non_Cyber-Incident (a binary variable that equals 1 if the firm
suffers a data breach that does not involve a cyber-attack, 0 otherwise) is not statistically
significant, suggesting that external auditors are not concerned about data breaches that are
less severe, such as a stolen laptop or unintentional disclosure of sensitive information online.
Overall, results in Table 5 support our hypothesis that external auditors are responding to
cyber incidents by charging higher audit fees.
Regression results for testing whether external auditors price material cyber risk
prior to the cyber incident are presented in Table 6. Consistent with our hypothesis, there
is a statistically significant and negative coefficient on ∆Cyber-Incident*Disclosure,
indicating that the increase in audit fees is smaller for those cybersecurity breached firms that
have prior cyber risk disclosures. On average, firms without prior cyber risk disclosure are
punished three times more heavily than those with prior cyber risk disclosure (0.12 vs. 0.12-0.09).
The results provide evidence that auditors indeed price cyber risks even before the actual
adverse event happens.12
----- Insert Table 6 -----
Footnote 12: An alternative explanation is that firms making cyber risk disclosures are simply experiencing
less severe cyber-attacks, which result in a smaller increase in audit fees. However, we believe this is not likely
given that firms will disclose negative information only when they deem the risk material. In fact, this will
only bias against us finding a negative interaction.
Sensitivity Analyses
Multiple Breaches for a Single Firm
Several firms experienced cyber incidents in multiple years, which could introduce
over-sampling bias in our test. Although standard errors are clustered by firm to correct
for time-series dependence in our model, we reran our tests keeping only the first cyber
incident for each firm that underwent several cyber incidents to further address the concern.
Our results are still significant in the predicted directions when using this reduced sample
(untabulated).
Propensity Score Matching
Although propensity score matching is not the appropriate choice to address
endogeneity arising from unobservable factors (Lennox, Francis, and Wang 2011, Shipman,
Swanquist, and Whited 2017), which is a significant concern in our current context, we
nevertheless examined our results using the traditional audit fee model in equation (2) on
a propensity score matched sample. We generated propensity scores using a logistic
regression that models the likelihood that a firm will experience cyber incidents.13 Based
on Wang, Kannan, and Ulmer (2013), Higgs et al. (2014), and Sheneman (2017), we used
the following logit model:
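$$
\begin{aligned}
\text{Prob}(\text{Breach} = 1) ={}& \text{LNassets}_{it} + \text{Segments}_{it} + \text{ROA}_{it} + \text{Growth}_{it} + \text{Loss}_{it} \\
&+ \text{Leverage}_{it} + \text{ICW}_{it} + \text{Year Indicators} \\
&+ \text{Industry Indicators} + \varepsilon_{it}
\end{aligned}
\tag{3}
$$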
Detailed descriptions of variable definitions can be found in Appendix A. After
obtaining propensity scores, we matched each cybersecurity breached firm observation
with non-breached firm observations that have propensity scores within 10 percent of the
treatment firm. Table 7 summarizes the regression results using the propensity matched
sample. Column 1 indicates that audit fees are higher for firms experiencing cyber incidents
(p < 0.05), while Column 2 suggests that firms with prior cyber risk disclosures have
smaller fee increases (p < 0.05). Overall, findings using propensity score matching are
similar to those reported in the main model.
Footnote 13: We reiterate that there is no well-specified model for explaining the probability of experiencing
a cyber incident.
----- Insert Table 7 -----
Additional Tests
Repeated Cyber Incidents
Since several firms experience multiple cyber incidents, we examine whether
auditors are responding differently for firms having past cyber incidents. While some
practitioners have argued that cyber incidents could be inevitable,14 a firm experiencing
more than one cyber incident can hardly be explained as coincidence. Specifically,
experiencing multiple cyber incidents could be indicative of severe weaknesses in a firm’s
internal controls over operations and management’s lack of commitment to maintain a
sound internal control environment and remediate past vulnerabilities that resulted in the past
cyber incidents. Thus, we expect that auditors perceive such firms as riskier and increase
audit fees more.
We create an indicator variable Past_Breach to capture a firm’s past cyber incidents
and interact this variable with ∆Cyber-Incident. The regression results are presented in
Table 8. The coefficient on the interaction, ∆Cyber-Incident*Past_Breach, is positive and
significant, suggesting that auditors increase audit fees more for cybersecurity breached
firms that have past cyber incidents. On average, the increase in audit fees for breached
firms with past cyber incidents is more than twice that of firms that experience a cyber incident
for the first time (0.040+0.054 vs 0.040), demonstrating that auditors are especially
concerned about the systematic problems underscored by repeated cyber incidents.
Footnote 14: ASEC Cybersecurity Working Group Initiative.
----- Insert Table 8 -----
Type of Information Hacked
While cybersecurity breaches are generally more severe than other types of data
breaches (e.g. stolen laptop) because they are initiated by malicious third parties, the type of
information hacked could determine the severity and implication of the incident. In this
section, we specifically consider intellectual property because intellectual property is the
most important asset that firms should protect, and the damage of intellectual property
theft could be material. Reuters (2015) reported that after Chinese hackers stole
intellectual property from an Australian firm, the firm was forced to slash the price of its
products in half to compete with the counterfeiters. As intellectual property is the core of
a firm’s value, theft of intellectual property could result in the forfeiture of competitive
advantage, reduced market share, and loss of profitability (Gelinne, Fancher, and Mossburg
2016). Compared with theft of customer personal information and credit card information,
cybercrime towards intellectual property has stronger and more direct implications for
a firm’s financial position, including but not limited to future cash flows, valuation of
intangible assets, and going concern, all of which require auditors to exert additional effort
to reduce the risk of material misstatement. In addition, since intellectual property is one
of the most important assets for firms and has the strongest protection, a breach of it could
indicate material weakness in a firm’s internal controls over operations, which could be
indicative of material weakness in internal controls over financial reporting (Lawrence,
Minutti-Meza, and Vyas 2016). We create a variable IP that equals 1 if the cyber incident
involves intellectual property, 0 otherwise. ∆Cyber-Incident*IP is added into equation (1) to
capture the differential effect of different types of information hacked. Results are
presented in Table 9. Consistent with our expectation, the interaction is statistically
significant and negative (p < 0.05), suggesting that external auditors have differential
responses to different types of cyber incidents.
----- Insert Table 9 -----
Mitigating Channel
In this section, we explore whether auditors’ reaction to cyber incidents will be
mitigated by external monitoring. Particularly, we focus on institutional ownership and
block holders (i.e., shareholders who hold at least 5 percent of the shares outstanding).
There is rich literature on the effect of block holders and institutional ownership on
corporate governance. The overall finding is that larger block holders and institutional
ownership can improve corporate governance, mitigate agency problems, and reduce the
risk of material misstatement and fraud (Sharma 2004, Edmans 2014). Because large and
sophisticated shareholders provide active monitoring of corporate affairs and a firm’s
accounting practices (Mitra, Hossain, and Deis 2007), they may help mitigate auditors’
concern over cyber incidents as these firms pose less risk to auditors. For example, these firms
are less likely to have a weak control environment as they are actively monitored by large
and sophisticated shareholders.
We use two variables to capture external monitoring: the percentage of institutional
holdings (INST) and the number of block holders (NUM). The results of interacting these
two variables with ∆Cyber-Incident are summarized in Table 10. Both interactions are
negatively associated with the increase in audit fees, providing evidence that external
monitoring could mitigate auditors’ concern over cyber incidents.
----- Insert Table 10 -----
Reversal of Fee Premium
We also investigate if there is any reversal of the fee premium if the firm does not
experience a cyber incident in subsequent years. One might expect that once the control
issues are fixed, audit fees will be reversed (Munsif et al. 2011). In our untabulated
results, we find that there is no reduction in audit fees if there is a cyber incident in year
t, but not in year t+1 (negative but not statistically significant). This is not surprising
because even if there is no future cyber incident, auditors’ concern about increased risk
could persist. Unlike material weakness in ICFR, where we can use the section 404 report
as the signal of remediation, there is no clear timing of when the problems signified by
cyber incidents are remediated. Lawrence, Minutti-Meza, and Vyas (2016) reveal that
operational weakness could indicate financial reporting control weakness in the future.
Therefore, unless auditors find convincing evidence that the management has fixed
the problem, audit fees are less likely to be reduced.
Effect of Regulatory Emphasis
Although there is no mandatory requirement regarding cybersecurity from either
the SEC or the PCAOB, the issuance of cybersecurity disclosure guidance by the SEC
could be viewed as a signal that the regulators are starting to take cybersecurity
seriously. Therefore, we examine whether there is a differential effect of auditors’
reaction before and after the disclosure guidance. Untabulated results indicate that the
effect of cyber incidents on the audit fee increase is only significant in the post-guidance
period (coefficient=0.050, t=2.51), not the pre-guidance period (coefficient=0.026,
t=1.08). However, when comparing the coefficients of cyber incident, the z-statistic
introduced by Paternoster, Brame, Mazerolle, and Piquero (1998) suggests that there is
no statistically significant difference between the pre-guidance and post-guidance periods.
Thus, while the results seem to indicate that auditors are only reacting in the post-guidance
period, we do not intend to draw any conclusion here.
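The coefficient comparison described above can be reproduced from the reported figures. This is an added worked illustration, not part of the paper; it assumes each reported t-statistic equals the coefficient divided by its standard error, so the standard errors below are backed out from rounded values and are approximate. Writing $b_{post} = 0.050$ and $b_{pre} = 0.026$:

$$
SE_{post} \approx \frac{0.050}{2.51} \approx 0.0199, \qquad SE_{pre} \approx \frac{0.026}{1.08} \approx 0.0241
$$

$$
Z = \frac{b_{post} - b_{pre}}{\sqrt{SE_{post}^{2} + SE_{pre}^{2}}} \approx \frac{0.024}{\sqrt{0.0199^{2} + 0.0241^{2}}} \approx \frac{0.024}{0.0312} \approx 0.77
$$

A value of about 0.77 is well below the 1.96 needed for two-tailed significance at the 5 percent level, which is why one coefficient being individually significant and the other not does not establish that the two periods differ.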
V. Concluding Remark
This study demonstrates a potential relationship between the external audit and
cyber incidents. Specifically, using data on cyber incidents for the period 2005 to 2015, we
empirically examine the relationship between the increase in audit fees and cyber incidents.
Consistent with our expectation, we observe a significant positive association between
audit fee increase and cyber incidents using an audit fee change model. In addition, we find
that increases in audit fees are smaller for firms with prior cyber risk disclosure following
cyber incidents, implying that auditors have priced material cyber risk prior to the
cyber-attacks. In addition, evidence in this paper demonstrates that firms with repeated cyber
incidents are charged higher audit fees than firms that are only breached for the first time.
Furthermore, auditors differentiate the type of information hacked. Increases in audit fees
are higher for firms with cyber incidents that involve intellectual property than for firms
with incidents not involving intellectual property hacking. Finally, we document that auditors’
concern over cyber incidents is mitigated by external monitoring, as measured by the percentage of
institutional holdings and number of block holders. Collectively, results in this paper
should be valuable to regulators and academics who are interested in understanding
auditors’ opinion over cyber incidents. The findings that auditors both price cyber risk
ex-ante and respond to cyber incidents ex-post disagree with the concern that auditors are not
taking cybersecurity seriously.
As with any study, there are several limitations that must be considered when
interpreting the findings. Although we argue that auditors should respond to cyber incidents
because they may indicate deficiencies in ICFR and risks of material misstatement, there
could be other reasons why external auditors would increase audit fees following a cyber
incident. In-depth case studies or interviews with external auditors should be conducted to
build a more comprehensive understanding of how external auditors respond to cybersecurity
risks and cyber incidents. In addition, the results of the study do not address how external
auditors are evaluating cyber risks prior to cyber incidents. A thorough investigation is
necessary to advance our understanding of cyber risk anticipation. For example, analogous
to “contagion” effects in stock price reactions reported by Ettredge and Richardson (2003),
do auditors of firms that are similar to firms that have experienced cyber incidents increase
their audit procedures and audit fees to identify potentially unidentified cyber incidents
among those clients and to address potential consequences?
REFERENCES
Acquisti, Alessandro, Allan Friedman, and Rahul Telang. 2006. "Is there a cost to privacy breaches?
An event study." ICIS 2006 Proceedings:94.
Aguilar, Luis A. 2014. "Boards of Directors, Corporate Governance and Cyber-Risks."
American Institute of Certified Public Accountants. 1997. "Consideration of Fraud in a Financial
Statement Audit." Statement on Auditing Standards No. 82.
American Institute of Certified Public Accountants. 2016. "Cybersecurity Reporting: A
Backgrounder." Available at
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/cybersecurity/aicpa_brief_cybersecurity.pdf.
Association of Corporate Counsel. 2016. "SEC priorities and enforcement trends." Available at
http://m.acc.com/chapters/del/upload/2016-04-19_AkinGump_SEC_Trends-PPTX.pdf.
Benaroch, Michel, Anna Chernobai, and James Goldstein. 2012. "An internal control perspective
on the market value consequences of IT operational risk events." International Journal of
Accounting Information Systems 13 (4):357-381.
Berezina, Katerina, Cihan Cobanoglu, Brian L. Miller, and Francis A. Kwansa. 2012. "The impact of
information security breach on hotel guest perception of service quality, satisfaction,
revisit intentions and word-of-mouth." International Journal of Contemporary Hospitality
Management 24 (7):991-1010. doi: 10.1108/09596111211258883.
Bryan Cave. 2016. "2016 Data Breach Litigation Report."
Bulgurcu, Burcu, Hasan Cavusoglu, and Izak Benbasat. 2010. "Information security policy
compliance: an empirical study of rationality-based beliefs and information security
awareness." MIS Quarterly 34 (3):523-548.
Campbell, John L., Hsinchun Chen, Dan S. Dhaliwal, Hsin-min Lu, and Logan B. Steele. 2014. "The
information content of mandatory risk factor disclosures in corporate filings." Review of
Accounting Studies 19 (1):396-455.
Campbell, Katherine, Lawrence A. Gordon, Martin P. Loeb, and Lei Zhou. 2003. "The economic
cost of publicly announced information security breaches: empirical evidence from the
stock market." Journal of Computer Security 11 (3):431-448.
Cavusoglu, Huseyin, Birendra Mishra, and Srinivasan Raghunathan. 2004. "The effect of internet
security breach announcements on market value: Capital market reactions for breached
firms and internet security developers." International Journal of Electronic Commerce 9
(1):70-104.
Center for Audit Quality. 2014. "CAQ Member Alert: Cybersecurity and the External Audit."
Chai, Sangmi, Minkyun Kim, and H. Raghav Rao. 2011. "Firms' information security investment
decisions: Stock market evidence of investors' behavior." Decision Support Systems 50
(4):651-661. doi: 10.1016/j.dss.2010.08.017.
Chang, C. Janie, and Nen-Chen Hwang. 2003. "The impact of retention incentives and client
business risks on auditors' decisions involving aggressive reporting practices." Auditing:
A Journal of Practice & Theory 22 (2):207-218. doi: 10.2308/aud.2003.22.2.207.
Das, Saini, Arunabha Mukhopadhyay, and Manoj Anand. 2012. "Stock market response to
information security breach: A study using firm and attack characteristics." Journal of
Information Privacy and Security 8 (4):27-55.
Debreceny, Roger. 2014. "Aggravated Cybersecurity Risks Implications for Accounting and
Auditing Research and Practice." JIS Senior Editors' Blog-Journal of Information Systems.
Desir, Rosemond, Jeffrey R. Casterella, and Julia Kokina. 2013. "A reexamination of audit fees for
initial audit engagements in the post-SOX period." Auditing: A Journal of Practice &
Theory 33 (2):59-78.
Doogar, Rajib, Padmakumar Sivadasan, and Ira Solomon. 2015. "Audit fee residuals: costs or
rents?" Review of Accounting Studies 20 (4):1247-1286.
Edmans, Alex. 2014. "Blockholders and corporate governance." Annual Review of Financial
Economics 6:23-50. doi: 10.1146/annurev-financial-110613-034455.
Elliott, John A., Aloke Ghosh, and Elisabeth Peltier. 2013. "Pricing of risky initial audit
engagements." Auditing: A Journal of Practice & Theory 32 (4):25-43. doi: 10.2308/ajpt-50523.
Ettredge, Michael L., and Vernon J. Richardson. 2003. "Information transfer among internet firms:
the case of hacker attacks." Journal of Information Systems 17 (2):71-82.
Filzen, Joshua J. 2015. "The information content of risk factor disclosures in quarterly reports."
Accounting Horizons 29 (4):887-916.
Financial Accounting Standards Board. 1975. "Statement of Financial Accounting Standards No. 5:
Accounting for Contingencies."
Francis, Jere R., and Dechun Wang. 2005. "Impact of the SEC's public fee disclosure requirement
on subsequent period fees and implications for market efficiency." Auditing: A Journal of
Practice & Theory 24 (1):145-160.
Gatzlaff, Kevin M., and Kathleen A. McCullough. 2010. "The Effect of Data Breaches on
Shareholder Wealth." Risk Management and Insurance Review 13 (1):61-83.
Gaulin, Maclean. 2017. "Risk Fact or Fiction: The information content of risk factor disclosures."
Working Paper.
Gelinne, John, J. Donald Fancher, and Emily Mossburg. 2016. "The hidden costs of an IP breach:
Cyber theft and the loss of intellectual property." Deloitte Review (19).
Goel, Sanjay, and Hany A. Shawky. 2009. "Estimating the market impact of security breach
announcements on firm values." Information & Management 46 (7):404-410. doi:
10.1016/j.im.2009.06.005.
Goldstein, James, Anna Chernobai, and Michel Benaroch. 2011. "An event study analysis of the
economic impact of IT operational risk and its subcategories." Journal of the Association
for Information Systems 12 (9):606-631.
Gordon, Lawrence A., Martin P. Loeb, and Tashfeen Sohail. 2010. "Market value of voluntary
disclosures concerning information security." MIS Quarterly 34 (3):567-594.
Gordon, Lawrence A., Martin P. Loeb, and Lei Zhou. 2011. "The impact of information security
breaches: Has there been a downward shift in costs?" Journal of Computer Security 19
(1):33-56.
Grant, Gerry H., and C. Terry Grant. 2014. "SEC cybersecurity disclosure guidance is quickly
becoming a requirement." The CPA Journal 84 (5):69.
Hardies, Kris, Diane Breesch, and Joël Branson. 2015. "The Female Audit Fee Premium." Auditing:
A Journal of Practice & Theory 34 (4):171-195.
Higgs, Julia L., Robert Pinsker, Thomas Smith, and George Young. 2014. "The Relationship Between
Board-Level Technology Committees and Reported Security Breaches." Journal of Information
Systems.
Hinz, Oliver, Michael Nofer, Dirk Schiereck, and Julian Trillig. 2015. "The influence of data theft on
the share prices and systematic risk of consumer electronics companies." Information &
Management 52 (3):337-347. doi: 10.1016/j.im.2014.12.006.
Hoag, Matthew L., and Carl W. Hollingsworth. 2011. "An intertemporal analysis of audit fees and
Section 404 material weaknesses." Auditing: A Journal of Practice & Theory 30 (2):173-200.
doi: 10.2308/ajpt-50005.
Hogan, Chris E., and Michael S. Wilkins. 2008. "Evidence on the audit risk model: Do auditors
increase audit fees in the presence of internal control deficiencies?" Contemporary
Accounting Research 25 (1):219-242.
Hoitash, Rani, Udi Hoitash, and Jean C. Bedard. 2008. "Internal control quality and audit pricing
under the Sarbanes-Oxley Act." Auditing: A Journal of Practice & Theory 27 (1):105-126.
doi: 10.2308/aud.2008.27.1.105.
Hope, Ole-Kristian, Danqi Hu, and Hai Lu. 2016. "The benefits of specific risk-factor disclosures."
Review of Accounting Studies Forthcoming.
Houston, Richard W., Michael F. Peters, and Jamie H. Pratt. 2005. "Nonlitigation risk and pricing
audit services." Auditing: A Journal of Practice & Theory 24 (1):37-53. doi:
10.2308/aud.2005.24.1.37.
Hu, Qing, Tamara Dinev, Paul Hart, and Donna Cooke. 2012. "Managing employee compliance
with information security policies: the critical role of top management and organizational
culture." Decision Sciences 43 (4):615-660.
Huang, Hua-Wei, Kanan Raghunandan, and Dasaratha Rama. 2009. "Audit fees for initial audit
engagements before and after SOX." Auditing: A Journal of Practice & Theory 28 (1):171-190.
doi: 10.2308/aud.2009.28.1.171.
Ifinedo, Princely. 2014. "Information systems security policy compliance: An empirical study of
the effects of socialisation, influence, and cognition." Information & Management 51
(1):69-79. doi: 10.1016/j.im.2013.10.001.
ISACA. 2006. "Information Security Governance Guidance for Boards of Directors and Executive
Management, 2nd Edition."
Johnstone, Karla M. 2000. "Client-acceptance decisions: Simultaneous effects of client business
risk, audit risk, auditor business risk, and risk adaptation." Auditing: A Journal of Practice
& Theory 19 (1):1-25.
Khalil, Samer, and Mohamad Mazboudi. 2016. "Client Acceptance and Engagement Pricing
following Auditor Resignations in Family Firms." Auditing: A Journal of Practice & Theory
35 (4):137-158. doi: 10.2308/ajpt-51489.
Kothari, Sabino P., Xu Li, and James E. Short. 2009. "The effect of disclosures by management,
analysts, and business press on cost of capital, return volatility, and analyst forecasts: A
study using content analysis." Journal of Accounting and Economics 84 (5):1639-1670.
Kothari, Sabino P., Susan Shu, and Peter D. Wysocki. 2009. "Do managers withhold bad news?"
Journal of Accounting Research 47 (1):241-276.
Kravet, Todd, and Volkan Muslu. 2013. "Textual risk disclosures and investors' risk perceptions."
Review of Accounting Studies 18 (4):1088-1122.
Kvochko, Elena, and Rajiv Pant. 2015. "Why data breaches don’t hurt stock prices." Harvard
Business Review.
Kwon, Juhee, Jackie Rees Ulmer, and Tawei Wang. 2013. "The association between top
management involvement and compensation and information security breaches."
Journal of Information Systems 27 (1):219-236.
Lawrence, Alastair, Miguel Minutti-Meza, and Dushyantkumar Vyas. 2016. "Is Operational Control
Risk Informative of Undetected Financial Reporting Deficiencies?" Working Paper.
Lennox, Clive S., Jere R. Francis, and Zitian Wang. 2011. "Selection models in accounting research."
The Accounting Review 87 (2):589-616.
Mayhew, Brian W. 2005. "Discussion of impact of the SEC's public fee disclosure requirement on
subsequent period fees and implications for market efficiency." Auditing: A Journal of
Practice & Theory 24:161-169. doi: 10.2308/aud.2005.24.s-1.161.
Mitra, Santanu, Mahmud Hossain, and Donald R. Deis. 2007. "The empirical relationship between
ownership characteristics and audit fees." 28 (3):257-285.
Munsif, Vishal, Kannan Raghunandan, Dasaratha V. Rama, and Meghna Singhvi. 2011. "Audit fees
after remediation of internal control weaknesses." Accounting Horizons 25 (1):87-105.
doi: 10.2308/acch.2011.25.1.87.
Paternoster, Raymond, Robert Brame, Paul Mazerolle, and Alex Piquero. 1998. "Using the correct
statistical test for the equality of regression coefficients." Criminology 36 (4):859-866.
Ponemon Institute. 2016. "2016 Cost of Data Breach Study: United States."
PricewaterhouseCoopers. 2016. "The Global State of Information Security."
Public Company Accounting Oversight Board. 2004. "Auditing Standard No. 2: An audit of internal
control over financial reporting performed in conjunction with an audit of financial
statements."
Public Company Accounting Oversight Board. 2014. "Standing advisory group meeting:
cybersecurity. Available at
http://pcaobus.org/News/Events/Documents/0624252014_SAG_Meeting/06252014_Cybersecurity.pdf."
Public Company Accounting Oversight Board. 2015. "Staff inspection brief."
Public Company Accounting Oversight Board. 2016. "Staff inspection brief."
Ransbotham, Sam, and Sabyasachi Mitra. 2009. "Choice and chance: A conceptual model of paths
to information security compromise." Information Systems Research 20 (1):121-139.
Reuters. 2015. "Australian metal detector company counts cost of Chinese hacking."
Romanosky, Sasha, David Hoffman, and Alessandro Acquisti. 2014. "Empirical Analysis of Data
Breach Litigation." Journal of Empirical Legal Studies 11 (1):74-104. doi:
10.1111/jels.12035.
Schubert, Daniel F., Jonathan G. Cedarbaum, and Leah Schloss. 2015. "The SEC’s Two Primary
Theories in Cybersecurity Enforcement Actions." The Cybersecurity Law Report.
Securities and Exchange Commission. 2011. "CF Disclosure Guidance: Topic No. 2: Cybersecurity."
Securities and Exchange Commission. 2014. "Cybersecurity Roundtable. Available at
https://www.sec.gov/spotlight/cybersecurity-roundtable.shtml."
Sharma, Vineeta D. 2004. "Board of director characteristics, institutional ownership, and fraud:
Evidence from Australia." Auditing: A Journal of Practice & Theory 23 (2):105-117. doi:
10.2308/aud.2004.23.2.105.
Sheneman, Amy Genson. 2017. "The Effect of Operating Control Failures on the Cost of
Capital-Evidence from Data Breaches." Working Paper.
Shipman, Jonathan E., Quinn T. Swanquist, and Robert L. Whited. 2017. "Propensity score
matching in accounting research." The Accounting Review 92 (1):213-244. doi:
10.2308/accr-51449.
Skinner, Douglas J. 1994. "Why firms voluntarily disclose bad news." Journal of Accounting
Research 32 (1):38-60.
Soomro, Zahoor Ahmed, Mahmood Hussain Shah, and Javed Ahmed. 2016. "Information security
management needs more holistic approach: A literature review." International Journal of
Information Management 36 (2):215-225. doi: 10.1016/j.ijinfomgt.2015.11.009.
Stanley, Jonathan D. 2011. "Is the audit fee disclosure a leading indicator of clients' business risk?"
Auditing: A Journal of Practice & Theory 30 (3):157-179.
Steinbart, Paul John, Robyn Raschke, Graham Gal, and William N. Dilla. 2016. "The organizational
benefits of a good relationship between the internal audit and information security
functions." Working Paper.
Steinbart, Paul John, Robyn L. Raschke, Graham Gal, and William N. Dilla. 2012. "The relationship
between internal audit and information security: An exploratory investigation."
International Journal of Accounting Information Systems 13 (3):228-243. doi:
10.1016/j.accinf.2012.06.007.
Steinbart, Paul John, Robyn L. Raschke, Graham Gal, and William N. Dilla. 2013. "Information
security professionals' perceptions about the relationship between the information
security and internal audit functions." Journal of Information Systems 27 (2):65-86.
United States Senate. 2013. "A “Kill Chain” Analysis of the 2013 Target Data Breach."
Verizon. 2016. "2016 Data Breach Investigations Report."
Von Solms, Basie. 2005. "Information Security Governance–compliance management vs
operational management." Computers & Security 24 (6):443-447.
Wang, Tawei, Karthik N. Kannan, and Jackie Rees Ulmer. 2013. "The association between the
disclosure and the realization of information security risk factors." Information Systems
Research 24 (2):201-218. doi: 10.1287/isre.1120.0437.
Wang, Tawei, Jackie Rees Ulmer, and Karthik Kannan. 2013. "The textual contents of media
reports of information security breaches and profitable short-term investment
opportunities." Journal of Organizational Computing and Electronic Commerce 23
(3):200-223. doi: 10.1080/10919392.2013.807712.
Yayla, Ali Alper, and Qing Hu. 2011. "The impact of information security events on the stock value
of firms: The effect of contingency factors." Journal of Information Technology 26 (1):60-77.
Zafar, Humayun, Myung S. Ko, and Kweku-Muata Osei-Bryson. 2015. "The value of the CIO in the
top management team on performance in the case of information security breaches."
Information Systems Frontiers:1-11.
Appendix A
Variable Definitions
Variable            Definition
LogAudit            Natural log of audit fees for the fiscal year of the cyber incident;
Cyber-Incident      Indicator variable, equal to 1 if a cyber incident was reported for the firm during fiscal year t, and 0 otherwise;
Lnassets            Natural log of total assets in millions;
InvRec              Sum of inventory and accounts receivable divided by total assets;
Segments            Number of business segments;
Foreign             Indicator variable, equal to 1 if the firm has foreign operations (based on FCA), and 0 otherwise;
Merger              Indicator variable, equal to 1 if the firm was involved in merger activity during the fiscal year (based on AQP), and 0 otherwise;
Special             Indicator variable, equal to 1 if the firm was involved in merger activity during the fiscal year (based on SPI), and 0 otherwise;
Loss                Indicator variable, equal to 1 if the firm reported negative net income, and 0 otherwise;
Growth              One-year growth rate in sales;
Btm                 Book value of common equity divided by market value of common equity;
Big4                Indicator variable, equal to 1 if the auditor is a member of the Big 4, and 0 otherwise;
GCO                 Indicator variable, equal to 1 if the auditor issues a going-concern audit opinion in year t, and 0 otherwise;
Initial             Indicator variable, equal to 1 if an auditor change occurred during the fiscal year, and 0 otherwise;
ROA                 Operating income after depreciation divided by total assets;
Leverage            Total liabilities divided by total assets;
Quick               Current assets minus inventories divided by current liabilities;
ICW                 Indicator variable, equal to 1 if the auditor reports an internal control weakness, and 0 otherwise;
Busy                Indicator variable, equal to 1 if the auditee’s fiscal year ends in December, and 0 otherwise;
Residual            Represents the prior-period unexpected audit fees measured as the residual from yearly estimations of the basic audit fees model (Equation (2))
∆Cyber-Incident     Indicator variable, equal to 1 if a cyber incident was reported for the firm during fiscal year t but not in year t-1, and 0 otherwise;
∆Non_CyberIncident  Indicator variable, equal to 1 if the firm experiences a data breach (not involving hacking) during fiscal year t but not in year t-1, and 0 otherwise;
Disclosure          Indicator variable, equal to 1 if the firm has cyber risk disclosure in year t-1, and 0 otherwise;
Past_Breach         Indicator variable, equal to 1 if the firm had any cyber incident prior to year t, and 0 otherwise;
IP                  Indicator variable, equal to 1 if the cyber incident involves intellectual property, and 0 otherwise;
INST                Percentage of institutional ownership of shares outstanding;
NUM                 Number of block institutional ownerships that have larger than 5% shares outstanding; and
∆                   One-year change in the level of each variable.
Appendix B
Keywords for Identifying Cyber Risk Disclosure
encryption
computer (virus|breach|break-in|attack|security)
security (breach|incident)
(information|network|computer) security
intrusion
hacking|hacker
denial of service
cyber(-| )(attack|fraud|threat|risk|terrorist|incident|security)
cyber-based attack
cybersecurity
infosec
system security
information technology (security|attack)
data theft
phishing
malware
data confidentiality
confidentiality of data
confidential data
unauthorized access
data corruption
corruption of data
network break-in
espionage
cyber(-| )insurance
data breach
crimeware
ransomware
keylogger
keystroke logging
social engineering
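
The following sketch is an added example, not code from the paper: it applies the Appendix B patterns to risk-factor text and derives the Disclosure indicator of Appendix A with its one-year lag. The matching rules (case-insensitive, anchored at the start of a word, whitespace collapsed), the function names and the sample filings are assumptions constructed for illustration.

```python
import re

# Keyword patterns copied verbatim from Appendix B.
APPENDIX_B_PATTERNS = [
    r"encryption",
    r"computer (virus|breach|break-in|attack|security)",
    r"security (breach|incident)",
    r"(information|network|computer) security",
    r"intrusion",
    r"hacking|hacker",
    r"denial of service",
    r"cyber(-| )(attack|fraud|threat|risk|terrorist|incident|security)",
    r"cyber-based attack",
    r"cybersecurity",
    r"infosec",
    r"system security",
    r"information technology (security|attack)",
    r"data theft",
    r"phishing",
    r"malware",
    r"data confidentiality",
    r"confidentiality of data",
    r"confidential data",
    r"unauthorized access",
    r"data corruption",
    r"corruption of data",
    r"network break-in",
    r"espionage",
    r"cyber(-| )insurance",
    r"data breach",
    r"crimeware",
    r"ransomware",
    r"keylogger",
    r"keystroke logging",
    r"social engineering",
]

# Assumption: case-insensitive match anchored at the start of a word, so
# plurals such as "hackers" or "intrusions" also count as hits.
_COMPILED = [(p, re.compile(r"\b(?:" + p + r")", re.IGNORECASE))
             for p in APPENDIX_B_PATTERNS]


def matched_patterns(text):
    """Return the Appendix B patterns found in text, in Appendix B order."""
    flat = re.sub(r"\s+", " ", text)  # phrases may wrap across lines in a filing
    return [p for p, rx in _COMPILED if rx.search(flat)]


def disclosure_by_firm_year(filings):
    """Map {(firm, filing_year): text} to {(firm, t): Disclosure}.

    Disclosure for fiscal year t is read from the year t-1 text, following
    the Appendix A definition.
    """
    return {(firm, year + 1): int(bool(matched_patterns(text)))
            for (firm, year), text in filings.items()}


# Constructed sample risk-factor text (not taken from any real filing).
SAMPLE_FILINGS = {
    ("FIRM_A", 2012): "Our results depend on commodity prices. Denial of a permit, "
                      "or the loss of service contracts, could reduce revenue.",
    ("FIRM_A", 2013): "We rely on information technology systems. A cyber-attack, computer\n"
                      "virus or other security breach could result in unauthorized access to\n"
                      "confidential data.",
}

if __name__ == "__main__":
    for key, flag in sorted(disclosure_by_firm_year(SAMPLE_FILINGS).items()):
        print(key, flag)
```

Phrases such as "information technology systems" or "denial of a permit" do not trigger a hit, because the multi-word patterns must match in full.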
Table 1. Sample Selection Criteria
Number of firm-years with cyber incidents                                                           140
  Original number of cyber incidents                                                                303
  Minus: observations that are in financial industries                                              (24)
  Minus: observations that have more than one cyber incident in a year (keep each firm-year only once)  (-76)
  Minus: observations that have missing data for the analysis                                       (-68)
Number of firm-years without cyber incidents (i.e., control groups)                                 29,627
Total number of observations                                                                        29,767
Table 2. Descriptive Statistics
            Variables in the Original Form                                                            Variables in the Change Form
Variable    Total Sample                  Firms with Cyber Incidents    Firms without Cyber Incidents
            Mean      Std       Median    Mean      Std       Median    Mean      Std       Median    Mean      Std       Median
logAUDIT    13.6863   1.3001    13.7280   15.5013   1.1434    15.5454   13.6785   1.2953    13.7231   0.0206    0.2588    0.0131
Lnassets    6.1726    2.2492    6.1912    9.2160    1.7234    9.4533    6.1595    2.2423    6.1823    0.0518    0.2685    0.0375
InvRec      0.2371    0.1788    0.2039    0.1746    0.1398    0.1271    0.2374    0.1789    0.2044    0.0002    0.0540    0.0002
Segments    1.9346    1.2642    1.0000    2.9766    1.8675    3.0000    1.9301    1.2591    1.0000    0.0100    0.3701    0.0000
Foreign     0.3517    0.4775    0.0000    0.4531    0.4998    0.0000    0.3513    0.4774    0.0000    0.0113    0.2145    0.0000
Merger      0.1966    0.3975    0.0000    0.3750    0.4860    0.0000    0.1959    0.3969    0.0000    0.0310    0.3812    0.0000
Special     0.6772    0.4676    1.0000    0.8359    0.3718    1.0000    0.6765    0.4678    1.0000    0.0204    0.5220    0.0000
Loss        0.3543    0.4783    0.0000    0.1719    0.3788    0.0000    0.3551    0.4785    0.0000    0.0131    0.4286    0.0000
Growth      0.1434    0.5980    0.0609    0.0563    0.1463    0.0442    0.1438    0.5992    0.0610    -0.0573   0.6206    -0.0242
Btm         0.5487    0.9372    0.4593    0.4519    0.4129    0.3698    0.5491    0.9388    0.4597    0.0128    0.5769    0.0015
Big4        0.7099    0.4538    1.0000    0.9531    0.2122    1.0000    0.7088    0.4543    1.0000    -0.0080   0.1321    0.0000
GCO         0.0630    0.2429    0.0000    0.0234    0.1519    0.0000    0.0631    0.2432    0.0000    0.0092    0.1870    0.0000
Initial     0.0587    0.2350    0.0000    0.0000    0.0000    0.0000    0.0589    0.2355    0.0000    -0.0002   0.3169    0.0000
ROA         -0.0136   0.2954    0.0603    0.0941    0.03      0.0831    -0.0141   0.2959    0.0603    -0.0074   0.1330    -0.0006
Leverage    0.5402    0.3783    0.4904    0.5995    0.2372    0.6033    0.5400    0.3788    0.4901    0.0173    0.1433    0.0025
Quick       2.2318    2.4193    1.4701    1.4781    1.0762    1.1526    2.2350    2.4230    1.4718    -0.0608   1.2509    -0.0098
ICW         0.0913    0.2881    0.0000    0.0313    0.1747    0.0000    0.0916    0.2885    0.0000    -0.0097   0.2990    0.0000
Busy        0.7401    0.4386    1.0000    0.5703    0.4970    1.0000    0.7408    0.4382    1.0000
Disclosure  0.3835    0.4863    0.0000    0.8614    0.3473    1.0000    0.3812    0.4857    0.0000
Note: All variables are winsorized at 1 and 99 percent.
All Variables are defined in Appendix A.
Table 3. Correlations among Variables Included in Audit Fees Model
Panel A: Variables in the Original Form
logAUDIT
logAUDIT
1.000
CyberIncident
0.094
CyberLnassets InvRec Segments Foreign Merger Special Loss Growth
Incident
Btm
Big4 Initial GCO
ROA Leverage Quick ICW
Busy Disclosure
1.000
Lnassets
0.872
0.094
1.000
InvRec
-0.061
-0.028
-0.152
1.000
Segments
0.413
0.048
0.398
0.034
1.000
Foreign
0.251
0.013
0.133
0.103
0.092
1.000
Merger
0.227
0.032
0.203
-0.032
0.098
0.107
1.000
1.000
Special
0.316
0.019
0.236
-0.023
0.142
0.140
0.340
Loss
-0.306
-0.031
-0.426
-0.082
-0.210
-0.050
-0.076
0.032
Growth
-0.091
-0.009
-0.072
-0.083
-0.064
-0.032
0.027
-0.056 0.028
1.000
1.000
Btm
-0.035
-0.008
0.035
0.076
0.041
0.005
-0.013
-0.011 -0.027 -0.053 1.000
Big4
0.640
0.036
0.588
-0.125
0.182
0.115
0.113
0.174 -0.227 -0.048 -0.045 1.000
Initial
-0.111
-0.011
-0.102
0.022
-0.039
-0.005
-0.025
-0.003 0.064
0.020
GCO
-0.273
-0.017
-0.345
-0.005
-0.113
-0.063
-0.089
-0.018 0.284
0.020 -0.212 -0.225 0.046 1.000
ROA
0.370
0.027
0.502
0.118
0.203
0.092
0.111
0.060 -0.537 -0.065 0.153 0.254 -0.051 -0.501 1.000
Leverage
0.021
0.008
-0.032
0.001
0.019
-0.068
-0.025
0.093
Quick
-0.204
-0.019
-0.208
-0.210
-0.172
-0.004
-0.060
-0.126 0.084
0.073
ICW
-0.148
-0.011
-0.206
0.041
-0.054
-0.017
-0.034
0.001
Busy
0.029
-0.022
0.028
-0.187
0.014
-0.012
0.005
0.006
Disclosure
0.198
0.068
0.191
-0.061
0.039
0.028
0.161
0.005 -0.144 1.000
0.007 -0.471 -0.030 0.001 0.395 -0.351
1.000
0.062 -0.055 0.008 -0.117 -0.060
-0.396
1.000
0.149
0.028 -0.010 -0.180 0.076 0.219 -0.162
0.127
-0.033 1.000
0.061
0.062 -0.028 0.040 0.004 0.029 -0.069
0.072
0.031 -0.002 1.000
0.090 -0.077 -0.031 -0.054 0.134 -0.016 -0.074 0.099
0.013
-0.079 -0.047 -0.015
0.187
Note: This table presents correlations for all variables in the original form. Significant correlations are represented in bold (two-sided and threshold: .05).
All Variables are defined in Appendix A.
1.000
Table 3. Correlations among Variables Included in Audit Fees Model (continued)
Panel B: Variables in the Change Form
∆logAUDIT
∆CyberIncident
∆Lnassets ∆InvRec ∆Segments ∆Foreign ∆Merger ∆Special ∆Loss ∆Growth
∆logAUDIT
1.0000
∆CyberIncident
0.0105
1.0000
∆Lnassets
0.2771
0.0031
1.0000
∆InvRec
-0.0210
-0.0034
-0.2430
1.0000
∆Segments
0.0840
-0.0121
0.1084
0.0308
1.0000
∆Foreign
0.0031
-0.0068
0.0081
0.0092
0.0026
1.0000
∆Merger
0.0899
0.0005
0.1305
-0.0334
0.0461
0.0095
1.0000
∆Special
0.0593
-0.0053
0.0114
-0.0063
0.0321
0.0054
0.2139
1.0000
∆Loss
0.0470
0.0019
-0.1097
0.0122
0.0068
-0.0031
0.0214
0.0774
∆Growth
0.0302
0.0049
0.1610
0.0839
0.0375
0.0011
0.0300
-0.0034 -0.1151 1.0000
∆Btm
∆Big4 ∆Initial ∆GCO
∆ROA ∆Leverage ∆Quick ∆ICW
1.0000
∆Btm
0.0417
-0.0008
0.1220
-0.0540
0.0209
0.0207
0.0085
0.0312
0.0510 -0.0076
1.0000
∆Big4
0.2113
0.0029
0.0483
-0.0119
-0.0061
-0.0062
0.0069
0.0118
0.0126
0.0015
0.0132
∆Initial
-0.1200
0.0003
0.0055
-0.0050
0.0018
-0.0050
-0.0100
0.0032
-0.0054 0.0163
∆GCO
-0.0078
-0.0074
-0.1537
0.0419
-0.0160
-0.0075
-0.0052
0.0086
0.0508 -0.0341 -0.0625 0.0123 0.0147 1.0000
∆ROA
-0.0009
0.0034
0.3722
-0.0260
0.0002
0.0016
-0.0141
-0.0448 -0.2618 0.2602
∆Leverage
0.0403
-0.0043
-0.2286
0.1784
0.0240
-0.0103
0.0254
0.0336
∆Quick
-0.0495
0.0027
0.1628
-0.2200
-0.0450
-0.0121
-0.0591
-0.0280 -0.0795 -0.0334
∆ICW
0.1212
0.0071
0.0190
0.0044
0.0015
0.0107
0.0079
0.0171
1.0000
0.0015 -0.1066 1.0000
0.0284
0.0036 0.0075 -0.1761 1.0000
0.1678 -0.0267 -0.2533 -0.0066 -0.0044 0.1865 -0.3162
1.0000
0.0038 0.0053 -0.1141 0.2136
-0.3368
1.0000
0.0282 -0.0053 -0.0119 0.0306 0.0070 0.0174 -0.0145
0.0393
-0.0227 1.0000
0.0328
Note: This table presents correlations for all variables in the change form. Significant correlations are represented in bold (two-sided and threshold: 0.05).
All Variables are defined in Appendix A.
Table 4. Regression of Cyber Incidents on Audit Fees using Equation (2)
Independent Variables       Estimates     t-statistics
Cyber-Incident              0.216         5.18***
Lnassets                    0.495         95.90***
InvRec                      0.463         10.04***
Segments                    0.060         10.10***
Foreign                     0.118         8.25***
Merger                      0.049         4.33***
Special                     0.150         15.25***
Loss                        0.121         11.35***
Growth                      -0.031        -6.65***
Btm                         -0.066        -10.38***
Big4                        0.395         21.28***
Initial                     -0.089        -5.66***
GCO                         -0.039        -1.69*
ROA                         -0.286        -12.96***
Leverage                    0.011         0.58
Quick                       -0.015        -5.89***
ICW                         0.163         10.18***
Busy                        0.003         0.21
Intercept                   10.229        113.44***
Industry Effects            Included
Year Effects                Included
Adjusted R square           84.65%
# Observations              36,565
Note: *, **, *** represent significance at the 0.10, 0.05, and 0.01 levels (one-tailed),
respectively. Test statistics are based on coefficient standard errors that are
heteroscedasticity-consistent and are clustered at firm level. Estimated coefficients
for year and industry dummy variables are not reported for brevity.
All Variables are defined in Appendix A.
Table 5. Regression of Cyber incidents on Audit Fees increases using Equation (1)
                            Cyber-Incident              Non_Cyber-Incident
Independent Variables       Estimates     t-statistics  Estimates     t-statistics
∆Cyber-Incident             0.045         2.86***
∆Non_Cyber-Incident                                     0.019         1.37
∆Lnassets                   0.277         37.22***      0.276         37.06***
∆InvRec                     0.133         4.28***       0.131         4.23***
∆Segments                   0.025         5.85***       0.025         5.86***
∆Foreign                    0.009         1.28          0.009         1.27
∆Merger                     0.029         7.70***       0.029         7.78***
∆Special                    0.025         9.37***       0.025         9.37***
∆Loss                       0.024         6.62***       0.024         6.59***
∆Growth                     0.000         0.01          0.000         0.03
∆Btm                        -0.004        -1.09         -0.004        -1.11
∆Big4                       0.335         21.27***      0.334         21.26***
∆Initial                    -0.076        -12.06***     -0.076        -12.05***
∆GCO                        0.013         1.34          0.013         1.34
∆ROA                        -0.127        -8.81***      -0.126        -8.77***
∆Leverage                   0.059         4.29***       0.059         4.25***
∆Quick                      -0.010        -6.67***      -0.010        -6.65***
∆ICW                        0.074         11.32***      0.074         11.34***
Residual                    -0.152        -41.31***     -0.151        -41.33***
Intercept                   0.034         1.88*         0.035         1.90*
Industry Effects            Included                    Included
Year Effects                Included                    Included
Adjusted R square           24.98%                      24.95%
# Observations              29,767                      29,725
Note: *, **, *** represent significance at the 0.10, 0.05, and 0.01 levels (one-tailed), respectively. Test statistics
are based on coefficient standard errors that are heteroscedasticity-consistent and are clustered at firm level.
Estimated coefficients for year and industry dummy variables are not reported for brevity.
All Variables are defined in Appendix A.
Table 6. Regression of Cyber incidents and Prior Cyber Risk Disclosure on Audit Fees
Increases using Equation (1)
Independent Variables         Estimates     t-statistics
∆Cyber-Incident               0.120         3.77***
Disclosure                    0.011         3.16***
∆Cyber-Incident * Disclosure  -0.090        -2.38**
∆Lnassets                     0.273         32.57***
∆InvRec                       0.145         4.21***
∆Segments                     0.029         5.81***
∆Foreign                      0.008         1.03
∆Merger                       0.030         7.51***
∆Special                      0.026         8.82***
∆Loss                         0.026         6.33***
∆Growth                       -0.003        -0.73
∆Btm                          -0.004        -1.05
∆Big4                         0.343         19.40***
∆Initial                      -0.085        -11.17***
∆GCO                          0.004         0.35
∆ROA                          -0.125        -7.90***
∆Leverage                     0.061         4.08***
∆Quick                        -0.010        -6.03***
∆ICW                          0.081         10.87***
Residual                      -0.157        -36.13***
Intercept                     0.017         0.78
Industry Effects              Included
Year Effects                  Included
Adjusted R square             27.62%
# Observations                20,883
Note: *, **, *** represent significance at the 0.10, 0.05, and 0.01 levels (one-tailed), respectively. Test
statistics are based on coefficient standard errors that are heteroscedasticity-consistent
and are clustered at firm level. Estimated coefficients for year and industry dummy
variables are not reported for brevity.
All Variables are defined in Appendix A.
Table 7. Regression Results of Equation (2) using Propensity Score Matched Sample
                            Cyber Incident              Prior Risk Disclosure
Independent variables       Estimates     t-statistics  Estimates     t-statistics
Cyber-Incident              0.131         2.01**        0.386         2.74***
Disclosure                                              0.197         2.09**
Cyber-Incident*Disclosure                               -0.321        -2.12**
Lnassets                    0.554         18.41***      0.543         15.86***
InvRec                      1.442         3.25***       1.443         3.63***
Segments                    0.019         0.78          0.038         1.60
Foreign                     0.125         1.77*         0.187         2.43**
Merger                      -0.003        -0.05         0.042         0.57
Special                     0.062         0.7           -0.025        -0.26
Loss                        0.141         1.42          0.033         0.32
Growth                      -0.110        -0.97         -0.137        -1.08
Btm                         -0.116        -1.62         -0.071        -0.90
Big4                        0.356         2.81***       0.415         3.25***
Initial                     -0.222        -1.16         -0.074        -0.50
GCO                         -0.692        -3.46***      0.000         .
ROA                         -1.012        -2.41**       -1.414        -3.01***
Leverage                    0.044         0.23          0.086         0.42
Quick                       -0.056        -1.86*        -0.038        -1.30
ICW                         0.585         1.98**        0.367         1.25
Busy                        -0.077        -0.93         -0.040        -0.46
Intercept                   10.180        25.33***      9.330         16.86***
Industry Effects            Included                    Included
Year Effects                Included                    Included
Adjusted R square           79.59%                      82.09%
# Observations              545                         412
Note: *, **, *** represent significance at the 0.10, 0.05, and 0.01 levels (one-tailed), respectively. Test statistics
are based on coefficient standard errors that are heteroscedasticity-consistent and are clustered at firm level.
Estimated coefficients for year and industry dummy variables are not reported for brevity.
All Variables are defined in Appendix A.
Table 8. Regression of Cyber incidents and Past Breach on Audit Fees Increases using
Equation (1)
Independent Variables         Estimates     t-statistics
∆Cyber-Incident               0.040         2.31**
Past_Breach                   0.007         0.63
∆Cyber-Incident *Past_Breach  0.054         2.12**
∆Lnassets                     0.276         37.05***
∆InvRec                       0.131         4.24***
∆Segments                     0.025         5.88***
∆Foreign                      0.009         1.28
∆Merger                       0.029         7.79***
∆Special                      0.025         9.37***
∆Loss                         0.024         6.61***
∆Growth                       0.000         0.02
∆Btm                          -0.004        -1.11
∆Big4                         0.334         21.26***
∆Initial                      -0.076        -12.05***
∆GCO                          0.013         1.35
∆ROA                          -0.126        -8.77***
∆Leverage                     0.058         4.25***
∆Quick                        -0.010        -6.66***
∆ICW                          0.074         11.34***
Residual                      -0.152        -41.37***
Intercept                     0.034         1.88*
Industry Effects              Included
Year Effects                  Included
Adjusted R square             24.96%
# Observations                29,853
Note: *, **, *** represent significance at the 0.10, 0.05, and 0.01 levels (one-tailed),
respectively. Test statistics are based on coefficient standard errors that are
heteroscedasticity-consistent and are clustered at firm level. Estimated coefficients
for year and industry dummy variables are not reported for brevity.
All Variables are defined in Appendix A.
Table 9. Regression of Cyber incidents and Intellectual Property on Audit Fees
Increases using Equation (1)
Independent Variables       Estimates     t-statistics
∆Cyber-Incident             0.024         1.65*
IP                          -0.057        -5.47***
∆Cyber-Incident *IP         0.092         2.21**
∆Lnassets                   0.276         36.98***
∆InvRec                     0.130         4.19***
∆Segments                   0.024         5.83***
∆Foreign                    0.008         1.19
∆Merger                     0.029         7.78***
∆Special                    0.025         9.39***
∆Loss                       0.024         6.59***
∆Growth                     0.000         0.10
∆Btm                        -0.003        -1.05
∆Big4                       0.334         21.26***
∆Initial                    -0.076        -12.00***
∆GCO                        0.014         1.37
∆ROA                        -0.127        -8.79***
∆Leverage                   0.059         4.30***
∆Quick                      -0.010        -6.61***
∆ICW                        0.075         11.46***
Residual                    -0.152        -41.31***
Intercept                   0.034         1.88*
Industry Effects            Included
Year Effects                Included
Adjusted R square           25.05%
# Observations              29,682
Note: *, **, *** represent significance at the 0.10, 0.05, and 0.01 levels (one-tailed),
respectively. Test statistics are based on coefficient standard errors that are
heteroscedasticity-consistent and are clustered at firm level. Estimated coefficients
for year and industry dummy variables are not reported for brevity.
All Variables are defined in Appendix A.
Table 10. Regression of Cyber incidents and External Monitoring on Audit Fees
Increases using Equation (1)
                            (1)                         (2)
Independent variables       Estimates     t-statistics  Estimates     t-statistics
∆Cyber-Incident             0.072         4.11***       0.075         3.22***
NUM                         0.001         1.12
∆Cyber-Incident *NUM        -0.019        -2.46**
INST                                                    0.005         1.20
∆Cyber-Incident *INST                                   -0.068        -1.76*
∆Lnassets                   0.277         37.18***      0.276         36.87***
∆InvRec                     0.133         4.29***       0.133         4.29***
∆Segments                   0.025         5.91***       0.025         5.92***
∆Foreign                    0.009         1.31          0.009         1.31
∆Merger                     0.029         7.70***       0.029         7.69***
∆Special                    0.025         9.37***       0.025         9.37***
∆Loss                       0.024         6.61***       0.024         6.62***
∆Growth                     0.000         -0.02         0.000         -0.02
∆Btm                        -0.004        -1.11         -0.004        -1.08
∆Big4                       0.335         21.27***      0.335         21.25***
∆Initial                    -0.076        -12.05***     -0.076        -12.06***
∆GCO                        0.014         1.36          0.014         1.37
∆ROA                        -0.127        -8.80***      -0.126        -8.78***
∆Leverage                   0.059         4.32***       0.060         4.35***
∆Quick                      -0.010        -6.66***      -0.010        -6.65***
∆ICW                        0.074         11.31***      0.074         11.31***
Residual                    -0.152        -41.35***     -0.152        -41.34***
Intercept                   0.034         1.89*         0.035         1.91*
Industry Effects            Included                    Included
Year Effects                Included                    Included
Adjusted R square           24.99%                      24.99%
# Observations              29,761                      29,761
Note: *, **, *** represent significance at the 0.10, 0.05, and 0.01 levels (one-tailed), respectively. Test statistics
are based on coefficient standard errors that are heteroscedasticity-consistent and are clustered at firm level.
Estimated coefficients for year and industry dummy variables are not reported for brevity.
All Variables are defined in Appendix A.