Is Prevention Better Than Cure? Effects of Cyber Risk Disclosures on Shareholder Response to Breaches

As digitalization increases firms’ exposure to cyber risks, corporate disclosures about how these risks are managed are becoming more common and influential. This study examines 1,912 breach incidents affecting public companies to understand how shareholder reactions differ depending on the type of cyber risk strategies disclosed. We find that, although breaches generally lead to stock price declines, firms that previously disclosed preventive strategies, such as efforts to avoid breaches, experience significantly smaller losses in market value. Conversely, disclosing mitigative strategies, focused on damage control after a breach, amplifies the negative impact. These effects arise from shareholders’ loss aversion: They respond more favorably to firms perceived as trying to prevent harm rather than simply reacting to it. These findings suggest that managers should focus cyber risk disclosures on credible, prevention-oriented strategies to build investor confidence and minimize financial fallout after a breach. Additionally, our findings advise against using cyber risk disclosures as tools for impression management. Managers should ensure these disclosures accurately reflect the firm’s cyber risk management practices, as failing to do so can undermine the economic benefits of emphasizing preventive strategies.