Director Experience and Cybersecurity Events
James Nordlund∗
August 30, 2018
Abstract
I study labor market outcomes for, and monitoring activities by, corporate
directors following a data breach. These directors lose shareholder support
at hacked firms, but not at interlocking firms. The interlocking firms exhibit
better cybersecurity risk monitoring after the breach, and hack-experienced
directors receive more appointments at larger, better-governed firms following
the event. The results suggest that, at least when the supply of a specific
skill is particularly sparse, learning on the job following a crisis can dominate
the stigma of failing to prevent that crisis in the labor market for corporate
directors.
∗Louisiana State University, Ourso College of Business, Baton Rouge, LA 70803, email: [email protected]. I wish to thank Shradha Bindal, Audra Boone, Christa Bouwman, Shane Johnson, Adam Kolasinski, Frances Tice, and Nan Yang for helpful comments, and to Texas A&M seminar participants for their feedback.
Close to half of the directors we surveyed said “we know [cybersecurity]
is an issue, but we don’t even know what kinds of questions we should be
asking.”
– Jean-Marc Levy, interview for NYSE Governance Services’ Boardroom View
The principal roles of corporate directors are to monitor and advise management.1
In an effort to describe which directors are most likely to be effective at these tasks,
certain traits have been found to characterize particular skills of directors. However,
these traits consider broad aspects of a director’s career and are usually fixed at
the time of appointment to the board, thus ignoring discrete changes in a director’s
skillset following election to the board.2 An important but unanswered question in the
literature on corporate boards is the extent to which the director labor market values
recently acquired skills on top of the longer, more general resume of the director. One
particularly interesting application of this question regards learning from rare crises.
In the labor market for corporate directors, does an increased skillset associated with
handling a crisis offset the reputational penalties borne by failing to prevent the crisis?
This paper answers that question.
A crisis significant to firms and their directors in the modern era is a data breach
that exposes customer/employee private information to unauthorized third parties.
A number of large-scale, high-profile data breaches (Target Corp., Yahoo, Equifax,
et cetera) have pushed cybersecurity risk to the forefront of public attention. Recent
estimates put the average cost of data breach at $7.35 million (Ponemon Institute
LLC 2017). As indicated in the above quote, the supply of cybersecurity-savvy direc-
1 See Adams, Hermalin, and Weisbach (2010) and references therein for a survey of this literature.
2 This set of traits includes directors who are bankers (Guner, Malmendier, and Tate 2008), venture capitalists (Baker and Gompers 2003), lawyers (Krishnan, Wen, and Zhao 2011), CEOs from other firms (Fahlenbrach, Low, and Stulz 2010), experienced in the firm’s industry (Masulis et al. 2012; Von Meyerinck, Oesch, and Schmid 2016; Wang, Xie, and Zhu 2015), or experienced with related industries (Dass et al. 2013).
tors is remarkably low. Directors acquire first-hand experience with post-data breach
protocol and fallout by sitting on boards of firms that suffer cybersecurity events, and
it is possible that this experience is viewed positively in the director labor market.
Yet anecdotal evidence suggests that shareholders lay part of the blame from data
breaches at the feet of the board, suggesting a reputational penalty for data breach
experience.3 In this paper, I empirically investigate the labor market consequences
and post-data breach monitoring behavior of directors affiliated with a cybersecurity
event, including subsequent cybersecurity risk management at interlocking boards.
After controlling for a number of other observable director characteristics and ad-
dressing multiple forms of endogeneity, the data show that learning on the job after
a data breach leads to a net increase in a director’s reputation in the labor market
and that limited supply in the labor market plays a role in dampening reputational
penalties for monitoring failures.
I use a database of publicly reported cybersecurity events (security breaches)
at U.S. companies over 2005 to 2013.4 This data is provided by Privacy Rights
Clearinghouse, which aggregates reports of cybersecurity events across the country
that are triggered by state and federal data breach notification laws. These laws
are consumer focused, rather than shareholder focused. That is, disclosure is not
restricted to events that firms deem material, but rather encompasses the universe of
cybersecurity events that have the possibility of adversely affecting consumers.
Cybersecurity risk management requires active oversight. A rules-based, “check-
the-boxes” style of cybersecurity management appears to be at best a partial solution
to the problem.5 Dating at least as far back as 2005, federal regulators have required
3 See, for example, https://www.wsj.com/articles/iss-calls-for-an-overhaul-of-target-board-after-data-breach-1401285278 or https://www.wsj.com/articles/iss-says-five-equifax-directors-should-be-voted-out-1523901276, accessed 7/31/18.
4 The dataset is available for download at www.privacyrights.com.
5 Target Corp., for example, was certified compliant with the Payment Card Industry’s (PCI)
active monitoring, evaluation, and review of information security practices.6 A perva-
sive assumption in the discussion of cybersecurity risk management is that the board
of directors has a positive role to play in mitigating risk. Survey evidence indicates
that directors understand the need for involved review of cybersecurity practices.
Eighty-nine percent of directors report that cybersecurity is regularly discussed in
board meetings (NACD 2017). Members of the Securities and Exchange Commission
have called on boards of directors to become even more proactive in managing cy-
bersecurity risk (Aguilar 2014), and members of Congress seek a legislative effort to
require boards to disclose the presence of a “cybersecurity expert” (Senate Bill 536),
similar to the SOX requirement to disclose the presence of a “financial expert” (Reed,
Collins, and Warner 2017). The presumption is never that directors are themselves
technically sophisticated, but rather there is an expectation that directors be able to
review their firms’ cybersecurity practices and aware of procedures that may reduce
risk.7
I show that directors are significantly more likely to leave their board positions
at a hacked firm, and that those who stay on receive fewer votes in their subsequent
re-election to the board. Evidence from a Cox proportional hazards model shows that
the probability of director turnover rises by 20% following the announcement of a data
breach. Using a Heckman selection model to control for departures that take place
security standards just weeks before it fell victim to a massive malware attack that stole customer payment information (Bjorhus 2014).
6 For example, after failing to encrypt consumer payment information or to delete it in a timely manner consistent with bank security rules, BJ’s Wholesale Club experienced a data breach that resulted in millions of dollars of fraudulent purchases. A settlement from June of 2005 with the Federal Trade Commission resulted in BJ’s agreeing to “regular testing or monitoring” and “evaluation and adjustment” of its security protocols (FTC Docket No. C-4148).
7 For example, Fontaine and Stark (2018) suggest the following set of questions for directors: “Have we tested how these policies and procedures would operate if we suffered a cyber-attack?” “Where do we store our data?” “What kind of data are we keeping and why?” “What steps have we taken to validate the adequacy and sufficiency of the procedures we do have?” “How can we best gauge program effectiveness?” “Do we have adequate cyber insurance coverage in place?” “Are we investing in a manner that aligns with our true risk?”
prior to the general shareholders meeting (e.g. departure by directors who choose to
step down, knowing they would not be re-elected), I find that cybersecurity events
lower a director’s re-election vote by 1.3 percentage points. The combined results
are indicative of reputational penalties for poor monitoring, consistent with the work
of Srinivasan (2005), Fich and Shivdasani (2007), Ertimur, Ferri, and Maber (2012),
and Brochet and Srinivasan (2014), amongst others.
I also find that the increased turnover hazard following a data breach is mitigated
when a director has a technology background. This result is suggestive evidence that
the labor pool for directors with technological backgrounds is shallow, making these
directors difficult to replace. As a validation of this conjecture, I show that turnover
risk is larger when the local labor market for directors is larger (Knyazeva, Knyazeva,
and Masulis 2013), and in particular when the pool of local potential directors includes
technology experts.
Because director turnover at hacked firms happens, on average, nine months after
the breach occurred, the director has a front row seat to post-data breach response
efforts by the firm as well as claims of insufficient monitoring filed by litigious con-
sumers. This on the job training may lead to increased monitoring skill, and the
data support this claim. Interlocking firms experience better cybersecurity outcomes:
they are 14% more likely to begin disclosing cybersecurity risk in the annual report
and are 80% less likely to experience a data breach. Because the focus here is on
firms that already employed the director at the time of the data breach, the director
is not endogenously selected because of their experience with this event. The change
in a director’s cybersecurity skillset is effectively exogenous for these interlocking
firms. Moreover, these firms are not endogenously chosen by directors seeking to
avoid another data breach. The results for interlocking firms are robust to exclusion
of interlocks between hacked and un-hacked firms with a high vertical relatedness
coefficient (Dass et al. 2013), which rules out the possibility that these are spurious
results generated by vertically related interlocking firms.
If data breach experience is viewed as a positive shock to director skill then one
would expect to see benefits down the road in the labor market for new directorships
(Yermack 2004). Consistent with a perceived increase in skill, I show that directors
affiliated with data breaches are significantly more likely to take on new board ap-
pointments, and these appointments are likely to be at larger firms. To the extent
that firm size proxies for the prestige of the board position, these directors end up at
more prestigious positions than a matched set of directors who do not experience a
data breach. Finally, hacked directors are appointed to firms with lower E-indexes
(Bebchuk, Cohen, and Ferrell 2009), which implies that the new positions are not
the result of entrenched managers seeking out directors with a reputation for poor
monitoring (Levit and Malenko 2016).
These findings contribute to the corporate governance literature in a number of
ways. First, I contribute to the literature on director reputation (Fama 1980; Fama
and Jensen 1983) by documenting the role that supply-side labor market constraints
play in limiting penalties for monitoring failures. Prior authors find an increase in
turnover following financial fraud (Fich and Shivdasani 2007), accounting restate-
ments (Srinivasan 2005; Brochet and Srinivasan 2014), and option backdating (Er-
timur, Ferri, and Maber 2012). In these papers, directors more likely to be responsible
for the oversight failure face harsher reputational penalties. Audit and compensation
committee membership increases the likelihood of turnover in, respectively, cases of re-
statements (Srinivasan 2005; Brochet and Srinivasan 2014) and backdating (Ertimur,
Ferri, and Maber 2012). In contrast, although directors with technology backgrounds
are most likely to be assumed at fault following a data breach, having a technology
background mitigates turnover risk. This can be explained by the limited supply of
technically-savvy directors, and complementary analysis shows that turnover risk is
indeed higher when the local labor pool of tech experts is higher. Limited supply is
much less likely an issue in the market for qualified audit or compensation experts.
Second, I contribute to the literature on director skill sets (e.g. Adams, Akyol, and
Verwijmeren (2018)). Directors have been shown to be valuable for their experience
with acquisitions (Harford and Schonlau 2013; Field and Mkrtchyan 2017), a firm’s
industry (Masulis et al. 2012; Von Meyerinck, Oesch, and Schmid 2016; Wang, Xie,
and Zhu 2015), a firm’s related industries (Dass et al. 2013), or with banking (Guner,
Malmendier, and Tate 2008). Adams, Akyol, and Verwijmeren (2018) point out
that directors are an entire portfolio of skills, and show considerable cross-sectional
variation in board skill sets. My findings show that director experience with data
breaches is also valued in the labor market, as proxied by new board positions and
the size of the new firms at which the director works.
Finally, I contribute to the literature on corporate disclosure by documenting a
mechanism through which firms learn about what risks to disclose: the corporate
director. Campbell et al. (2014) report that firms with more risk factors have higher
market betas following the risk disclosure. Hope, Hu, and Lu (2016) find that more
specific risk disclosure is associated with better analyst assessment of the firm. Thus,
the general conclusion has been that risk disclosure is generally informative about
firm risk. But how managers determine what risks to disclose has heretofore been
unstudied. The increased incidence of cyber risk disclosure at interlocking firms is,
to my knowledge, the first evidence of a channel through which firms learn what risk
factors to consider.
2 Data
This section discusses the data used in the paper. Firm-level accounting data come
from Compustat. Director-level data come from Boardex. These databases are linked
by name, ticker, and International Security Identification Numbers using the algo-
rithm described in Engelberg, Gao, and Parsons (2012). Data on shareholder voting
records and a firm’s E-index (Bebchuk, Cohen, and Ferrell 2009) come from Insti-
tutional Shareholder Services. I measure whether a firm discloses cybersecurity as a
form of risk by using Item 1A of the 10-K filing, and pull Item 1A disclosures from
the DirectEdgar database. Data breach records are collected from Privacy Rights
Clearinghouse (PRC). Three features of the combined data are described in detail
here. First, I discuss cybersecurity events as documented by PRC. Next, I outline
the procedure used to identify individual risk factors of a firm’s annual report, since
this is novel to my paper. Finally, I detail the methodology used to classify directors
as “technology experts.”
2.1 Cybersecurity Events
This paper uses all security breaches reported between 2005 and 2013 and recorded
by Privacy Rights Clearinghouse (PRC). This dataset aggregates all reports of cyber-
security breaches published according to a state’s breach disclosure law. These laws
require individuals in that state to be notified if their personal information is lost by a
company entrusted with it. The first state to enact such a law was California in 2002.
Following a wave of state-level laws in the mid-2000s, all states except two (Alabama
and South Dakota) have disclosure laws in place. The dataset also includes breaches
reported in accordance with the Gramm-Leach-Bliley Act or the Health Insurance
8 A thorough discussion of state and federal regulations on breach notification laws is available at
Portability and Accountability Act of 1996, which are federal regulations covering,
respectively, financial institutions and health care plans/providers.8
Although breach notification laws vary by state, many of the fundamental aspects
of the disclosure requirements are similar. Personal information loss that triggers
disclosure includes social security numbers, driver’s license numbers, or financial in-
formation, although some states also extend this to include biometric information, a
passport number, date of birth, et cetera.9 The disclosure timeline also varies by state.
For example, California law requires disclosure of a breach be made “in the most expe-
dient time possible and without unreasonable delay” (California Civil Code 1798.29)
while in Ohio the disclosure must be made “in the most expedient time possible but
not later than forty-five days following its discovery” (Ohio Code 1349.19). Note,
however, that the laws are written based on the location of the consumer/employee
whose records were lost, not the firm. A California-based firm conducting business
in Ohio would need to follow Ohio laws in reporting information about a data breach
to customers in Ohio. This is generally not a complication for firm disclosure, since
differences in data breach notification laws are relatively minor across states.
The PRC data categorizes reported data losses by the nature of the event that
caused the loss. All cybersecurity events are classified as either: HACK (electronic
entry by an outside party), CARD (electronic payment fraud, e.g. capturing credit
card terminal data), INSD (data loss due to an insider taking advantage of a system),
PHYS (lost, stolen, or discarded paper documents), PORT (lost, stolen, or discarded
portable electronic devices), STAT (lost, stolen, or discarded electronic devices not
designed to be moved), DISC (unintended/accidental disclosure), or UNKNOWN
(all other events). I use all intentional forms of attack (HACK, CARD, INSD) in
www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf.
9 https://www.bna.com/complicated-compliance-state-data-breach-notification-laws/
my analysis because accidental events – for example, a PORT event resulting from
a company laptop stolen out of an employee’s car – are less likely to be subject to
director level oversight.
The institution name identified by PRC is matched into firm names from Compu-
stat using the Levenshtein algorithm to compare string values. Perfect matches are
kept, and the remainder of the data are reviewed by hand and included when appro-
priate. Most of the observations in PRC do not link to Compustat because they are
small private firms, non-profits (including education), or privately owned health care
providers. Table 1 summarizes the frequency of data breaches for each NAICS sector
over time.
[Table 1 about here]
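As an added illustration of the name-matching step (example code written for this page, not the paper's own matching script), the following normalizes institution names, computes Levenshtein distance, keeps exact matches automatically and queues near matches for the hand review the text describes. The suffix list, the normalization, the length-scaled distance and the 0.3 review cutoff are assumptions; the sample names are constructed.

```python
# Added example (not the paper's code): match PRC institution names to
# Compustat company names with Levenshtein distance. Exact matches (after a
# light normalisation, an assumption here) are kept automatically; near
# matches are queued for hand review, as the text describes.
import re

# Constructed sample names; the non-profit hospital should match nothing.
PRC_NAMES = ["Target Corp.", "BJ's Wholesale Club", "Northwind Trading Co", "Riverbend Community Hospital"]
COMPUSTAT_NAMES = ["TARGET CORP", "BJ'S WHOLESALE CLUB INC", "NORTHWIND TRADERS INC", "RIVERBANK HOLDINGS CORP"]
SUFFIXES = {"INC", "CORP", "CORPORATION", "CO", "LTD", "LLC", "PLC"}   # assumed list

def normalize(name):
    """Upper-case, drop punctuation, strip trailing legal-form suffixes."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    while tokens and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def levenshtein(a, b):
    """Edit distance with a single rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def match_names(prc_names, compustat_names, review_cutoff=0.3):
    """For each PRC name return (best Compustat name, distance / longer length, status).
    status: 'exact' (kept), 'review' (hand check), 'none' (no plausible match)."""
    norm_cs = {c: normalize(c) for c in compustat_names}
    out = {}
    for p in prc_names:
        np_ = normalize(p)
        best, best_d = None, None
        for c, nc in norm_cs.items():
            d = levenshtein(np_, nc) / max(len(np_), len(nc), 1)
            if best_d is None or d < best_d:
                best, best_d = c, d
        status = "exact" if best_d == 0 else "review" if best_d <= review_cutoff else "none"
        out[p] = (best, round(best_d, 3), status)
    return out

if __name__ == "__main__":
    for name, (cand, dist, status) in match_names(PRC_NAMES, COMPUSTAT_NAMES).items():
        print(f"{name!r:35} -> {cand!r:28} {dist:.3f} {status}")
```

Scaling the raw distance by the longer name length keeps the cutoff comparable across short and long names; the 'review' bucket is where the hand-matching in the text happens.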
One limitation of data breach information is that the severity of the breach is
not always clear. A breach in the PRC data will include an estimated number of
records lost (i.e., number of customers who lost personal information) where possi-
ble, but this information is not always known. For example, the Heartbleed security
bug found in early 2014 was an exploit that did not leave fingerprints, and therefore
it was impossible to tell which records were stolen. In the event that PRC learns new
information about the number of records that were lost (e.g. when the company up-
dates their initial report after discovering a broader breach than originally believed),
the data in PRC are revised to reflect the new numbers.10 Thus it is impossible to
use PRC details to incorporate the severity of the breach into the analysis for the
following two reasons: first, the severity is often unknown, and second, the timing of
when the severity is disclosed is unclear.
10 I thank members of the Privacy Rights Clearinghouse team for responding to email queries to clarify certain aspects of their data collection process.
In the analysis that follows, I create an indicator variable that turns on when a
director experiences a data breach at one of her firms. In my sample, 668 directors
are affiliated with a data breach, and 18.7% of these experience more than one data
breach in their careers. Additionally, because about half of corporate boards have
3-year staggered election cycles (Fos, Li, and Tsoutsoura 2018), I allow this dummy
variable to switch on for two years at a time in all of my analysis. I define interlocking
events in a similar fashion: the indicator variable turns on whenever a firm’s board
shares a director with a hacked company, and the variable turns on for two years at
a time.
2.2 Risk Factor Disclosure
Data on firm disclosure of risk factors is extracted from the DirectEdgar database,
which pre-processes 10-K filings and separates out Item 1A into an HTML document
that I parse with Python’s BeautifulSoup HTML parser. Item 1A of a firm’s 10-K
filing discloses certain risk factors that a firm faces. I search for terms relating to
cybersecurity risk (e.g. “hackers”). The full list of search terms is provided in the
appendix.
I study both the incidence of cyber disclosure and the way in which cybersecurity
disclosures are added to a firm’s 10-K filing. In the former case, a simple text search of
whether the firm uses any of the aforementioned cybersecurity risk words is sufficient.
In the latter, I am interested in the quality of this disclosure. This is measured by
looking at whether a firm begins disclosing cybersecurity risk by adding an entirely
new risk factor to the firm’s 1A filing or by adding cybersecurity risk to an existing
disclosure. The former case is more likely to be a transparent and more complete
disclosure of cybersecurity risk, whereas the latter is more likely to be a situation
in which the firm sweeps cybersecurity into a kitchen-sink listing of potential risks.
Figure 1 presents examples of each case.
[Figure 1 about here]
In panel A, Bank of Hawaii Corporation adds a risk factor discussing cybersecurity
risk to its 10-K filing for the period ending 12/31/2011. Its previous filing, for the
period ending 12/31/2010, did not include this factor. Thus, I classify Bank of Hawaii
Corporation as including a new cybersecurity disclosure. The risk factor disclosure
by Bank of Hawaii Corporation is three paragraphs long, and it discusses both the
potential cybersecurity threats faced by the firm as well as possible consequences of
a security breach. In panel B, The Empire District Electric Company updates an
existing risk factor to include a discussion of cybersecurity risk. I classify this firm as
updating an old disclosure to include cybersecurity risk. The added disclosure is one
sentence long and recognizes that a cybersecurity threat exists.
To identify the different risk factors in the html document, I analyze the structure
of formatting rules used in the document. The headers to each risk factor are assigned
special formatting as visual cues to the reader. For example, some documents use bold
font, some use italics, some use a different color, et cetera. I look over the distribution
of formatting rules applied to the entire document and assume that the most common
formatting structure belongs to the body paragraphs of a risk factor and that the second most
common formatting rule is the one identifying risk factor headers. Before reviewing
the distribution of formatting rules, I exclude table and list paragraphs (e.g. those
including a <tr> or <li> tag) from the distribution since some factors can include
long bullet lists of sub-items. I place all table text into the preceding body paragraph
so that it is included when searching for cybersecurity words.
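The header-detection rule just described, as an added example that is not the paper's code: paragraphs are bucketed by the inline formatting that wraps their text, table and list blocks are left out of the frequency count, the second most common signature is taken as the header style, and table/list text is folded into the preceding factor before the cybersecurity-term search. The paper parses with BeautifulSoup; this version uses only Python's standard-library html.parser. The HTML fragment and the short term list are constructed.

```python
# Added example (not the paper's code): find risk-factor headers in an Item 1A
# HTML fragment by the frequency of paragraph formatting, as described above.
# The paper uses BeautifulSoup; this version uses only the standard library.
from collections import Counter
from html.parser import HTMLParser

# Constructed Item 1A fragment: bold paragraphs are headers, plain paragraphs
# are body text, and the bullet list must not count toward the distribution.
SAMPLE_ITEM_1A = """
<p><b>Our business depends on information technology systems.</b></p>
<p>We rely on systems to process transactions. A failure could harm us.</p>
<p>Security breaches by hackers could expose customer data and disrupt operations.</p>
<p><b>Competition in our markets is intense.</b></p>
<p>We face competition from larger firms with greater resources.</p>
<ul><li>pricing pressure</li><li>loss of market share</li></ul>
<p><b>We depend on key personnel.</b></p>
<p>The loss of executives could adversely affect results.</p>
"""

CYBER_TERMS = ("hacker", "cyber", "security breach", "data breach")  # assumed subset of the paper's list

class ParagraphCollector(HTMLParser):
    """Record (formatting signature, text, is_table_or_list) for each block element."""
    BLOCK_TAGS = {"p", "li", "tr"}

    def __init__(self):
        super().__init__()
        self.blocks = []
        self._in_block = False
        self._excluded = False
        self._stack = []     # inline tags currently open inside the block
        self._sig = set()    # inline tags that actually wrapped some text
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag in self.BLOCK_TAGS:
            self._flush()
            self._in_block, self._excluded = True, tag in ("li", "tr")
        elif self._in_block:
            self._stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.BLOCK_TAGS:
            self._flush()
        elif self._in_block and tag in self._stack:
            self._stack.remove(tag)

    def handle_data(self, data):
        if self._in_block and data.strip():
            self._sig.update(self._stack)
            self._text.append(data.strip())

    def _flush(self):
        if self._in_block and self._text:
            self.blocks.append((frozenset(self._sig), " ".join(self._text), self._excluded))
        self._in_block, self._excluded = False, False
        self._stack, self._sig, self._text = [], set(), []

def split_risk_factors(html_text):
    """Return (header, body) pairs: the second most common formatting marks headers."""
    parser = ParagraphCollector()
    parser.feed(html_text)
    parser.close()
    ranked = Counter(sig for sig, _, excluded in parser.blocks if not excluded).most_common()
    header_sig = ranked[1][0] if len(ranked) > 1 else None   # ranked[0] is body text
    factors = []
    for sig, text, excluded in parser.blocks:
        if sig == header_sig and not excluded:
            factors.append((text, []))
        elif factors:
            factors[-1][1].append(text)     # body, and table/list text, join the preceding factor
    return [(header, " ".join(body)) for header, body in factors]

def cyber_factors(html_text):
    """Headers of the risk factors whose text mentions any cybersecurity term."""
    return [h for h, body in split_risk_factors(html_text)
            if any(term in body.lower() for term in CYBER_TERMS)]

if __name__ == "__main__":
    for header, body in split_risk_factors(SAMPLE_ITEM_1A):
        print(header, "|", body[:60])
    print("cyber:", cyber_factors(SAMPLE_ITEM_1A))
```

A document whose headers use colour or font size rather than a tag would need the signature to include the relevant attributes; the frequency rule itself is unchanged.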
After finding the risk factor headers for a firm in years t and t − 1, I vectorize
the headers using tf-idf and compute the pairwise cosine similarity between each risk
factor header in t and each risk factor header in t− 1. This yields a matrix of cosine
scores. To determine whether a factor in t is novel, or whether it is an updated
version of a factor in t − 1, I create a mapping between the factors in t and t − 1
that maximizes the total pairwise cosine similarity between the two years. Table 2
provides an example matrix of cosine similarity scores.
[Table 2 about here]
This matrix of cosine similarity scores records how closely each risk factor header
at time t − 1 matches a risk factor header at time t. I determine the best mapping
between the time $t-1$ factors and the time $t$ factors by transforming each element
of the matrix, $a_{i,j}$, into $|1 - a_{i,j}|$ and applying the Hungarian Method to the resultant
matrix. This method maps each risk factor in $t-1$ to a factor in $t$ such that no two
factors in t − 1 point to the same factor at t, and the total cosine similarity of each
pair of factors is maximized. In the reported analysis, an assigned pair is considered
to be a successful match (the risk factor at t is the same as at t − 1) if the cosine
similarity between the two is at least 0.75 (similarity is measured on a scale of 0 to
1). Results are robust to alternative cutoffs (e.g. 0.6, 0.9). I allow for scores less than
1, a perfect match, in order to allow for the possibility that risk factor headers could
re-phrase or modify text from one year to the next. However, as scores move further
below 1, there is an increased likelihood that the assigned (t−1, t) pair of risk factors
discuss different concepts.
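The year-over-year matching procedure of this section, as an added worked example (not the paper's code; the paper does not name the libraries it used, and the tf-idf, cosine and Hungarian routines here are my own implementations): headers from both years are vectorized with one vocabulary, the cosine matrix a_ij is built, the Hungarian method runs on |1 − a_ij|, and each year-t factor is labelled as the same factor or a new one using the 0.75 cutoff. The headers are constructed so that one is unchanged, one is rephrased and one is new.

```python
# Added example (not the paper's code): match year t-1 risk-factor headers to
# year t headers with tf-idf vectors, cosine similarity and the Hungarian
# method on the transformed matrix |1 - a_ij|, then apply the 0.75 cutoff.
import math
import re
from collections import Counter

# Constructed headers (illustrative, not from any 10-K).
PREV_HEADERS = [                                       # year t-1
    "Our business depends on information technology systems.",
    "Competition in our markets is intense.",
    "We depend on key personnel.",
]
CURR_HEADERS = [                                       # year t
    "Competition in our markets is intense and increasing.",          # rephrased
    "We depend on key personnel.",                                    # unchanged
    "A cybersecurity breach could harm our reputation and results.",  # new
    "Our business depends on information technology systems.",        # unchanged
]

def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())

def tfidf_vectors(docs):
    """tf = count / length; idf = ln((1+N)/(1+df)) + 1 (smoothed, so no zero vectors)."""
    toks = [tokenize(d) for d in docs]
    n = len(toks)
    df = Counter(t for doc in toks for t in set(doc))
    return [{t: c / len(doc) * (math.log((1 + n) / (1 + df[t])) + 1)
             for t, c in Counter(doc).items()} for doc in toks]

def cosine(u, v):
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0

def similarity_matrix(prev, curr):
    """a_ij = cosine(prev_i, curr_j), with one vocabulary/idf over both years."""
    vecs = tfidf_vectors(prev + curr)
    return [[cosine(p, c) for c in vecs[len(prev):]] for p in vecs[:len(prev)]]

def hungarian(cost):
    """Kuhn-Munkres minimisation for an n x m cost matrix, n <= m.
    Returns assign[i] = column matched to row i (classic potentials version)."""
    n, m = len(cost), len(cost[0])
    INF = float("inf")
    u, v = [0.0] * (n + 1), [0.0] * (m + 1)
    p, way = [0] * (m + 1), [0] * (m + 1)
    for i in range(1, n + 1):
        p[0], j0 = i, 0
        minv, used = [INF] * (m + 1), [False] * (m + 1)
        while True:
            used[j0] = True
            i0, delta, j1 = p[j0], INF, 0
            for j in range(1, m + 1):
                if not used[j]:
                    cur = cost[i0 - 1][j - 1] - u[i0] - v[j]
                    if cur < minv[j]:
                        minv[j], way[j] = cur, j0
                    if minv[j] < delta:
                        delta, j1 = minv[j], j
            for j in range(m + 1):
                if used[j]:
                    u[p[j]] += delta
                    v[j] -= delta
                else:
                    minv[j] -= delta
            j0 = j1
            if p[j0] == 0:
                break
        while j0:                      # augment along the recorded path
            j1 = way[j0]
            p[j0] = p[j1]
            j0 = j1
    assign = [-1] * n
    for j in range(1, m + 1):
        if p[j]:
            assign[p[j] - 1] = j - 1
    return assign

def match_factors(prev, curr, cutoff=0.75):
    """Label each year-t header 'same' (matched with similarity >= cutoff) or 'new'."""
    sim = similarity_matrix(prev, curr)
    cost = [[abs(1.0 - s) for s in row] for row in sim]
    flip = len(prev) > len(curr)             # Hungarian above needs rows <= columns
    assign = hungarian([list(c) for c in zip(*cost)] if flip else cost)
    pairs = {}                               # curr index -> (prev index, a_ij)
    for r, c in enumerate(assign):
        i, j = (c, r) if flip else (r, c)
        pairs[j] = (i, sim[i][j])
    labels = {}
    for j, header in enumerate(curr):
        i, s = pairs.get(j, (None, 0.0))
        labels[header] = ("same", prev[i], round(s, 3)) if s >= cutoff else ("new", None, round(s, 3))
    return labels

if __name__ == "__main__":
    for header, (label, source, score) in match_factors(PREV_HEADERS, CURR_HEADERS).items():
        print(f"{label:4} {score:.3f}  {header}")
```

The rephrased header scores about 0.83 and is kept as the same factor, the new cybersecurity header is left unassigned and labelled new, and the two unchanged headers score 1.0; lowering the cutoff toward 0.6 admits looser rewordings at the cost of more false pairings, as the text notes.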
2.3 Committee Membership
There is not a standard committee designation for the subset of directors more di-
rectly responsible for overseeing cybersecurity risk. I follow survey evidence from the
National Association of Corporate Directors regarding the allocation of cyber respon-
sibilities at the board (NACD 2017). In this survey, only 5% of directors report that
their firm assigns cyber risk oversight to a technology committee. This is consistent
with the observed rarity of technology committees in the Boardex data.11 Per the
survey, 11% of firms assign the cyber risk oversight role to the risk committee, 51%
assign the role to the audit committee, and 41% assign the responsibility to the full
board (the survey allowed directors to select multiple responses).
In order to define which directors are most likely to be presumed responsible
for monitoring cybersecurity risk, one needs a publicly observable proxy for whether
each director has a technical background. In order to do this systematically for
the 13,000 directors in my sample without manually reviewing the resumes of each
director, I define an indicator variable, “tech expert,” that takes value one if the
director ever served on a technology committee at any of her present or past board
positions. This approach allows me to pinpoint which directors are most likely to
have a certain technological background that would lend towards being the point
person on cybersecurity risk monitoring (even if a board did not have a specific tech
committee).
3 Reputational Penalties
How do labor market outcomes change in response to breach events? Past work
documents reputational costs (increased turnover) for directors following intentional
misrepresentations at the firm, such as with option backdating or fraud (Ertimur,
Ferri, and Maber 2012; Fich and Shivdasani 2007). Higher turnover risk also ex-
ists for audit committee members following restatements (Srinivasan 2005) because
11 These committee assignments are not given standard names in the Boardex database and the
restatements indicate a monitoring failure by the directors on this committee. Like-
wise, a director who stays on following a bad event may receive a lower fraction of
the vote in her re-election bid (Ertimur, Ferri, and Maber 2012). In this section, I
investigate turnover and voting outcomes for breach-affiliated directors as two proxies
for reputational penalties following a cybersecurity breach.
3.1 Turnover
I model the turnover likelihood for a director using a Cox proportional hazards model.
A Cox model is preferred to a logistic model of turnover because it more realistically
incorporates the time series of information about a director’s turnover hazard and
recognizes that directors can be at risk without actually turning over (Shumway 2001;
Campbell et al. 2011). The empirical framework is given by equation (1):
$$h(t \mid Z^F, Z^I, X) = h_0(t)\,\exp\!\left(\gamma Z^F_{j,t} + \theta Z^I_{i,j,t} + \beta' X_{i,j,t} + \varepsilon_{i,j,t}\right) \qquad (1)$$
where h(t) is the hazard of turnover for director i at firm j at time t and ZF and ZI
are, respectively, indicators for whether the firm was hacked or whether the director
experienced a hack at an interlocking company. Time t corresponds to the firm’s
fiscal year end; ZF turns on if the firm has been hacked in the 24 months leading up to
the year end t. The vector X corresponds to director and firm controls that may
contribute to a director’s hazard of turnover. I include as controls firm performance
(return on assets) and firm size, as well as governance characteristics of the
firm: board size, percentage of independent directors, the fraction of institutional
investor holdings at the firm, and the firm’s E-index (Bebchuk, Cohen, and Ferrell
2009). I also control for the director’s age, as well as an indicator for whether the
appendix lists the committee names I use to classify a committee as assigned “tech” or “risk.”
director is over 65 to account for non-linearities around the age of retirement, the
number of board positions that the director holds, whether the director is classified
as independent, whether the director is female, whether the director sits on the firm’s
audit committee, and whether the director had any experience with cybersecurity
events prior to her appointment to the board. Finally, I control for two observable
features of the director or the firm that may differentially affect the director’s post-
breach turnover likelihood. First, I control for whether the director could be classified
as a technology expert, as defined in section 2, since this may lead to differential
assumed responsibility for cybersecurity monitoring. Second, I control for whether
the firm disclosed the existence of cybersecurity risk prior to the data breach taking
place.
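The construction of the breach indicators described in section 2.1 and again here (ZF switching on for the two fiscal years whose 24-month look-back contains the breach, ZI switching on when the director's other board was hacked), as an added example that is not the paper's code. Breach dates, board seats and fiscal year ends are constructed; the decision to require the director to have held the other seat at the time of the breach is an assumption of this example.

```python
# Added example (not the paper's code): build the hacked-firm indicator Z^F and
# the interlock indicator Z^I on a director-firm-year panel. Both switch on for
# the fiscal years whose 24-month look-back window contains the breach date.
# Breach dates, board seats and fiscal year ends below are constructed.
from datetime import date

BREACHES = [("ACME", date(2010, 3, 15)), ("ZETA", date(2012, 11, 2))]
SEATS = {   # director -> board seats as (firm, first year held, last year held)
    "Alice": [("ACME", 2008, 2013), ("BETA", 2008, 2013)],
    "Bob":   [("BETA", 2008, 2013)],
    "Cara":  [("ZETA", 2009, 2013), ("ACME", 2011, 2013)],
}
FYE = {"ACME": (12, 31), "BETA": (12, 31), "ZETA": (6, 30)}   # fiscal year-end month/day

def fiscal_year_end(firm, t):
    month, day = FYE[firm]
    return date(t, month, day)

def in_window(breach_date, fye):
    """True if the breach falls in the 24 months ending at the year end: (fye - 2 years, fye]."""
    start = fye.replace(year=fye.year - 2)     # a 29 Feb year end would need special handling
    return start < breach_date <= fye

def z_firm(firm, t):
    """Z^F: 1 if the firm reported a breach in the 24 months up to its fiscal year end t."""
    fye = fiscal_year_end(firm, t)
    return int(any(f == firm and in_window(d, fye) for f, d in BREACHES))

def z_interlock(director, firm, t):
    """Z^I: 1 if the director also sat (at the time of the breach, an assumption here) on
    the board of another firm breached in the window ending at this firm's year end t."""
    fye = fiscal_year_end(firm, t)
    for other, first, last in SEATS[director]:
        if other == firm:
            continue
        if any(f == other and in_window(d, fye) and first <= d.year <= last for f, d in BREACHES):
            return 1
    return 0

def panel(years):
    """Director-firm-year rows (director, firm, t, Z^F, Z^I) for the seats held in each year."""
    return [(director, firm, t, z_firm(firm, t), z_interlock(director, firm, t))
            for director, seats in SEATS.items()
            for firm, first, last in seats
            for t in years if first <= t <= last]

if __name__ == "__main__":
    for row in panel(range(2008, 2014)):
        print(row)
```

Note that the window is anchored on each firm's own fiscal year end: ZETA's November 2012 breach is inside ACME's calendar-year 2012 window (so Cara's ACME interlock indicator is on for 2012) but not inside ZETA's own June 2012 year end, where ZF first turns on in fiscal 2013.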
Table 4 presents the estimated hazard ratios. Recall that in a hazard regression,
a ratio of one indicates no effect. Ratios above one are positive effects, while ratios
below one are negative effects. When a firm reports a data breach, the likelihood of
director turnover rises by 20.5% at the firm (p-value = 0.077). In contrast, turnover
likelihood at a director’s interlocked firms does not change in response to the reported
breach. Thus, directors face employment consequences for their monitoring failure,
but these consequences are limited to the breached firm. This paper is not the first
to document limited reputational penalties for ineffective monitoring – for example,
directors at firms part of the option backdating scandal of 2006-2007 were not any
more likely to lose their jobs at non-backdating firms (Ertimur, Ferri, and Maber
2012). In the next section, I study post-breach changes in risk management at these
interlocking firms and hypothesize a possible reason for retaining these directors at
interlocking firms.
[Table 4 about here]
Given the novelty of cybersecurity as a form of risk, many firms do not list cy-
bersecurity in their annual disclosure of risk factors.12 Does part of the observed
reputational penalty for suffering a data breach stem from failure to inform share-
holders that cybersecurity was a potential threat? I test for this by interacting the
data breach indicator variables (ZF and ZI from equation 1) with an indicator for
whether the firm disclosed cybersecurity as a form of risk in its prior 10-K filing. This
is the 10-K report from fiscal year end t − 2, since the indicators for data breaches
flip on for events over the interval (t− 2, t]. An interaction term less than one would
indicate decreased hazard for directors whose firm disclosed cybersecurity risk prior to
a data breach occurring. The regression results from column two of table 4 indicate
that prior disclosure of risk is not a mitigating factor in post-breach turnover – the
interaction term is statistically indistinguishable from one.
I next consider the possibility that director turnover likelihood in response to a
data breach will be higher when the director has a more direct role in overseeing
cybersecurity risk management. Recall that the indicator variable, “tech expert,”
takes value one if the director ever served on a technology committee at any of her
present or past board positions. Directors with experience on technology committees
for corporate boards are likely to be those most knowledgeable about cybersecurity
risk management practices. It is therefore reasonable to assume that they would be
held most directly responsible for reviewing the corporate practices that failed to stop
a data breach from occurring. The past literature shows increased turnover hazard
for directors most responsible for monitoring failure (Srinivasan 2005; Ertimur, Ferri,
and Maber 2012; Brochet and Srinivasan 2014). Thus, one may expect that directors
classified as “tech experts” would be more likely to turn over following a data breach.
12 Per table 3, roughly 24% of firm-year observations between 2005 and 2013 included a disclosure of cybersecurity risk in Item 1A of a firm’s 10-K filing. Few, if any, firms are completely immune from cybersecurity concerns. One may wonder whether firms choose not to disclose cybersecurity risk because of Item 503(c) in Regulation S-K, which instructs firms not to present shareholders with a set of generic risk factors applicable to any firm. Evidence from Hu, Johnson, and Liu (2017), however, shows that the majority of firms report “downturn/recession” risk as a risk factor. This implies that generic factors are certainly fair game in corporate risk disclosure. More recently, the SEC provided guidance to clarify their position on cybersecurity as a risk factor, and included an 8-point list of items to consider when determining the relevancy of cyber to a company (see Release No. 33-10459, February 21, 2018).
As reported in column three of table 4, a director’s turnover hazard is lower for
technology experts. The total hazard ratio of turnover for a technology expert (the
direct plus the interacted effect) is statistically indistinguishable from one. Outside
penalties at interlocked firms do not change in response to a director’s role at the
breached firm. These results therefore imply that some of the directors most likely
to be held responsible for implementing cybersecurity risk management practices are
the least likely to turn over after a data breach. This is a deviation from prior
work which finds that turnover following monitoring failure is highest among the
group most directly responsible for monitoring. One significant difference between the
“tech experts” of this study and the audit committee members more likely to turn
over following restatements (Srinivasan 2005) as well as the compensation committee
members more likely to turn over following backdating (Ertimur, Ferri, and Maber
2012) is that the supply of technology experts in the labor market for corporate
directors is substantially smaller than the pool of qualified audit or compensation
committee members.
The possibility that labor market constraints affect a director’s reputational penalty
(turnover hazard) following a data breach is further explored in columns four and five
of table 4. Following Knyazeva, Knyazeva, and Masulis (2013), I identify the set of
non-competing firms within a 60-mile radius of the firm’s headquarters. Knyazeva,
Knyazeva, and Masulis (2013) show that this pool of potential directors has a strong
impact on board composition. I define the variable “local market” to be the
log-transformed count of non-competing firms in the firm’s 60-mile radius, and interact
this with the data breach indicator variables “firm breached” and “interlocked firm
breached.” In column four, the positive interaction effect between “local market”
and “firm breached” indicates that the hazard for turnover for directors at hacked
companies increases when the pool of potential replacement directors is larger. In
column five, I focus on a subset of this potential replacement pool. I identify all
inside directors at non-competing firms within a 60-mile radius. These are therefore
directors who are in a firm’s local labor pool. To ensure that they are reasonable
candidates, I filter to the set of directors who have at most one other board appointment
beyond the insider position at their own firm’s board since directors with multiple
other appointments may be less likely to be willing or able to take on an additional
position. I then define the variable “local expert” equal to the percentage of this set
of directors who are classified as “tech experts”, using a log transform to adjust for
skewness. The interaction of “local expert” is significant and positive, showing that
directors at hacked companies face a higher hazard of turnover when the local pool of
replacement directors includes a higher percentage of directors who have some
experience on a board’s technology committee. Moreover, this interaction is significant and
positive for interlocking positions as well, showing that directors face an increased
hazard of turnover at even their interlocking positions when those interlocking firms
have access to replacement directors with a technology background.
The totality of evidence in the turnover analysis suggests that directors face
reputational penalties (increased turnover hazard) following a data breach, but that this
is limited to their breached firm. This effect is mitigated by having a technology
background and exacerbated by working at a firm with a large local pool of
potential replacement options. It is difficult to systematically classify the 3,661 observed
turnovers in my sample as voluntary or involuntary, especially given the limited
information that is provided around most turnover announcements. This distinction is not
an important one to make, however, since either can follow from shareholder
disapproval. Shareholder pressure can lead to forced turnover of a director, or, more likely,
the decision of a director to not seek re-election. The most important limiting factor
of the analysis thus far is that it cannot fully separate turnover resulting from
reputational penalties (i.e. directors leave because shareholders demand it) from turnover
to avoid reputational penalties (i.e. directors leave to separate themselves from bad
press). This latter possibility is consistent with work from Dewally and Peck (2010),
Aharony, Liu, and Yawson (2015), and Fahlenbrach, Low, and Stulz (2017), amongst
others, who argue that directors have an incentive to depart a firm following, or in
advance of, a bad event in order to preserve their reputations. To further distinguish
between these two possibilities, I turn to direct evidence from shareholder
voting.
3.2 Votes Withheld
As direct evidence of whether data breaches affect shareholder approval of board
members, I look to shareholder voting records from ISS.13
13 Names of directors up for election in the ISS voting database are matched to the Boardex-Compustat linked records with the same cusip using the director’s name and the Levenshtein algorithm. Because a director’s first name may be listed differently in different databases (e.g. “Ronald” in one database may be “Ron” in another), I include all diminutive forms of names in the matching procedure, using a diminutive lookup table available at: https://github.com/carltonnorthern/nickname-and-diminutive-names-lookup.
The empirical design follows equation
$$\text{votes withheld}_{i,j,t} = \gamma Z^F_{j,t} + \theta Z^I_{i,j,t} + \beta' X_{i,j,t} + \varepsilon_{i,j,t} \qquad (2)$$
where the votes withheld from director i at firm j at meeting t is a function of whether
the firm was hacked, $Z^F$, and whether the director experienced a breach at one of
her interlocking positions, $Z^I$. The vector X represents a set of controls. The control
vector includes a similar set of observables as in equation 1, with the addition of
variables unique to the ISS voting database. First, I add a control for the fraction of
the vote a director received in her prior election, to account for variation in historical
approval of a director. Second, I control for whether the ISS recommends against
voting favorably at meeting t. The variables of interest, ZF and ZI , are measured
over the interval between a director’s election dates. That is, time t is an event-time
for a director where time t is the current re-election vote for the director and time
t − 1 represents the last time that the director was up for election (whether this was
one or more years prior). The indicators ZF and ZI turn on if there is a data breach
at, respectively, firm j or one of director i’s other appointments over the interval
(t − 1, t]. Votes withheld are measured as the sum of votes against and abstentions,
following Aggarwal, Dahiya, and Prabhala (2017).
The results from estimating equation 2 are reported in column one of table 5.
Votes withheld in a director’s re-election are 1.3 percentage points (p-value = 0.014)
higher following a data breach. This corresponds to a 24% increase over the sample
mean, as reported in table 3. As with turnover risk, shareholder voting does not seem
to negatively respond to interlocking data breaches.
[Table 5 about here]
One weakness of the linear model in equation 2 is that it ignores the endogenous
selection issue surrounding the decision to stand for re-election. For directors who
chose to leave prior to the general meeting, or who choose to let their appointment
expire and not seek re-election to the board, one cannot observe what voting would
have been. This corresponds to the classic Heckman framework in which the outcome
of interest is censored according to a decision rule. In this case, the decision rule is
the selection equation that models the decision to stand for re-election. I therefore
analyze the system
$$\text{votes withheld}_{i,j,t} = \gamma Z^F_{j,t} + \theta Z^I_{i,j,t} + \beta' X_{i,j,t} + \varepsilon_{i,j,t} \quad \text{if re-election}_{i,j,t} = 1$$
$$\text{re-election}_{i,j,t} = \Phi(\omega' X_{i,j,t} + \delta W_{i,t} + \upsilon_{i,j,t}) \qquad (3)$$
using Heckman’s two-step estimator (Heckman 1979; Li and Prabhala 2007). In a
slight abuse of notation, the vector of controls X is the same for the two equations,
save for the ISS recommendation at time t, since this is not observed for directors who
do not stand for re-election. The variable W represents an excluded variable used in
predicting whether or not a director will stand for re-election that is not predictive
of the vote outcome. The outcome of interest is estimated according to
$$\text{votes withheld}_{i,j,t} = \gamma Z^F_{j,t} + \theta Z^I_{i,j,t} + \beta' X_{i,j,t} + \pi \lambda(X_{i,j,t}, W_{i,t}) + \varepsilon_{i,j,t} \qquad (4)$$
where $\lambda(X, W)$ is the inverse Mills ratio that corrects for self-selection from equation
(3).
Strictly speaking, an excluded variable is not required to correctly estimate a
Heckman model. The concern for an excluded variable W is that if the inverse Mills
function $\lambda(\cdot) = -\phi(\cdot)/\Phi(\cdot)$ is approximately linear over the region of observed X then λ
will be a near-linear function of X and thus π will be estimated to be insignificant
due to collinearity with X. This could lead to the false conclusion that sample
selection is irrelevant, since a π coefficient significantly different from zero indicates
a sample-selection problem in the second stage that necessitates use of the Heckman
procedure in place of OLS. In untabulated results, I run the Heckman framework
without an excluded variable W and find a significant π, suggesting that the possible
near-linearity problem of λ(·) is not a concern for the analysis here. However, for
my main analysis, I define a W excluded variable as follows. I determine the set
of current director appointments for the month prior to the re-election date or the
reported departure date of the executive (whichever comes earlier). I then determine
the location of each company headquarters for these board positions, and compute a
director’s “travel distance” as the aggregate travel distance a director would have to
travel to visit each board. The conjecture is that a higher aggregate travel distance
would increase the likelihood of the director choosing to give up a board position. The
total travel distance is estimated conservatively by assuming that the director lives
in the center of these geographic positions (the medoid in the set of geo-coordinates),
unless the director is an inside director at a firm in which case I define her home
zip code to be the zip code of the company headquarters at which she is an insider.
Untabulated analysis finds that a director’s “travel distance” is uncorrelated with
votes withheld, and use of the excluded variable lowers the variance inflation factor
of π (a measure of multi-collinearity) by 52%. These facts combined indicate that
travel distance satisfies the conditions needed to be a useful exclusion variable in the
Heckman two-step procedure.
Column two of table 5 reports second-stage estimation results for equation
3. Similar to the linear form given in column one, the Heckman two-step estimation
shows that votes withheld increase following a data breach. A data breach increases
votes withheld by 1.6 percentage points (p-value = 0.017). As in the OLS
specification, breaches at interlocking firms do not appear to negatively affect a director’s
vote outcome. It is also worthwhile to note that the inverse Mills coefficient is
significantly different from zero, which indicates that models which estimate votes withheld
without correcting for self-selection surrounding the decision to stand for re-election
are misspecified and suffer an omitted variables problem.
Columns three and four of table 5 test for interactive effects between the data
breach indicators $Z^F$ and $Z^I$ and features which may lead to differential voting
outcomes. In column three, I test interaction terms with the indicator variable for
whether the firm disclosed cyber risk at time t − 1. As with director turnover,
disclosure of cybersecurity risk in the prior period does not mitigate the reputational
penalty (here, lower shareholder support) of suffering a data breach. However,
interlocking breaches now seem to matter. For firms that disclose cybersecurity risk,
directors receive lower shareholder support in re-election if these directors
experience a data breach at one of their interlocking appointments. In column four, I test
interaction terms with an indicator for whether the director can be classified as a
technology expert. Consistent with the turnover analysis, the interaction between a
firm data breach and a director’s status as a technology expert is negative, but here
the result is not statistically different from zero.
A natural question following the turnover and shareholder voting analysis is why
interlocking data breaches seem to matter so little to a director’s reputation. Suffering
a data breach at an interlocking appointment does not lead to higher turnover, and
in general does not result in reduced shareholder support at re-election. In the next
section, I investigate post-breach outcomes to determine whether directors alter their
behavior at firms interlocked with a hacked company.
4 Cybersecurity Monitoring
A pervasive assumption in the discussion of cybersecurity risk is that corporate
directors should play a role in mitigating risk.14 Despite this, half of directors report a
lack of confidence in management’s ability to address cyber risk.15
14 See, for example, reports by the National Association of Corporate Directors (NACD 2017), U.S. Senate Bill 536 (Reed, Collins, and Warner 2017), and SEC guidance (Release No. 33-10459, published 2/21/2018).
The labor market for corporate directors may value candidates who have direct experience
with a data breach. The average director stays on at a hacked company for 9 months following a
cybersecurity event. Over this time horizon, she is exposed to a variety of cyber risk
management topics. Several events transpire after a data breach that can serve as
first-hand education for the board. The company enters a cleanup period, in which
they manage notification of affected parties, and, sometimes, set up call centers to
answer questions from concerned customers. The company also faces fallout and the
risk of customer loss, which may lead to an understanding of what approaches do and
do not work in reassuring clients/customers. Additionally, the company faces claims
by litigious parties of potential wrongdoing, in which suggestions of what should have
been done better are laid out. The firm may also conduct an internal review of its
current practices to identify where improvements can be made. Each of these could
translate into learning on the job for breach affiliated directors.
To investigate whether data breach experience alters cybersecurity monitoring of
corporate directors, I look to two publicly observable outcomes for a firm. First,
I identify which firms disclose cybersecurity as a risk factor in their annual report.
Second, I look at the empirically observed propensity to suffer a data breach.
The point of emphasis in this section is on interlocking firms. Post-breach
behavior at a hacked company is less interesting. Firms that suffer a data breach are,
for instance, more likely to discuss cybersecurity risk in their next annual report.
This is not surprising. Many of these disclosures include not only a discussion of the
possibility of future breaches but also a discussion of current breach fallout and, for
example, ongoing litigation risk from the previous breach. Behavior at interlocking
positions provides an interesting laboratory for investigating how a director’s experience
with a data breach changes her cybersecurity monitoring.
15 See “2017-2018 NACD Public Company Governance Survey” published at www.nacdonline.org.
Because the focus is on interlocks that existed at the time of the data breach, the interlocking firms could
not have endogenously selected the director for her cybersecurity experience. Had the
firm done so, it would be hard to attribute any increased cybersecurity monitoring
to the director. Moreover, these interlocking firms are not endogenously chosen by
the director to be at lower-risk of suffering a data breach, since the appointments
were held prior to the cybersecurity event. Had the director chosen an interlocking
position after the breach occurred, one would wonder whether the director selected
this second position to avoid additional cyber fiascoes. Thus, when zeroing in on
the firms that already employed a director who experiences a data breach somewhere
else, one can cleanly attribute post-breach changes in behavior to director experience
following from learning on the job.
4.1 Disclosure of Cybersecurity Risk
Over my sample period, 24% of firm-year observations include a disclosure of
cybersecurity risk in the 10-K filing. How firms determine what to include in their Item
1A filing (disclosure of risk factors) is not well understood. These disclosures only
became mandatory in 2005. Originally, there was concern that the risk factor
disclosures would include a plethora of boilerplate language (Kravet and Muslu 2013).
On average, firms that disclose more risk factors experience higher market betas and
stock return betas post-disclosure (Campbell et al. 2014) and analysts do a better
job of assessing firm risk when risk factors include named entities rather than general
nouns (Hope, Hu, and Lu 2016). Thus, risk factors are generally thought to be
informative about firm risk. However, the process through which firms uncover sources of
risk is still unclear.
Internal governance has been shown to affect corporate transparency in other
areas of disclosure, though much of this literature is focused on the independence
of the board. For example, board independence leads to more precise and accurate
management forecasts (Armstrong, Core, and Guay 2014) and better earnings quality
(Ahmed and Duellman 2007). If first-hand experience with a data breach increases a
director’s awareness of the risk and her ability to identify its presence at interlocking
firms, then one would expect to see interlocking breach experience to be positively
predictive of whether a firm will disclose cybersecurity as a source of risk. I model
this using the logit specification:
$$\operatorname{logit}(D_{i,t}) = \gamma Z^F_{i,t} + \theta Z^I_{i,t} + \beta' X_{i,t} + \varepsilon_{i,t} \qquad (5)$$
where D is an indicator that takes value 1 if firm i discloses cybersecurity risk in
the annual report at the end of fiscal year t. The indicator $Z^F$ takes value 1 if the
firm suffered a data breach in the 24 months ending at the fiscal year end t, and the
indicator ZI takes value 1 if at least one director at firm i experienced a data breach
at one of her interlocking positions over the last 24 months. The vector X contains
firm level controls. Because board structure and composition is thought to affect
transparency, X includes a number of observable governance features: board
independence, average director age, board size, an indicator for whether the board has a
specifically designated risk committee, an indicator for whether the board is classified
as busy (Fich and Shivdasani 2006), and the firm’s E-index (Bebchuk, Cohen, and
Ferrell 2009). The vector X also includes firm observables that could indicate an
increased risk of cyberattack, namely the size of the firm, the amount of sales at the
firm, and the number of employees. Because disclosure of cybersecurity risk may be
initiated by observing a data breach at a peer firm or from direct past experience, I
also control for whether the firm was previously hacked (at any point in its history)
and whether there was a recent data breach at another firm in the industry within
the past 24 months. Additionally, I control for whether the firm previously disclosed
cybersecurity risk, since risk factors are often maintained once added. Finally, all
models include time and industry fixed effects to absorb constant latent time and
industry variation in cybersecurity disclosure.16 Industries are defined at the 2-digit
NAICS level.17
[Table 6 about here]
Table 6 reports the estimation results from equation 5. The estimated coefficient
on the indicator for whether the board is interlocked to a data breach is positive
and significant. A director’s outside experience with a cybersecurity event raises the
estimated propensity to disclose cybersecurity risk by 6.6 percentage points, a 27.7%
increase over the sample average. In column two, I repeat the analysis with a linear
probability model and obtain similar results: a director’s external experience with a
data breach raises the likelihood of a firm to disclose cybersecurity risk.
[Table 7 about here]
One caveat with the analysis thus far is that it cannot completely rule out
spuriously significant results that are driven by similarities in interlocked firms that
run deeper than merely sharing a director.
16 Firm fixed effects are not possible, as it would require the sample to be exclusively contained within firms that had variation in the outcome variable. Over my sample period, many firms always or never disclose cybersecurity risk.
17 Although this is a rather coarse definition, it is necessitated by separation problems induced in maximum likelihood estimates of dichotomous outcomes. At finer levels, one encounters 3-digit or 4-digit NAICS groups that have zero incidence of cyber disclosure. Industry fixed effects at this granularity thus render the maximum likelihood unsolvable. This is an even more substantial problem in the next subsection when I turn to the incidence of data breaches, since many finer groupings of NAICS classifications have zero observed data breaches, though their risk of being breached is likely nonzero.
Economically related firms often share
directors (Dass et al. 2013). Thus, one concern could be that firm A and B are
economically related, happen to share a director, and the increased propensity for
firm B to disclose cyber risk following a data breach at A reflects firm B learning
to identify cyber risks relevant to B by observing similarities in A and B’s exposure
(rather than the disclosure running through learning by the shared director). To rule
out this possibility, I follow Dass et al. (2013) and compute a vertical relatedness
coefficient (VRC) using the Bureau of Economic Analysis Input-Output tables. A
high VRC between two firms represents a significant amount of economic activity
between the two firms’ industries. Thus, firms with higher VRCs are more likely to
be economically related. To ensure that economically linked firms are not driving my
results, I exclude interlocking connections between firms with a VRC in excess of 10%
and re-run the analysis. The estimated coefficient on the indicator for whether the
board is interlocked to a data breach remains positive and significant. The results
are reported in the appendix.
Beyond the incidence of cybersecurity risk disclosure, a natural question is whether
director learning increases the quality of the disclosure. Risk factor disclosure is
thought to be of higher quality when it is more specific to the firm; thus, SEC guidance
recommends that factors be as firm-specific as possible, although this is often not
the case (SEC 2016). Table 7 reports the estimated marginal effects of a director’s
outside experience with cybersecurity on a firm’s quality of disclosure of cybersecurity
risk. This is estimated with a multinomial logit model with the same controls that
are used in (5). The outcome variable considers different cases of cyber disclosure
that depend on the quality of that disclosure. I proxy for the quality of a new
cybersecurity disclosure by dividing new disclosures between those that happen via
a new risk factor and those that happen via an addition to an existing risk factor. I
assume that new risk factors are more specific descriptions of cybersecurity risk and
therefore of higher quality. The marginal change in the probability of switching from
no cybersecurity disclosure to a cybersecurity disclosure via a new risk factor is an 11.5
percentage point increase (p-value < 0.01) for firms that employ a breach-interlocked
director. The marginal change in the probability of switching from no cybersecurity
disclosure to a new cybersecurity disclosure via an addition to an existing risk factor
is a 6.9 percentage point increase (p-value < 0.01) for firms that employ a
breach-interlocked director. Thus, a new data breach experience for a director significantly
changes the likelihood that a connected firm discloses cybersecurity risk, consistent
with table 6. In the last column, I test whether firms are more likely to initiate
cybersecurity disclosure by using a new risk factor or by adding to an existing risk
factor. The results show that a firm is 4.6 percentage points (p-value = 0.016)
more likely to initiate cybersecurity disclosure with a new risk factor when the firm
employs a director with recent data breach experience. Thus, along with an increased
propensity to disclose cybersecurity risk, firms interlocked with a hacked company are
more likely to have a higher quality disclosure of cybersecurity risk.
4.2 Future Cybersecurity Events
As a second measure of director cybersecurity monitoring, I use the propensity of
the firm to suffer a data breach in the following year. One limitation of cyber risk
disclosure is that it could be cheap talk. The board may encourage the firm to
disclose cyber risk merely in an attempt to limit their liability to shareholders without
taking real steps to ensure cybersecurity events are made less likely. On the other
hand, if data breach experience leads to development of director skill in monitoring
cybersecurity risk, one would expect that the probability of a firm suffering a data
breach would decrease. Therefore, in this subsection I study the realized likelihood
of suffering a data breach to learn whether directors with cybersecurity experience
lower their firms’ propensity to suffer a data breach. Importantly, I again look at
shocks to a director’s experience with cybersecurity and its effect on firms at which
the director is already employed. This removes the potential that breach-affiliated
directors will endogenously seek out less risky board appointments in the future. The
primary analysis here follows a logistic model:
$$\operatorname{logit}(H_{i,t+1}) = \gamma Z^F_{i,t} + \theta Z^I_{i,t} + \beta' X_{i,t} + \varepsilon_{i,t} \qquad (6)$$
where H is an indicator that takes value 1 if firm i discloses a data breach over the
interval (t, t + 1]. The indicator $Z^F$ takes value 1 if the firm suffered a data breach
in the 24 months ending at the fiscal year end t, and the indicator ZI takes value 1
if at least one director at firm i experienced a data breach at one of her interlocking
positions over the last 24 months. The vector X contains firm level controls. This
is the same set of controls used in (5), since the factors that affect whether a firm
discloses cybersecurity risk should be similar to the set of factors that characterizes
whether the firm is at risk for a data breach.
Table 8 presents the estimated marginal effects on a firm’s propensity to suffer
a data breach. Column one presents results for a logistic regression model. The
data show that firms employing a director who experiences a data breach at an
interlocking firm are 0.6 percentage points (p-value < 0.01) less likely to experience
a data breach. Though a 60 basis point drop in risk may seem small, it represents
a 33% decrease from the sample mean. Because cybersecurity events are rare in the
data, I repeat the analysis with a complementary log-log model in column two. While
also a dichotomous outcome model, the complementary log-log model is more robust
to sparse outcomes (Cameron and Trivedi 2005). These results are nearly identical to
the logistic specification. Finally, I present the results for a linear probability model
in column three, which has the advantage of easy interpretation of the estimated
coefficients. While the magnitude of the effects appears somewhat smaller (though
still significant) under an OLS estimation, it should be recognized that the linear
probability model predicts negative probabilities of data breaches in 26% of the sample
observations. Therefore, the dichotomous outcome models reported in columns one
and two are likely a more realistic fit of the data.
[Table 8 about here]
4.3 Robustness of the Interlocking Effects
As discussed in section 4.1, the estimated propensity to disclose cybersecurity risk
is robust to excluding interlocks between economically related firms, defined by the
pairwise vertical relatedness coefficient of Dass et al. (2013). Results are inferentially
similar when the “interlocked breach” indicator is flipped back to zero in all instances
in which the interlocking breach was due to a connection to a vertically related firm.
These results are presented in appendix table B1. Likewise, the estimated propensity
to suffer a data breach is robust to exclusion of interlocks between economically
related firms (appendix table B2).
One might ask whether there is some other unobservable factor which explains
why the propensity to disclose cybersecurity risk is higher at interlocking firms. Per-
haps a director happens to be at multiple firms that are at an above-average risk
of suffering a data breach, thus leading to the observed increase in cyber disclosure.
However, absent the presence of director learning, it is hard to rationalize why the
estimated propensity to suffer a data breach becomes lower at these (supposedly,
high-risk) interlocking firms. Likewise one might wonder whether there is some
unobservable factor which explains why the propensity to suffer a data breach is lower
at interlocking firms. Perhaps a director naturally lands at some high-risk and some
low-risk firms. The high-risk boards suffer breaches, but the low-risk (interlocking)
firms do not. However, absent the presence of director learning, it is hard to
rationalize why the estimated propensity to disclose cyber risk becomes higher at these
(supposedly, low-risk) interlocking firms.
As an additional approach to verify that the estimated effects found in this section
are in fact due to director learning, I perform a placebo test by temporally shifting
the “interlocked breach” variable. I redefine this indicator variable to turn on if the
firm is interlocked to a company which will report a data breach next year. Thus,
the indicator picks up on the same variation in connection between firms, but it is
time-shifted such that the interlocking directors would not have actually been exposed
to any potential learning at the hacked firm. The results show that the incidence of
cyber risk disclosure (appendix table B3) and the propensity to suffer a data breach
(appendix table B4) are unaffected by a forward-looking version of the “interlocked
breach” indicator. This implies that the timing of the event matters, and gives
additional support to the claim that the interlocking effects of this section are in fact
driven by directors learning on the job.
The combined results of tables 6, 7, and 8 show that directors who experience
data breaches increase their cyber monitoring at their other current firms. These
interlocked firms are more likely to disclose cyber risk, do so in a higher quality fashion,
and are less likely to experience a data breach. In the next section, I determine
whether this demonstrated increase in monitoring skill is valued in the labor market
for corporate directors.
5 New Board Appointments
Having observed an improvement in cybersecurity risk monitoring by directors at
their interlocking positions following a data breach, a natural question is whether
this experience makes them more valuable in the labor market for corporate directorships.
In the literature on corporate governance, earning new board appointments is
interpreted as a sign of a good reputation in the labor market (Yermack 2004). Thus,
under the hypothesis that cyber experience is viewed positively in the labor market,
one would expect to see an increase in board seats for directors with such experience. I
estimate this using a logistic model:
$\text{logit}(N_{i,t+4}) = \gamma Z_{i,t} + \beta' X_{i,t} + \varepsilon_{i,t}$ (7)
where N is an indicator for whether director i receives at least one new board position
over the interval (t, t + 4] and t indexes time at a quarterly frequency. Variable Z
is an indicator for whether director i experienced a data breach over the 24 months
ending at the end of quarter t. The vector X contains publicly observable features
of a director’s resume that may be relevant in obtaining a new position. Here, I
control for director age and sex, as well as the number of board appointments that
the director has at the end of quarter t. I also control for the average size of the
firms at which the director currently serves and the average performance of those
firms, in order to capture the director’s employment record.
[Table 9 about here]
The results for equation 7 are reported in the first column of table 9. Marginal
effects are reported. A director is 2.5% (p-value < 0.01) more likely to receive a new
position in the next twelve months if she experiences a data breach. The analysis
following equation 7 assumes that the variable Z, an indicator for whether or not
a director experiences a data breach, is distributed randomly. The propensity of a
firm to report a cybersecurity event does indeed appear to be near-random (table 8).
However, as a robustness check I use the doubly-robust matching estimator of Hirano
and Imbens (2001) that matches directors on their propensity to suffer a data breach
and then estimates the propensity to achieve a new board position using the matched
sample. The treatment effect of Z under this econometric framework is reported in
the last line of table 9. This approach yields inferentially similar results. Directors
are significantly more likely to obtain a new directorship in the year following a data
breach.
One caveat to the analysis regarding new directorships is that directors may be
sought out for their reputations as bad monitors, rather than for their reputation
as skilled (good) monitors (Levit and Malenko 2016). Thus,
the new board appointments may reflect the fact that directors who experience data
breaches are understood to be weak monitors, and thus are hired on by firms in which
management has captured the director selection process. While the post-breach monitoring
analysis performed in the prior section does seem to rule out this conjecture
(since directors increase their monitoring activity), as an additional check I zero in
on the directors who receive new positions and compare the E-index of these firms
(Bebchuk, Cohen, and Ferrell 2009) between hacked and un-hacked directors. Firms
with a higher E-index are more likely to have entrenched management. If directors
who experience data breaches are sought out for their reputation as bad monitors,
rather than for their increased skill in cybersecurity risk monitoring, then one would
expect to see them end up at firms with a higher E-index. I show in column two of
table 9 that this is not the case. In fact, of the set of directors who take on new positions,
directors with cybersecurity experience end up at firms with better governance
(as proxied by the firm’s E-index).
The fact that directors who experience data breaches obtain more new positions
is not immediately indicative of better director reputation in the labor market and a
perceived increase in a valuable skill. This is because directors may compromise and
take on less prestigious positions following the cybersecurity event. Thus, in order
to better characterize the types of boards at which directors gain appointments, I
look to firm size as a proxy for prestige (Shivdasani 1993; Adams and Ferreira 2008;
Masulis and Mobbs 2014). All else equal, directors should view a board position at a
larger firm to be more valuable than a position at a smaller firm.
6 Conclusion
This paper studies whether the director labor market values smaller, discrete changes
in director skill on top of the broader resume of the director. In particular, I contrast
post-data breach monitoring activities and labor market outcomes against reputational
penalties at existing board appointments. This allows me to uncover whether
an increased skillset in monitoring for cybersecurity risk (a discrete change in a director’s
skill set) is valued above the possibly damaging news that the director allowed
the data breach to occur.
I find evidence that director turnover hazard at hacked firms is 20% higher following
a data breach and that votes in favor of re-electing the director are 1.3 percentage
points lower. There is a pervasive assumption in the discussion of cyber policy that
internal governance has a positive role to play in mitigating risk, and anecdotal evidence
suggests that shareholders buy into this notion and assign some of the blame
for a data breach to the board. My results give empirical support to these claims.
However, while directors do suffer some reputational penalties at the hacked firm,
I find evidence that a labor pool short on technically skilled directors plays a role in
dampening reputational penalties. Technology experts do not experience increased
turnover risk, and turnover hazard and shareholder support at interlocking firms are
unaffected. Consistent with the hypothesis that learning on the job makes these directors
valuable, thus justifying their retention, I find that post-breach monitoring at
interlocking firms improves. Specifically, the incidence of cybersecurity risk disclosure
increases, the quality of risk disclosure increases, and the propensity to suffer a data
breach decreases.
Finally, I find that directors who experience a data breach are sought out in the
labor market. They take on new positions and at larger (more prestigious) firms. The
results suggest that, at least when the supply of a specific skill is particularly sparse,
learning on the job following a crisis can dominate the stigma of allowing a crisis to
occur in the labor market for corporate directors.
References
Adams, R., B. Hermalin, and M. Weisbach (2010). “The role of boards of directors in corporate governance: A conceptual framework and survey”. Journal of Economic Literature 48.1, pp. 58–107.
Adams, R. B., A. C. Akyol, and P. Verwijmeren (2018). “Director skill sets”. Journal of Financial Economics.
Adams, R. B. and D. Ferreira (2008). “Do directors perform for pay?” Journal of Accounting and Economics 46.1, pp. 154–171.
Aggarwal, R., S. Dahiya, and N. Prabhala (2017). “The Power of Shareholder Votes: Evidence from Director Elections”. Journal of Financial Economics, forthcoming.
Aguilar, L. (2014). Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus. url: https://www.sec.gov/news/speech/2014-spch061014laa (visited on 08/07/2018).
Aharony, J., C. Liu, and A. Yawson (2015). “Corporate litigation and executive turnover”. Journal of Corporate Finance 34, pp. 268–292.
Ahmed, A. S. and S. Duellman (2007). “Accounting conservatism and board of director characteristics: An empirical analysis”. Journal of Accounting and Economics 43.2-3, pp. 411–437.
Armstrong, C. S., J. E. Core, and W. R. Guay (2014). “Do independent directors cause improvements in firm transparency?” Journal of Financial Economics 113.3, pp. 383–403.
Baker, M. and P. A. Gompers (2003). “The Determinants of Board Structure at the Initial Public Offering”. Journal of Law and Economics XLVI, October.
Bebchuk, L., A. Cohen, and A. Ferrell (2009). “What matters in corporate governance”. Review of Financial Studies 22.2, pp. 783–827.
Bjorhus, J. (2014). Clean Reviews Preceded Target’s Data Breach, and Others. url: http://www.govtech.com/security/Clean-Reviews-Preceded-Targets-Data-Breach-and-Others.html (visited on 05/12/2017).
Brochet, F. and S. Srinivasan (2014). “Accountability of independent directors: Evidence from firms subject to securities litigation”. Journal of Financial Economics 111.2, pp. 430–449.
Cameron, A. and P. Trivedi (2005). Microeconometrics: methods and applications. New York: Cambridge University Press.
Campbell, J. L., H. Chen, D. Dhaliwal, H.-m. Lu, and L. Steele (2014). “The Information Content of Mandatory Risk Factor Disclosures in Corporate Filings”. Review of Accounting Studies 19.1, pp. 396–455.
Campbell, T. C., M. Gallmeyer, S. A. Johnson, J. Rutherford, and B. W. Stanley (2011). “CEO optimism and forced turnover”. Journal of Financial Economics 101.3, pp. 695–712.
Dass, N., O. Kini, V. Nanda, B. Onal, and J. Wang (2013). “Board Expertise: Do Directors from Related Industries Help Bridge the Information Gap?” Review of Financial Studies 27.5, pp. 1533–1592.
Dewally, M. and S. W. Peck (2010). “Upheaval in the boardroom: Outside director public resignations, motivations, and consequences”. Journal of Corporate Finance 16.1, pp. 38–52.
Engelberg, J., P. Gao, and C. Parsons (2012). “The Price of a CEO’s Rolodex”. Review of Financial Studies 26.1, pp. 79–114.
Ertimur, Y., F. Ferri, and D. Maber (2012). “Reputation Penalties for Poor Monitoring of Executive Pay: Evidence from Option Backdating”. Journal of Financial Economics 104.1, pp. 118–144.
Fahlenbrach, R., A. Low, and R. M. Stulz (2010). “Why do firms appoint CEOs as outside directors?” Journal of Financial Economics 97.1, pp. 12–32.
— (2017). “Do independent director departures predict future bad events?” Review of Financial Studies 30.7, pp. 2313–2358.
Fama, E. (1980). “Agency Problems and the Theory of the Firm”. The Journal of Political Economy 88.2, pp. 288–307.
Fama, E. and M. Jensen (1983). “Separation of Ownership and Control”. Journal of Law and Economics 26.2, pp. 301–325.
Fich, E. M. and A. Shivdasani (2007). “Financial Fraud, Director Reputation, and Shareholder Wealth”. Journal of Financial Economics 86.2, pp. 306–336.
Fich, E. and A. Shivdasani (2006). “Are busy boards effective monitors?” The Journal of Finance LXI.2.
Field, L. and A. Mkrtchyan (2017). “The Effect of Director Expertise on Acquisition Performance”. Journal of Financial Economics 123, pp. 488–511.
Fontaine, D. and J. R. Stark (2018). Cybersecurity: The SEC’s Wake-up Call to Corporate Directors. url: https://corpgov.law.harvard.edu/2018/03/31/cybersecurity-the-secs-wake-up-call-to-corporate-directors.
Fos, V., K. Li, and M. Tsoutsoura (2018). “Do Director Elections Matter?” The Review of Financial Studies 31.4.
Guner, A. B., U. Malmendier, and G. Tate (2008). “Financial Expertise of Directors”. Journal of Financial Economics 88.2, pp. 323–354.
Harford, J. and R. J. Schonlau (2013). “Does the Director Labor Market Offer Ex Post Settling-Up for CEOs? The Case of Acquisitions”. Journal of Financial Economics 110.1, pp. 18–36.
Heckman, J. J. (1979). “Sample Selection Bias as a Specification Error”. Econometrica 47.1, pp. 153–161.
Hirano, K. and G. Imbens (2001). “Estimation of Causal Effects using Propensity Score Weighting: An Application to Data on Right Heart Catheterization”. Health Services & Outcomes Research Methodology 2, pp. 259–278.
Hope, O. K., D. Hu, and H. Lu (2016). “The Benefits of Specific Risk-Factor Disclosures”. Review of Accounting Studies 21.4, pp. 1005–1045.
Hu, S., S. A. Johnson, and Y. Liu (2017). “Asset Pricing under Uncertainty”. SSRN Working Paper.
Knyazeva, A., D. Knyazeva, and R. Masulis (2013). “The Supply of Corporate Directors and Board Independence”. Review of Financial Studies 26.6, pp. 1561–1605.
Kravet, T. and V. Muslu (2013). “Textual risk disclosures and investors’ risk perceptions”. Review of Accounting Studies 18.4, pp. 1088–1122.
Krishnan, J., Y. Wen, and W. Zhao (2011). “Legal expertise on corporate audit committees and financial reporting quality”. Accounting Review 86.6, pp. 2099–2130.
Levit, D. and N. Malenko (2016). “The Labor Market for Directors and Externalities in Corporate Governance”. Journal of Finance 71.2, pp. 775–808.
Li, K. and N. Prabhala (2007). “Self-selection models in corporate finance”. Handbook of Empirical Corporate Finance. Ed. by B. E. Eckbo. 1st ed. Vol. 1. Oxford: Elsevier. Chap. 2, pp. 37–86.
Masulis, R., C. Ruzzier, S. Xiao, and S. Zhao (2012). “Do Independent Expert Directors Matter?” Working paper.
Masulis, R. W. and S. Mobbs (2014). “Independent Director Incentives: Where do Talented Directors Spend Their Limited Time and Energy”. Journal of Financial Economics 111.2, pp. 406–429.
NACD (2017). Cyber-Risk Oversight. Tech. rep. National Association of Corporate Directors. url: https://www.nacdonline.org/files/FileDownloads/NACDCyber-RiskOversightHandbook2017.pdf.
Ponemon Institute LLC (2017). “2017 Cost of Data Breach Study”. March, pp. 1–34. url: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN&.
Reed, J., S. Collins, and M. Warner (2017). Cybersecurity Disclosure Act of 2017. url: https://www.congress.gov/bill/115th-congress/senate-bill/536 (visited on 05/12/2017).
SEC (2016). Concept Release on Business and Financial Disclosure Required by Regulation S-K. url: https://www.sec.gov/comments/s7-06-16/s70616-25.pdf (visited on 12/05/2017).
Shivdasani, A. (1993). “Board composition, ownership structure and hostile takeovers”. Journal of Accounting and Economics 16, pp. 167–198.
Shumway, T. (2001). “Forecasting Bankruptcy More Accurately: A Simple Hazard Model”. Journal of Business 7.1, pp. 101–124.
Srinivasan, S. (2005). “Consequences of Financial Reporting Failure for Outside Directors: Evidence from Accounting Restatements and Audit Committee Members”. Journal of Accounting Research 43 (May), pp. 291–334.
Von Meyerinck, F., D. Oesch, and M. Schmid (2016). “Is Director Industry Experience Valuable?” Financial Management 45.1, pp. 207–237.
Wang, C., F. Xie, and M. Zhu (2015). “Industry Expertise of Independent Directors and Board Monitoring”. Journal of Financial and Quantitative Analysis 50.05, pp. 929–962.
Yermack, D. (2004). “Remuneration, Retention, and Reputation”. Journal of Finance LIX.5, pp. 2281–2308.
A Word Lists for Classifying Cyber Disclosure and Board Committees
Cybersecurity words. I search 10-K item 1A filings for the following words related to
cybersecurity risk: cyber, data?breach*, cyber?security, cyber?attack*, computer?hack*,
hack*, information?security, unauthorized?access, security?breach*. I use ? as a wildcard
to mean either “” or “ ” since some firms use the spelling “cybersecurity” while
others use “cyber security” or “cyber-security” (I convert hyphens to spaces in preprocessing).
The wildcard * denotes any number of trailing alphabetic characters so
that plurals (e.g. “data breaches”) are picked up in the analysis.
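As an added illustration (not the paper's own code), the following Python implements this word-list classifier: it expands the “?” and “*” wildcards into a regular expression, applies the hyphen-to-space preprocessing, and reports which patterns fire on a few constructed Item 1A sentences.

```python
import re

# Appendix A word list, in the paper's own notation:
# "?" stands for "" or " ", "*" for any run of trailing letters.
CYBER_PATTERNS = [
    "cyber", "data?breach*", "cyber?security", "cyber?attack*",
    "computer?hack*", "hack*", "information?security",
    "unauthorized?access", "security?breach*",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one Appendix A pattern into a compiled regex.

    "?" becomes an optional single space and "*" becomes [a-z]*; the whole
    pattern is anchored on word boundaries so "hack*" matches "hackers" but
    not "shack".
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(r" ?")
        elif ch == "*":
            parts.append(r"[a-z]*")
        else:
            parts.append(re.escape(ch))
    return re.compile(r"\b" + "".join(parts) + r"\b")


COMPILED = [(p, pattern_to_regex(p)) for p in CYBER_PATTERNS]


def preprocess(text: str) -> str:
    """Lower-case, turn hyphens into spaces (as the paper does before matching,
    so "cyber-security" and "cyber security" coincide) and collapse whitespace."""
    return re.sub(r"\s+", " ", text.lower().replace("-", " ")).strip()


def cyber_hits(risk_factor_text: str) -> dict:
    """Return {pattern: [matched phrases]} for every pattern that fires."""
    text = preprocess(risk_factor_text)
    hits = {}
    for pat, rx in COMPILED:
        found = rx.findall(text)
        if found:
            hits[pat] = found
    return hits


def discloses_cyber_risk(risk_factor_text: str) -> bool:
    """The paper's indicator: does the Item 1A text mention cyber risk?"""
    return bool(cyber_hits(risk_factor_text))


# Constructed sample risk factors (not taken from any real 10-K).
SAMPLE_CYBER = ("A cyber-attack or data breaches involving customer data "
                "could harm our reputation and expose us to liability.")
SAMPLE_HACK = "Unauthorized access by hackers could disrupt our operations."
SAMPLE_OTHER = "Fluctuations in commodity prices could reduce our margins."

if __name__ == "__main__":
    for name, text in [("cyber", SAMPLE_CYBER), ("hack", SAMPLE_HACK),
                       ("other", SAMPLE_OTHER)]:
        print(name, discloses_cyber_risk(text), cyber_hits(text))
```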
Boardex committee names. The following is a list of all committee names in
the Boardex database that I use to classify a director as having a technology role:
cyber security, technology, technology environmental social responsibility, technology
& development, technology & products, technology advisory, technology risk,
technology strategy and innovation, technology strategy and investment, technology
and acquisition, technology and competition, technology and corporate responsibility,
technology and environment, technology and quality, technology and reserves,
technology and safety, technology and science, technology and strategy, technology
and transactions, e-commerce and technology, health it, health safety environment
and technology, it, it oversight, it steering, information systems, information systems
steering committee, information technology, information technology and security, risk
and information security, safety environment and technology, science and technology,
science and technology advisory, scientific and technology, technical, technical health
safety and environmental, technical advisory, technical services, technical and commercial
oversight, technical and operations, technical and projects, technical and
reserves, technical and resources, technical and safety.
The following is a list of all committee names in the Boardex database that I use to
classify a director as having a risk role: corporate risk, enterprise risk management,
governance & risk, governance nominating & risk oversight, governance and risk,
risk, risk compliance and planning, risk & credit, risk assessment, risk capital and
subsidiaries, risk management, risk management & compliance, risk management
and finance, risk oversight, risk oversight and management, risk policy, risk policy
and capital, risk review, risk review investment and loan, risk and capital, risk and
credit policy, risk and public policy, risk and regulatory, risk and return, risk and
safety health and environment.
B Robustness Checks
This section reports the estimates for the robustness checks discussed in sections 4.1
and 4.3. In the first set of tests, I verify that the estimated effects of sharing a director
with a hacked company are not due to economic connections between the firms. I flip
the indicator “interlocked breach” back to zero in instances in which the interlocking
hacked firm has a pairwise vertical relatedness coefficient (Dass et al. 2013) of greater
than 10%. In the second set of tests, I temporally shift the indicator of “interlocked
breach” so that it turns on in the year before the breach at the interlocking firm. This
maintains variation in pairwise connections between firms, but turns the indicator on
prior to any possibility of learning on the job by the interlocking director.
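As an added illustration (not the paper's own code) of how the “interlocked breach” indicator, its related-firm exclusion (this appendix) and its placebo shift (this appendix and section 4.3) are built, the following Python constructs all three on a small made-up set of board seats and breach events. The 24-month window, the 10% relatedness cutoff and the one-year placebo horizon follow the text; the integer quarterly index and the sample data are constructed for the example.

```python
from collections import defaultdict

WINDOW_Q = 8           # "interlocked breach" stays on for 24 months = 8 quarters
PLACEBO_Q = 4          # placebo version looks for a breach in the following year
RELATED_CUTOFF = 0.10  # vertical relatedness above which an interlock is dropped


def quarter(year: int, q: int) -> int:
    """Integer quarterly time index t (an assumption of this example)."""
    return year * 4 + (q - 1)


# Constructed sample data (not from the paper's dataset).
SEATS = [("D1", "X"), ("D1", "Y"), ("D2", "X"), ("D2", "Z"), ("D3", "W")]
BREACHES = {"X": [quarter(2010, 3)]}           # X reports a breach in 2010Q3
RELATEDNESS = {frozenset({"X", "Z"}): 0.25}   # X and Z are vertically related


def boards_by_director(seats):
    """director -> set of firms on whose boards the director sits."""
    out = defaultdict(set)
    for director, firm in seats:
        out[director].add(firm)
    return out


def directors_of(seats):
    """firm -> set of its directors."""
    out = defaultdict(set)
    for director, firm in seats:
        out[firm].add(director)
    return out


def firm_breach(firm, t, breaches, window=WINDOW_Q):
    """1 if `firm` reported a breach in the 24 months ending at quarter t."""
    return int(any(q <= t < q + window for q in breaches.get(firm, [])))


def future_breach(firm, t, breaches, horizon=PLACEBO_Q):
    """Placebo counterpart: 1 if `firm` will report a breach within the next
    `horizon` quarters, i.e. before any learning could have taken place."""
    return int(any(t < q <= t + horizon for q in breaches.get(firm, [])))


def interlocked_breach(firm, t, seats, breaches, relatedness=None, placebo=False):
    """1 if a director of `firm` also sits on a firm whose breach indicator is
    on at t (or, with placebo=True, will turn on in the coming year).

    relatedness maps frozenset({f1, f2}) -> vertical relatedness coefficient;
    when given, interlocks above RELATED_CUTOFF are ignored (the exclusion
    used for tables B1 and B2).
    """
    flag = future_breach if placebo else firm_breach
    by_director = boards_by_director(seats)
    for director in directors_of(seats).get(firm, set()):
        for other in by_director[director] - {firm}:
            if relatedness and relatedness.get(frozenset({firm, other}), 0.0) > RELATED_CUTOFF:
                continue
            if flag(other, t, breaches):
                return 1
    return 0


if __name__ == "__main__":
    t0 = quarter(2010, 3)
    for f in ("Y", "Z", "W"):
        print(f, interlocked_breach(f, t0, SEATS, BREACHES),
              interlocked_breach(f, t0, SEATS, BREACHES, RELATEDNESS),
              interlocked_breach(f, t0 - 2, SEATS, BREACHES, placebo=True))
```

In the sample, Y is flagged through director D1 for the eight quarters starting 2010Q3, Z is flagged only until the related-firm exclusion is applied, and the placebo flag for Y is on in the year before X's breach and off once the breach has occurred.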
Table B1: Estimated Propensity to Disclose Cybersecurity Risk
This table estimates the probability of a firm including cybersecurity risk in its disclosed set of risk factors in its 10-K filing. Column one presents marginal effects from a logistic regression, whereas column two reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. To verify that interlocking effects are not driven by economic links between the two firms, I turn off the indicator for connections between firms with a vertical relatedness coefficient in excess of 10%. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                            (1) Logit    (2) LPM
Interlocked breach (excl. related firms)    0.078***     0.057**
                                            (0.027)      (0.021)
Firm breach                                 0.145        0.124
                                            (0.107)      (0.077)
Firm was previously hacked                  0.229***     0.150***
                                            (0.028)      (0.021)
Percent independent                         0.009        0.006
                                            (0.021)      (0.015)
ROA                                         0.023        0.012
                                            (0.015)      (0.013)
log(total assets)                           -0.058**     -0.045*
                                            (0.029)      (0.021)
log(sales + 1)                              0.035        0.022
                                            (0.023)      (0.018)
log(number of employees)                    0.025        0.024
                                            (0.033)      (0.028)
Number of breached peer firms               0.030**      0.025**
                                            (0.014)      (0.011)
Avg. director age                           -0.004       -0.003
                                            (0.004)      (0.003)
Number of directors                         -0.002       -0.002
                                            (0.010)      (0.007)
Hack in industry                            0.001        0.001
                                            (0.002)      (0.002)
E-index                                     0.009        0.003
                                            (0.010)      (0.008)
Previously disclosed cyber risk             1.088***     0.480***
                                            (0.186)      (0.055)
Busy board                                  0.019        0.004
                                            (0.048)      (0.032)
Firm has risk committee                     -0.014       -0.012
                                            (0.029)      (0.023)
N                                           2318         2318
Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table B2: Probability of Reporting a Data Breach
This table reports estimates of the probability of a firm experiencing a data breach. Column one shows marginal effects from a logistic regression where the outcome variable is an indicator for whether the firm reports a cybersecurity event. Column two repeats the analysis with a complementary log-log model as a sparse-outcome robust alternative to the logit regression. Column three reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. To verify that interlocking effects are not driven by economic links between the two firms, I turn off the indicator for connections between firms with a vertical relatedness coefficient in excess of 10%. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                            (1) Logit    (2) Cloglog   (3) LPM
Interlocked breach (excl. related firms)    -0.007***    -0.008***     -0.024**
                                            (0.002)      (0.002)       (0.008)
Firm breach                                 -0.000       -0.000        0.031
                                            (0.003)      (0.003)       (0.027)
Firm was previously hacked                  0.005**      0.005**       0.042**
                                            (0.002)      (0.002)       (0.016)
Percent independent                         -0.001*      -0.001        -0.004
                                            (0.001)      (0.001)       (0.003)
ROA                                         0.001        0.001         0.001
                                            (0.001)      (0.001)       (0.002)
log(total assets)                           0.000        -0.000        -0.004
                                            (0.002)      (0.003)       (0.011)
log(sales + 1)                              0.004        0.004         0.012
                                            (0.002)      (0.003)       (0.010)
log(number of employees)                    0.001        0.001         0.007
                                            (0.002)      (0.002)       (0.008)
Number of breached peer firms               0.000        0.000         0.000
                                            (0.001)      (0.001)       (0.004)
Avg. director age                           -0.000**     -0.000**      -0.001
                                            (0.000)      (0.000)       (0.001)
Number of directors                         0.000        0.000         0.000
                                            (0.000)      (0.000)       (0.001)
Hack in industry                            -0.001***    -0.001***     -0.002***
                                            (0.000)      (0.000)       (0.001)
E-index                                     0.001        0.001         0.003
                                            (0.001)      (0.001)       (0.003)
Previously disclosed cyber risk             -0.000       -0.000        0.002
                                            (0.002)      (0.002)       (0.009)
Busy board                                  -0.004       -0.004        -0.013
                                            (0.005)      (0.005)       (0.009)
Firm has risk committee                     -0.002       -0.002        -0.006
                                            (0.003)      (0.003)       (0.007)
N                                           2318         2318          2318
Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table B3: Estimated Propensity to Disclose Cybersecurity Risk
This table estimates the probability of a firm including cybersecurity risk in its disclosed set of risk factors in its 10-K filing. Column one presents marginal effects from a logistic regression, whereas column two reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. As a placebo test, the “interlocked breach” variable is temporally shifted so that it turns on in the year prior to a breach. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                            (1) Logit    (2) LPM
Interlocked breach (t+1)                    0.034        0.030
                                            (0.056)      (0.045)
Firm breach                                 0.146        0.119
                                            (0.107)      (0.076)
Firm was previously hacked                  0.236***     0.153***
                                            (0.027)      (0.021)
Percent independent                         0.010        0.007
                                            (0.022)      (0.015)
ROA                                         0.024        0.013
                                            (0.015)      (0.013)
log(total assets)                           -0.058*      -0.043*
                                            (0.030)      (0.021)
log(sales + 1)                              0.040*       0.026
                                            (0.022)      (0.017)
log(number of employees)                    0.024        0.022
                                            (0.033)      (0.027)
Number of breached peer firms               0.035**      0.027**
                                            (0.015)      (0.012)
Avg. director age                           -0.004       -0.003
                                            (0.004)      (0.003)
Number of directors                         -0.003       -0.002
                                            (0.010)      (0.007)
Hack in industry                            0.001        0.001
                                            (0.002)      (0.002)
E-index                                     0.009        0.003
                                            (0.010)      (0.008)
Previously disclosed cyber risk             1.092***     0.480***
                                            (0.183)      (0.054)
Busy board                                  0.020        0.007
                                            (0.050)      (0.032)
Firm has risk committee                     -0.015       -0.013
                                            (0.031)      (0.023)
N                                           2318         2318
Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table B4: Probability of Reporting a Data Breach
This table reports estimates of the probability of a firm experiencing a data breach. Column one shows marginal effects from a logistic regression where the outcome variable is an indicator for whether the firm reports a cybersecurity event. Column two repeats the analysis with a complementary log-log model as a sparse-outcome robust alternative to the logit regression. Column three reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. As a placebo test, the “interlocked breach” variable is temporally shifted so that it turns on in the year prior to a breach. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                            (1) Logit    (2) Cloglog   (3) LPM
Interlocked breach (t+1)                    -0.002       -0.002        -0.008
                                            (0.003)      (0.003)       (0.015)
Firm breach                                 0.001        0.001         0.033
                                            (0.002)      (0.002)       (0.027)
Firm was previously hacked                  0.004*       0.004*        0.041**
                                            (0.002)      (0.002)       (0.016)
Percent independent                         -0.001*      -0.001*       -0.004
                                            (0.001)      (0.001)       (0.003)
ROA                                         0.001        0.001         0.001
                                            (0.001)      (0.001)       (0.002)
log(total assets)                           0.000        0.000         -0.005
                                            (0.002)      (0.002)       (0.011)
log(sales + 1)                              0.003        0.003         0.011
                                            (0.002)      (0.003)       (0.010)
log(number of employees)                    0.001        0.001         0.007
                                            (0.001)      (0.001)       (0.008)
Number of breached peer firms               -0.000       -0.000        -0.001
                                            (0.001)      (0.001)       (0.004)
Avg. director age                           -0.000**     -0.000**      -0.001
                                            (0.000)      (0.000)       (0.001)
Number of directors                         0.000        0.000         0.000
                                            (0.000)      (0.000)       (0.001)
Hack in industry                            -0.001***    -0.001***     -0.002***
                                            (0.000)      (0.000)       (0.001)
E-index                                     0.001        0.001         0.003
                                            (0.001)      (0.001)       (0.003)
Previously disclosed cyber risk             0.000        0.001         0.002
                                            (0.003)      (0.003)       (0.009)
Busy board                                  -0.004       -0.004        -0.014
                                            (0.004)      (0.004)       (0.010)
Firm has risk committee                     -0.001       -0.001        -0.005
                                            (0.002)      (0.002)       (0.007)
N                                           2318         2318          2318
Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table 1: Data Breach Events
This table documents the frequency of data breach events by year and NAICS sector. The dataset includes all cybersecurity events reported by Privacy Rights Clearinghouse which merge into the Compustat universe, using the matching procedure described in section 2.1.

NAICS Sector                                       2005  2006  2007  2008  2009  2010  2011  2012  2013  Total
Utilities                                             0     2     0     0     0     0     0     0     0      2
Construction                                          0     0     1     0     0     0     1     0     0      2
Manufacturing                                         4     7    12     8     1     4     1     5     6     48
Wholesale Trade                                       0     1     0     0     0     3     0     0     0      4
Retail Trade                                          1     3     7     2     0     6     7     5     9     40
Transportation and Warehousing                        0     2     1     0     1     2     3     0     0      9
Information                                           1     1     5     1     8     5     1     6     5     33
Finance and Insurance                                 6    13     9     7     6    16     7     2     5     71
Real Estate and Rental and Leasing                    1     1     2     0     0     2     2     1     2     11
Professional, Scientific, and Technical Services      1     0     4     2     1     1     0     2     0     11
Administrative Support                                0     1     1     0     0     1     1     3     3     10
Educational Services                                  0     1     0     0     0     0     0     0     0      1
Healthcare Services                                   0     3     0     2     0     2     0     2     2     11
Accommodation and Food Services                       1     1     1     2     0     5     5     2     0     17
Total                                                15    36    43    24    17    47    28    28    32    270
Table 2: Example Mapping of Risk Factors Between $t-1$ and $t$
This table provides an example mapping between risk factors for a firm at time $t$ and time $t-1$. Each cell reports the cosine similarity between $rf^i_t$ and $rf^j_{t-1}$. In this example, $rf^b_{t-1}$ maps to $rf^C_t$, $rf^a_{t-1}$ maps to $rf^B_t$, and $rf^A_t$ is classified as a new risk factor. To establish a mapping between $t-1$ and $t$ I convert each element $a_{i,j}$ in the matrix (a cosine similarity) by $|1 - a_{i,j}|$ and apply the Hungarian Method to the resultant matrix.

                $rf^A_t$   $rf^B_t$   $rf^C_t$
$rf^a_{t-1}$    0.032      0.95       0.09
$rf^b_{t-1}$    0.12       0.21       0.99
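As an added illustration (not the paper's own code), the following Python reproduces the mapping in Table 2: it turns each cosine similarity $a_{i,j}$ into the cost $|1-a_{i,j}|$, solves the minimum-cost assignment (the problem the paper hands to the Hungarian Method, solved here by enumeration because the instance is tiny) and labels unmatched time-$t$ risk factors as new. The term-frequency cosine used to build a matrix from raw text is an assumption of this example; the paper does not state how risk factors are vectorised.

```python
from collections import Counter
from itertools import permutations
from math import sqrt


def cosine_similarity(text_a: str, text_b: str) -> float:
    """Cosine similarity of two risk factors on plain term counts
    (assumption: the paper does not specify its vectorisation)."""
    va, vb = Counter(text_a.lower().split()), Counter(text_b.lower().split())
    dot = sum(va[w] * vb[w] for w in va.keys() & vb.keys())
    na = sqrt(sum(x * x for x in va.values()))
    nb = sqrt(sum(x * x for x in vb.values()))
    return dot / (na * nb) if na and nb else 0.0


def similarity_matrix(old: dict, new: dict) -> dict:
    """{old_id: {new_id: cosine}} for risk factors at t-1 (old) and t (new)."""
    return {i: {j: cosine_similarity(ti, tj) for j, tj in new.items()}
            for i, ti in old.items()}


def cost_matrix(sim: dict) -> dict:
    """Convert similarities a_ij into the assignment costs |1 - a_ij|."""
    return {i: {j: abs(1 - a) for j, a in row.items()} for i, row in sim.items()}


def min_cost_assignment(cost: dict) -> dict:
    """Minimum-cost one-to-one assignment of rows to columns ({row: col}).

    This is the rectangular assignment problem the paper solves with the
    Hungarian Method; the small instances here are solved by enumerating
    the injections from the shorter side, which yields the same optimum.
    """
    rows = list(cost)
    cols = list(next(iter(cost.values())))
    if len(rows) <= len(cols):
        best = min(permutations(cols, len(rows)),
                   key=lambda p: sum(cost[r][c] for r, c in zip(rows, p)))
        return dict(zip(rows, best))
    best = min(permutations(rows, len(cols)),
               key=lambda p: sum(cost[r][c] for r, c in zip(p, cols)))
    return dict(zip(best, cols))


def map_risk_factors(sim: dict):
    """Return (mapping t-1 -> t, new risk factors at t, dropped ones from t-1)."""
    mapping = min_cost_assignment(cost_matrix(sim))
    cols = list(next(iter(sim.values())))
    new = [j for j in cols if j not in mapping.values()]
    dropped = [i for i in sim if i not in mapping]
    return mapping, new, dropped


# The similarity matrix of Table 2 (rows rf^a_{t-1}, rf^b_{t-1};
# columns rf^A_t, rf^B_t, rf^C_t).
TABLE_2 = {
    "a": {"A": 0.032, "B": 0.95, "C": 0.09},
    "b": {"A": 0.12, "B": 0.21, "C": 0.99},
}

if __name__ == "__main__":
    print(map_risk_factors(TABLE_2))  # ({'a': 'B', 'b': 'C'}, ['A'], [])
```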
Table 3: Summary Statistics
This table reports summary statistics of the data used. Panel A reports director-level variables, while panel B reports firm-level variables. All variables are defined in the text. The primary variables of interest in this paper are indicators for whether a firm suffers a data breach or whether an interlocking firm suffers a data breach.

Panel A: Director-level variables
                                  Mean       Std. Deviation
Data breach                       0.043      0.202
Age                               61.892     8.036
Age over 65                       0.346      0.476
Female                            0.146      0.353
Num. directorships                1.735      0.956
Independent dir.                  0.940      0.238
Previous cyber exp.               0.015      0.122
On audit committee                0.538      0.499
Tech expert                       0.045      0.206
Votes withheld                    5.418      7.876
ISS against                       0.109      0.312
Travel distance                   681.734    1352.244

Panel B: Firm-level variables
                                  Mean       Std. Deviation
Interlocked breach                0.143      0.350
Firm breach                       0.018      0.132
Firm was previously hacked        0.066      0.249
Percent independent               0.845      0.074
Number of directors               9.302      2.392
E-index                           0.023      1.042
Discloses cyber risk              0.238      0.426
ROA                               0.057      0.083
log(total assets)                 7.775      1.538
log(sales + 1)                    7.323      1.436
log(number of employees)          1.949      1.275
Hack in industry                  10.350     8.477
Number of breached peer firms     15.492     10.370
Avg. director age                 60.924     4.222
Busy board                        0.044      0.205
Firm has risk committee           0.085      0.278
Local market                      2.131      1.818
Local expert                      0.010      0.031
Table 4: Hazard of Director Turnover Following a Cybersecurity Event
This table reports hazard ratios for the variables used in predicting a director’s turnover. The primary interest is in the hazards for “firm breached,” an indicator for whether the firm had a data breach within the last two years, and “interlocked firm breached,” an indicator for whether the director experienced a data breach at one of her other firms in the last two years. The table shows that directors are more likely to turn over at a firm that reports a data breach (standard errors reported in parentheses).

                              (1)        (2)        (3)        (4)        (5)
Firm breach                   1.205*     1.160      1.288**    1.195*     1.086
                              (0.127)    (0.138)    (0.139)    (0.129)    (0.135)
... × Disclosed cyber risk               1.214
                                         (0.300)
... × Tech expert                                   0.411**
                                                    (0.182)
... × Local market                                             1.300***
                                                               (0.124)
... × Local expert                                                        2.369**
                                                                          (0.806)
Interlocked firm breach       1.019      1.113      1.048      1.017      1.014
                              (0.140)    (0.161)    (0.154)    (0.143)    (0.141)
... × Disclosed cyber risk               0.529
                                         (0.219)
... × Tech expert                                   0.794
                                                    (0.304)
... × Local market                                             1.019
                                                               (0.123)
... × Local expert                                                        1.263***
                                                                          (0.108)
Return on assets              0.961**    0.961**    0.961**    0.962**    0.962**
                              (0.016)    (0.016)    (0.016)    (0.016)    (0.016)
log(total assets)             0.999      0.999      0.999      0.998      0.998
                              (0.023)    (0.023)    (0.023)    (0.023)    (0.023)
Institutional holdings        0.770***   0.770***   0.770***   0.769***   0.769***
                              (0.015)    (0.015)    (0.015)    (0.015)    (0.015)
Local market                  1.085***   1.085***   1.085***   1.092***   1.088***
                              (0.021)    (0.021)    (0.021)    (0.021)    (0.021)
Local expert                  1.047***   1.047***   1.047***   1.047***   1.048***
                              (0.012)    (0.012)    (0.012)    (0.012)    (0.012)
Age                           0.984***   0.984***   0.984***   0.984***   0.984***
                              (0.004)    (0.004)    (0.004)    (0.004)    (0.004)
Num. directorships            0.969      0.969      0.970      0.970      0.970
                              (0.019)    (0.019)    (0.019)    (0.019)    (0.019)
Pct. board indep.             6.741***   6.744***   6.721***   6.732***   6.681***
                              (1.674)    (1.675)    (1.669)    (1.670)    (1.657)
Board size                    1.002      1.002      1.002      1.002      1.002
                              (0.008)    (0.008)    (0.008)    (0.008)    (0.008)
E-index                       0.956***   0.955***   0.956***   0.957***   0.957***
                              (0.015)    (0.015)    (0.015)    (0.015)    (0.015)
Previous cyber exp.           2.325***   2.343***   2.317***   2.306***   2.311***
                              (0.394)    (0.398)    (0.392)    (0.392)    (0.393)
Female                        1.024      1.023      1.024      1.022      1.024
                              (0.056)    (0.056)    (0.056)    (0.056)    (0.056)
Age over 65                   1.338***   1.339***   1.338***   1.337***   1.340***
                              (0.075)    (0.075)    (0.075)    (0.075)    (0.075)
Independent dir.              1.571***   1.571***   1.575***   1.572***   1.571***
                              (0.144)    (0.144)    (0.144)    (0.144)    (0.144)
Audit committee               0.905***   0.905***   0.905***   0.905***   0.906***
                              (0.032)    (0.032)    (0.032)    (0.032)    (0.032)
Disclosed cyber risk          1.349***   1.353***   1.347***   1.349***   1.349***
                              (0.067)    (0.069)    (0.067)    (0.067)    (0.067)
Tech expert                   1.215**    1.213**    1.274***   1.216**    1.211**
                              (0.102)    (0.102)    (0.110)    (0.102)    (0.101)
N                             51065      51065      51065      51065      51065
N directors                   13282      13282      13282      13282      13282
N turnovers                   3661       3661       3661       3661       3661
Hazard ratios reported.
Standard errors (clustered on director) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table 5: Votes Withheld in Re-Election Bids Following a Cybersecurity Event
This table reports estimated coefficients for the variables used in predicting the percentage of votes withheld in a director’s re-election bid. The first column shows estimates from an ordinary least squares regression. The remaining columns report second-stage coefficients from a two-step Heckman estimator that controls for the endogenous selection into choosing to seek re-election. The primary interest is in the hazards for “firm breached,” an indicator for whether the firm had a data breach within the last two years, and “interlocked firm breached,” an indicator for whether the director experienced a data breach at one of her other firms in the last two years. The table shows that directors receive fewer votes following a data breach (standard errors reported in parentheses).

                                (1)         (2)         (3)         (4)
                                OLS         Heckman     Heckman     Heckman
Firm breach                     1.325**     1.601**     1.339*      1.786**
                                (0.538)     (0.671)     (0.745)     (0.696)
... × Disclosed cyber risk                              0.878
                                                        (1.165)
... × Tech expert                                                   -1.687
                                                                    (1.703)
Interlocked firm breach         -0.014      0.394       -0.109      0.344
                                (0.580)     (0.741)     (0.786)     (0.787)
... × Disclosed cyber risk                              2.927**
                                                        (1.450)
... × Tech expert                                                   0.198
                                                                    (1.512)
Votes withheld (prior election) 0.208***    0.223***    0.223***    0.223***
                                (0.008)     (0.013)     (0.013)     (0.013)
ISS Against                     17.150***   17.167***   17.164***   17.167***
                                (0.198)     (0.195)     (0.195)     (0.195)
Return on assets                -14.627***  -15.119***  -15.052***  -15.135***
                                (1.878)     (2.269)     (2.277)     (2.273)
log(total assets)               0.125***    0.054       0.052       0.053
                                (0.043)     (0.066)     (0.066)     (0.066)
Institutional holdings          1.739***    -0.893      -0.923      -0.905
                                (0.162)     (1.441)     (1.443)     (1.442)
Age                             0.048***    0.049***    0.048***    0.049***
                                (0.011)     (0.013)     (0.013)     (0.013)
Age over 65                     -0.424**    -0.519**    -0.507**    -0.519**
                                (0.191)     (0.241)     (0.242)     (0.242)
Female                          0.187       0.121       0.122       0.117
                                (0.203)     (0.249)     (0.250)     (0.249)
Independent dir.                0.422**     0.563**     0.561**     0.562**
                                (0.194)     (0.247)     (0.248)     (0.248)
Num. directorships              0.181***    0.121       0.121       0.121
                                (0.061)     (0.083)     (0.083)     (0.083)
Tenure                          0.038***    0.058***    0.058***    0.058***
                                (0.010)     (0.017)     (0.017)     (0.017)
Previous cyber exp.             -0.233      0.012       -0.006      0.031
                                (0.613)     (0.745)     (0.749)     (0.747)
Audit committee                 0.168       -0.063      -0.066      -0.065
                                (0.131)     (0.205)     (0.206)     (0.206)
Tech expert                     0.295       0.491       0.493       0.557
                                (0.355)     (0.442)     (0.443)     (0.458)
Disclosed cyber risk            -0.102      0.964       0.924       0.966
                                (0.165)     (0.600)     (0.602)     (0.601)
Pct. board indep.               1.914**     5.197**     5.249***    5.207**
                                (0.801)     (2.031)     (2.036)     (2.033)
Board size                      -0.194***   -0.191***   -0.190***   -0.191***
                                (0.031)     (0.038)     (0.038)     (0.038)
E-index                         0.133**     0.336**     0.336**     0.336**
                                (0.063)     (0.132)     (0.132)     (0.132)
Inverse Mills                               -7.323*     -7.404*     -7.360*
                                            (3.964)     (3.971)     (3.967)
N                                           9863        9863        9863
Standard errors in parentheses.
* p <0.10, ** p <0.05, *** p <0.01.
Table 6: Estimated Propensity to Disclose Cybersecurity Risk
This table estimates the probability of a firm including cybersecurity risk in its disclosed set of risk factors in its 10-K filing. Column one presents marginal effects from a logistic regression, whereas column two reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                (1)        (2)
                                Logit      LPM
Interlocked breach              0.066**    0.049*
                                (0.031)    (0.022)
Firm breach                     0.147      0.125
                                (0.107)    (0.077)
Firm was previously hacked      0.230***   0.152***
                                (0.028)    (0.020)
Percent independent             0.009      0.005
                                (0.021)    (0.015)
ROA                             0.023      0.012
                                (0.015)    (0.013)
log(total assets)               -0.058**   -0.045*
                                (0.029)    (0.021)
log(sales + 1)                  0.036      0.023
                                (0.022)    (0.017)
log(number of employees)        0.023      0.023
                                (0.033)    (0.028)
Number of breached peer firms   0.031**    0.025**
                                (0.014)    (0.011)
Avg. director age               -0.004     -0.003
                                (0.004)    (0.003)
Number of directors             -0.002     -0.002
                                (0.010)    (0.007)
Hack in industry                0.001      0.001
                                (0.002)    (0.002)
E-index                         0.009      0.003
                                (0.010)    (0.008)
Previously disclosed cyber risk 1.088***   0.479***
                                (0.186)    (0.055)
Busy board                      0.016      0.003
                                (0.047)    (0.031)
Firm has risk committee         -0.013     -0.011
                                (0.029)    (0.023)
N                               2318       2318
Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p <0.10, ** p <0.05, *** p <0.01.
Table 7: Quality Cybersecurity Disclosure
This table shows estimates of the probability of a firm adding a cybersecurity risk disclosure to its 10-K filing by considering categorical outcomes proxying for the quality of a new disclosure. Marginal effects computed from a multinomial logistic regression are reported. Controls, time fixed effects, and industry fixed effects are included but not reported below to conserve space. Control variables are identical to those in table 6. Standard errors are clustered on the industry and reported in parentheses below the marginal effects.

Case 1: No cybersecurity disclosure (baseline)
Case 2: At least one new factor disclosing cyber is added
Case 3: The only new cyber disclosure addition is through updating an existing factor

                      Pr(2)-Pr(1)   Pr(3)-Pr(1)   Pr(3)-Pr(2)
Interlocked breach    0.115***      0.069***      -0.046**
                      (.031)        (.013)        (.019)
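The three outcome cases of Table 7 (no new cyber disclosure, a new factor that discloses cyber risk, or cyber language added only by updating an existing factor, as in the two Figure 1 excerpts) amount to a comparison of consecutive filings' risk factors. The following is an added example and not the paper's code; it assumes each filing has already been split into heading-to-body pairs and that a fixed keyword list identifies cyber language, and the sample filings are constructed, not the real 10-K text.

```python
# Added example (not from the paper): classify a firm-year change in 10-K risk
# factors into the three outcome cases of Table 7. The heading/body split and the
# keyword list are assumptions; the sample filings below are constructed.
import re

# Terms that, by this classifier's assumption, mark a risk factor as a cyber disclosure.
CYBER_TERMS = re.compile(
    r"\b(cyber|data breach|security breach|hack|malware|virus|unauthori[sz]ed access)",
    re.IGNORECASE,
)


def discloses_cyber(heading: str, body: str) -> bool:
    """True if either the heading or the body of a risk factor mentions a cyber term."""
    return bool(CYBER_TERMS.search(heading + " " + body))


def cyber_factors(filing: dict) -> set:
    """Headings of the risk factors in `filing` (heading -> body) that disclose cyber risk."""
    return {h for h, b in filing.items() if discloses_cyber(h, b)}


def classify_disclosure(prior: dict, current: dict) -> int:
    """Return the Table 7 case for the change from `prior` to `current`.

    1: no risk factor newly discloses cyber risk this year (baseline; a factor that
       already disclosed cyber risk last year and is merely reworded stays in case 1)
    2: at least one factor whose heading was absent last year discloses cyber risk
    3: cyber language was added only by updating factors that already existed
    """
    newly_cyber = cyber_factors(current) - cyber_factors(prior)
    if not newly_cyber:
        return 1
    if any(heading not in prior for heading in newly_cyber):
        return 2
    return 3


# Constructed sample filings (heading -> body), loosely modelled on Figure 1.
OPS_HEADING = "Operations risks may adversely affect our business and financial results."
UTILITY_2010 = {
    OPS_HEADING: "The operation of our generation and transmission systems involves "
                 "many risks, including equipment failure and severe weather.",
}
UTILITY_2011 = {  # same heading, cyber sentence appended: Table 7 case 3
    OPS_HEADING: UTILITY_2010[OPS_HEADING] + " In addition, our information technology "
                 "systems may be vulnerable to cyber attack or unauthorized access.",
}
BANK_PRIOR = {
    "We rely on third-party vendors.": "Key processing is outsourced to vendors.",
}
BANK_CURRENT = dict(BANK_PRIOR)  # a brand-new factor is added: Table 7 case 2
BANK_CURRENT["A breach in security of our information systems may result in losses."] = (
    "We face the risk of a security breach through cyber attack, malware or phishing."
)

if __name__ == "__main__":
    print(classify_disclosure(UTILITY_2010, UTILITY_2010))  # 1
    print(classify_disclosure(UTILITY_2010, UTILITY_2011))  # 3
    print(classify_disclosure(BANK_PRIOR, BANK_CURRENT))    # 2
```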
Table 8: Probability of Reporting a Data Breach
This table reports estimates of the probability of a firm experiencing a data breach. Column one shows marginal effects from a logistic regression where the outcome variable is an indicator for whether the firm reports a cybersecurity event. Column two repeats the analysis with a complementary log-log model as a sparse-outcome robust alternative to the logit regression. Column three reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                (1)        (2)        (3)
                                Logit      Cloglog    LPM
Interlocked breach              -0.006***  -0.006***  -0.021**
                                (0.002)    (0.002)    (0.008)
Firm breach                     -0.000     -0.000     0.030
                                (0.003)    (0.003)    (0.027)
Firm was previously hacked      0.005**    0.005**    0.041**
                                (0.002)    (0.002)    (0.016)
Percent independent             -0.001     -0.001     -0.004
                                (0.001)    (0.001)    (0.003)
ROA                             0.001      0.001      0.001
                                (0.001)    (0.001)    (0.002)
log(total assets)               0.000      0.000      -0.004
                                (0.002)    (0.003)    (0.011)
log(sales + 1)                  0.004      0.004      0.012
                                (0.003)    (0.003)    (0.010)
log(number of employees)        0.001      0.001      0.007
                                (0.002)    (0.002)    (0.008)
Number of breached peer firms   -0.000     0.000      0.000
                                (0.001)    (0.001)    (0.004)
Avg. director age               -0.000**   -0.000**   -0.001
                                (0.000)    (0.000)    (0.001)
Number of directors             0.000      0.000      0.000
                                (0.000)    (0.000)    (0.001)
Hack in industry                -0.001***  -0.001***  -0.002***
                                (0.000)    (0.000)    (0.001)
E-index                         0.001      0.001      0.002
                                (0.001)    (0.001)    (0.003)
Previously disclosed cyber risk 0.000      0.000      0.002
                                (0.002)    (0.002)    (0.009)
Busy board                      -0.003     -0.002     -0.012
                                (0.004)    (0.004)    (0.009)
Firm has risk committee         -0.002     -0.002     -0.006
                                (0.003)    (0.003)    (0.007)
N                               2318       2318       2318
Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p <0.10, ** p <0.05, *** p <0.01.
Table 9: New Board Positions after a Data Breach
In this table, columns one through three report, respectively, the estimated marginal effects in (1) a logistic prediction of whether or not a director will obtain a new board position in the next twelve months, (2) a linear prediction of the average E-index of the new board position(s), and (3) a linear prediction of the average firm size of the new board position(s). The variable of interest is “Breach in last 2 years,” which is an indicator variable that turns on if the director has experienced a data breach at any of her current board appointments in the last two years. The last line of the table reports estimated treatment effects for a double-robust matching estimator implementation of the regressions in which directors who do and do not experience data breaches are matched on their propensity to experience a data breach (Hirano and Imbens 2001).

                                                (1)        (2)        (3)
Breach in last 2 years                          0.025***   -0.143*    0.460**
                                                (0.008)    (0.075)    (0.182)
Number of board positions                       0.036***   -0.015     -0.035
                                                (0.001)    (0.011)    (0.024)
Avg. firm size of current board positions (log) 0.005***   -0.014**   0.596***
                                                (0.001)    (0.006)    (0.013)
Avg. ROA of current board positions             -0.177***  0.131*     1.293***
                                                (0.006)    (0.068)    (0.171)
Tech expert                                     0.036***   -0.016     -0.341**
                                                (0.006)    (0.059)    (0.170)
Audit expert                                    0.026***   0.006      -0.093***
                                                (0.001)    (0.009)    (0.020)
Risk expert                                     -0.038***  0.015      0.772***
                                                (0.006)    (0.069)    (0.144)
Age                                             -0.005***  0.000      -0.017***
                                                (0.000)    (0.002)    (0.004)
Age > 65                                        -0.047***  -0.037     -0.326***
                                                (0.003)    (0.034)    (0.079)
Female                                          -0.008***  0.052*     0.298***
                                                (0.003)    (0.028)    (0.062)
N                                               728693     31304      31304
Matched Avg. Treatment Effect                   .055**     -.247***   .690**
Standard errors (clustered on director) in parentheses.
* p <0.10, ** p <0.05, *** p <0.01
Panel A: Example case of a firm adding a new risk factor that discloses cyber risk
An interruption or breach in security of our information systems may result in financial losses, loss of customers, or
damage to our reputation. We rely heavily on communications and information systems to conduct our business. In addition, we rely
on third parties to provide key components of our infrastructure, including loan, deposit and general ledger
processing, internet connections, and network access. These types of information and related systems are critical to
the operation of our business and essential to our ability to perform day-to-day operations, and, in some cases, are
critical to the operations of certain of our customers. The risk of a security breach or disruption, particularly through
cyber attack or cyber intrusion, including by computer hackers, has increased as the number, intensity and
sophistication of attempted attacks and intrusions from around the world have increased. As a financial institution,
we face a heightened risk of a security breach or disruption from threats to gain unauthorized access to our and our
customers' data and financial information, whether through cyber attack, cyber intrusion over the internet, malware,
computer viruses, attachments to e-mails, spoofing, phishing, or spyware.
Our customers have been, and will continue to be, targeted by parties using fraudulent emails and other
communications to misappropriate passwords, credit card numbers, or other personal information or to introduce
viruses or other malware through "trojan horse" programs to our customers' computers. These communications
appear to be legitimate messages sent by the Bank, but direct recipients to fake websites operated by the sender of
the e-mail or request that the recipient send a password or other confidential information via e-mail or download a
program. Despite our efforts to mitigate these tactics through product improvements and customer education, such
attempted frauds remain a serious problem that may cause customer and/or Bank losses, damage to our brand, and
increase in our costs.
Although we make significant efforts to maintain the security and integrity of our information systems and
we have implemented various measures to manage the risk of a security breach or disruption, there can be no
assurance that our security efforts and measures will be effective or that attempted security breaches or disruptions
would not be successful or damaging. Even the most well protected information, networks, systems and facilities
remain potentially vulnerable because attempted security breaches, particularly cyber attacks and intrusions, or
disruptions will occur in the future, and because the techniques used in such attempts are constantly evolving and
generally are not recognized until launched against a target, and in some cases are designed not to be detected and,
in fact, may not be detected. Accordingly, we may be unable to anticipate these techniques or to implement
adequate security barriers or other preventative measures, and thus it is virtually impossible for us to entirely
mitigate this risk. A security breach or other significant disruption could: 1) Disrupt the proper functioning of our
networks and systems and therefore our operations and/or those of certain of our customers; 2) Result in the
unauthorized access to, and destruction, loss, theft, misappropriation or release of confidential, sensitive or
otherwise valuable information of ours or our customers, including account numbers and other financial
information; 3) Result in a violation of applicable privacy and other laws, subjecting the Bank to additional regulatory
scrutiny and expose the Bank to civil litigation and possible financial liability; 4) Require significant management
attention and resources to remedy the damages that result; or 5) Harm our reputation or cause a decrease in the
number of customers that choose to do business with us. The occurrence of any such failures, disruptions or security
breaches could have a negative impact on our results of operations, financial condition, and cash flows.
10-K Filing by Bank of Hawaii Corporation for fiscal year end December 31, 2011
Figure 1: Two Example Disclosures of Cybersecurity Risk
Panel B: Example case of a firm updating an existing risk factor to include cyber risk
Operations risks may adversely affect our business and financial results.
The operation of our electric generation, and electric and gas transmission and distribution systems involves
many risks, including breakdown or failure of expensive and sophisticated equipment, processes and personnel
performance; operating limitations that may be imposed by equipment conditions, environmental or other
regulatory requirements; fuel supply or fuel transportation reductions or interruptions; transmission scheduling
constraints; and catastrophic events such as fires, explosions, severe weather or other similar occurrences. In
addition, our information technology systems and network infrastructure may be vulnerable to internal or external
cyber attack, unauthorized access, computer viruses or other attempts to harm our systems or misuse our
confidential information.
We have implemented training and preventive maintenance programs and have security systems and
related protective infrastructure in place, but there is no assurance that these programs will prevent or minimize
future breakdowns, outages or failures of our generation facilities or related business processes. In those cases, we
would need to either produce replacement power from our other facilities or purchase power from other suppliers
at potentially volatile and higher cost in order to meet our sales obligations, or implement emergency back-up
business system processing procedures.
10-K Filing by The Empire District Electric Company for fiscal year end December 31, 2011
Operations risks may adversely affect our business and financial results.
The operation of our electric generation, and electric and gas transmission and distribution systems involves
many risks, including breakdown or failure of expensive and sophisticated equipment, processes and personnel
performance; operating limitations that may be imposed by equipment conditions, environmental or other
regulatory requirements; fuel supply or fuel transportation reductions or interruptions; transmission scheduling
constraints; and catastrophic events such as fires, explosions, severe weather or other similar occurrences.
We have implemented training, preventive maintenance and other programs, but there is no assurance
that these programs will prevent or minimize future breakdowns, outages or failures of our generation facilities. In
those cases, we would need to either produce replacement power from our other facilities or purchase power from
other suppliers at potentially volatile and higher cost in order to meet our sales obligations.
These and other operating events may reduce our revenues, increase costs, or both, and may materially
affect our results of operations, financial position and cash flows.
10-K Filing by The Empire District Electric Company for fiscal year end December 31, 2010