Investors’ Reactions to Cybersecurity Incidents: The Joint Effects of Disclosure Tone, Critical Audit Matters, and IT Knowledge

We investigate whether investors' reactions to management's tone and to auditor's commentary in the disclosure of a cybersecurity incident are contingent on investors' level of knowledge about information technology (IT). In Experiment 1, we predict and find that investors with a high level of IT knowledge are more likely to invest in a company when management's cybersecurity risk disclosure is written in a neutral tone and a critical audit matter (CAM) about the cybersecurity incident is present. In contrast, investors with a low level of IT knowledge are more likely to invest when the cybersecurity risk disclosure is written in a positive tone and a CAM about the incident is absent. We also find that for investors with a high level of IT knowledge, a positive tone of disclosure results in lower perceived management credibility and thus in lower willingness to invest when the CAM relating to the cybersecurity incident is present. In Experiment 2, we find that these results are unchanged regardless of the number of CAMs disclosed. Our findings are relevant to management, to auditors, and to the regulators that have expressed concerns about the quality of cybersecurity risk disclosures for informing investors' decision-making.