Corporate Transparency and Cybersecurity Risks
Author(s)
Kim, David Sunghyo
Advisor
So, Eric
Verdi, Rodrigo
Abstract
I study whether disclosure mandates alter the equilibrium of cyberattacks by unintentionally informing cybercriminals. The California Consumer Privacy Act (CCPA) requires companies to disclose their personal information collection practices to consumers, inadvertently informing cybercriminals about the potential benefits of breaching each firm. Using a difference-in-differences design, I find that firms disclosing the collection of valuable personal data face an increased probability of data breaches. These firms also strengthen their cyberdefenses both in terms of cybersecurity software and cybersecurity specialists. Firms trade off cybersecurity costs against the risk of data breaches, with the increase in breach probabilities more pronounced among firms that invest less in cybersecurity. Finally, I find that firms adjust their data collection policies as additional defense strategies. Overall, this study highlights the trade-off between transparency and cybersecurity risks in today’s digital economy.
Date issued
2025-05
Department
Sloan School of Management
Publisher
Massachusetts Institute of Technology