The Impact of Audit Committee IT Expertise on Data Breaches

ABSTRACT The continued risk of cyberattacks has led regulatory and governance bodies to call on boards to take a more active role in overseeing and preventing future cyber risks. Boards have responded by delegating cyber risk responsibilities to board technology committees and increasingly the audit committee (AC). This study examines whether information technology expertise at the AC level impacts the likelihood of a data breach occurrence. Using a sample of firms who experienced a data breach from 2005 to 2018, we find that AC IT expertise is negatively associated with the likelihood of a data breach occurrence and is associated with a reduction in external and internal data breaches. Our findings highlight the importance of ACs being actively involved in strategic decisions related to IT security and provide empirical evidence that IT expertise enhances the AC's monitoring ability and oversight of cybersecurity risks.