THE ROLE OF AUDIT COMMITTEE CYBER RISK OVERSIGHT IN DATA BREACH DISCLOSURE
Audit Committee , Data Breach , Cyber Risk Oversight , Comment Letters
In response to growing levels of cyber risk, an increasing number of firms are delegating cyber risk oversight to audit committees. In this dissertation, I examine the role of audit committee (AC) cyber risk oversight in data breach disclosures in SEC filings. By examining breached firms’ disclosure policies, I find that firms with AC cyber risk oversight (1) are more likely to disclose data breaches in SEC filings, and (2) make timelier data breach disclosures in SEC filings. These empirical results support the monitoring role of AC cyber risk oversight. In addition, the effects of AC cyber risk oversight on the likelihood of data breach disclosures in SEC filings are strengthened when the firm is subject to potential regulatory actions. Further to this, AC cyber risk oversight reduces the likelihood that a firm will receive SEC comment letters relating to data breaches, regardless of whether the firm reports a data breach. Finally, all my main results survive in a battery of robustness checks using two-stage regressions and CEM/PSM matching samples, and are further validated in a placebo test. Overall, this dissertation enhances our understanding of how AC cyber risk oversight affects firm’s disclosure policies in relation to data breaches.