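Communication source
Business
Officer
Computer security
Face (sociological concept)
Data breach
Information asymmetry
Incident response
Public relations
Marketing
Industrial organization
Asset (computer security)
Internet privacy
Transmission (computing)
Small talk
Information technology
Finance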
Authors
Justin Short, John D’Arcy, Yili Hong
Identifier
DOI:10.1287/isre.2024.1003
Abstract
Cybersecurity failures are increasingly costly, prompting companies to recruit CIOs from other firms to their boards. This study examines whether there are any impacts on a firm’s cybersecurity when (a) firms allow their own CIO to serve on an outside board; and (b) firms appoint a CIO from another company to their own board. Using CIO-firm-year observations, we compare two pathways: (1) receiver firms that appoint an external CIO to their board, and (2) sender firms whose own CIO serves on another company’s board. The findings show asymmetric effects. Receiver firms experience fewer data breaches, suggesting that external CIOs effectively transfer cybersecurity expertise and practices. In contrast, sender firms face higher breach risk, as CIOs who serve externally appear to prioritize educating the recipient firm over acquiring new insights for their home firm. This risk intensifies when the external firm lacks strong cybersecurity practices but is mitigated when the home firm has a dedicated CISO. Conversely, receiver firms benefit most when the sending firm has strong cybersecurity capabilities—or even a past breach—because negative events create valuable lessons. The results offer actionable implications: firms should strategically recruit outside CIOs to improve board-level cyber capabilities and carefully weigh the risks before permitting their own CIOs to serve externally. Policymakers should consider mechanisms that incentivize effective cybersecurity knowledge transfer across board interlocks.