Modern society depends on IT services, but unfortunately, IT services are not always dependable. Cyber incidents occur all the time, caused by bad design or by bad incentives. To address the latter cause, disclosure of cyber incidents has been proposed. Learning about incidents, buyers will find it worthwhile to select and pay for secure vendors, thus contributing to better overall security. While this logic has solid theoretical foundations in the economics of negative externalities and asymmetric information, the practice of cyber incident disclosure is only just emerging, as is empirical research on its effects. However, valuable lessons might be learned from the literature on the more mature practice of CO2e emissions disclosure. Based on the extant literature on CO2e emissions disclosure, two hypotheses about cyber incident disclosure are derived: First, it is likely that increased cyber incident disclosure would increase the costs of equity and debt for companies with many and/or severe cyber incidents, and also expose them to shareholder activism as well as to decreasing demand. Second, these effects will be smaller for cyber incident disclosure than the corresponding effects for CO2e emissions disclosure. The article is concluded with a discussion of implications and future work.
Forskningen har finansierats av Länsförsäkringsgruppens Forsknings- & Utvecklingsfond, avtalsnummer P4/18 (U. Franke) och avtalsnummer P8/18 (J. Svanberg).