“We find suggestive evidence indicating that some firms manipulate the discovery date (“misreport”) of a cybersecurity incident to postpone the disclosure of the incident, as evidenced by a pronounced spike in insider sales before the reported discovery date. We also find that misreporting is more prevalent among firms with weak internal control systems, when firms face low litigation risk, and when firms have greater pressure to meet a disclosure deadline.”
Financial institutions must enhance cyber defenses and regulatory frameworks must adapt to new risks. International agencies are creating coherent cybersecurity standards, exemplified by the EU's Digital Operational Resilience Act (DORA). Effective defense also requires robust institutional governance and sector-led standards.
Optimal cybersecurity investment depends on threat severity and bank fragility. Regulators should consider operational resilience standards, red-teaming, subsidies, and negligence penalties to facilitate socially desirable cybersecurity investment.
“The financial impact of cybercrime paints a concerning picture. According to the FBI's Internet Crime Complaint Center (IC3), cybercrime complaints in 2023 reached record highs, with reported losses exceeding $10 billion (IC3, 2023). Furthermore, IBM's 2023 Cost of a Data Breach Report estimates the average global cost of a data breach to be a staggering $4.5 million (IBM, 2023). These statistics highlight the immense financial burden cybercrime places on individuals, organizations, and governments.”
“... this article provides anchorage to scholarly audiences when scrutinizing the extent to which privacy and security measures qualify as ‘appropriate’ in the context of liability claims and actions for damages, thereby creating an opportunity to move from technical insight to legal compliance.”
“The analysis reveals that boards are ineffective in cybersecurity risk oversight due to a lack of IT knowledge, and cybersecurity expertise is largely absent at the board level.”
The article advocates for a shift in cyber risk assessment from a threat-centric to a harm-centric approach. Current models often neglect qualitative and cascading impacts of cyber incidents. The proposed Cyber Harm Model (CHM) aims to address this gap, providing a comprehensive framework for assessing and mitigating harm, using empirical data from Critical Information Infrastructures.
“While the main discussion of the paper is tailored to the management of systemic cyber risk in digital networks, we also draw parallels to similar risk management frameworks for other types of complex systems.”
This study explores cyber risk in businesses, treating cybersecurity investment and cyber insurance as the two key risk-management strategies. Using a network model, it examines firms' interconnected decisions and characterizes a Nash equilibrium in which each firm chooses its cybersecurity investment and insurance coverage. The findings highlight the interdependence of these two decisions and show how the network structure shapes firms' choices; numerical analyses reinforce these results.