Muma College of Business Researchers Look at Cybersecurity Risk Management
By Keith Morelli
TAMPA (October 15, 2020) -- As the cybersecurity risks facing publicly held companies advance each day, the way those companies provide assurances that they are mitigating that risk may affect how willing investors are to invest, according to a recent study conducted by USF Muma College of Business accounting researchers.
“Companies may be tempted to hire their financial-statements auditor to also provide cybersecurity assurance,” Murthy said. “On one hand, companies may feel that the high-quality nature of the audit conducted by their financial-statements auditor would extend to the cybersecurity realm.” This logic suggests that cybersecurity assurance provided by the company's own financial statements auditor not only would be sufficient, but may be preferred by investors.
“We found in the study that this was the case when there was no cybersecurity incident,” he said. “However, the problem arose when there was a cybersecurity breach, that is, an adverse event. When that occurred, we found in our study that investors had a negative view not only of the cybersecurity assurance but also of the quality of the financial statements audit.”
All publicly held companies are required to have their financial statements audited by an independent auditor who is a CPA, said Uday Murthy, accounting professor and former director of the Lynn Pippenger School of Accountancy. And many of these CPA firms do have teams that can recommend cybersecurity risk-mitigation measures and provide assurance that these risks are being managed. However, there are non-CPA, cyber-risk management firms that also provide such services and public companies therefore have a choice.
“Public companies can choose to have cybersecurity assurance services provided either by their financial statements auditor for which the auditor is paid additional fees,” Murthy said, “or they can contract that service from a third-party provider.”
Companies are better off contracting cybersecurity assurance services with reputable third-party providers rather than with the CPA firm auditing their financial statements, the study found.
“Under normal circumstances,” Murthy said, “there is not a concern. However, when a cybersecurity breach occurs (which is inevitable for many companies), then there is an adverse investor reaction not only in relation to the cybersecurity breach but also in relation to the quality of the audit of their financial statements.”
The main advantage of using a third-party assurance provider (other than the CPA firm auditing their financials) is that they likely have higher expertise in that realm, Murthy said. Another advantage of using a third-party provider is that, if a cybersecurity incident occurs, investors maintain a positive perception of the audit quality of the financial statements, since a different party performs those audits.
The study, co-authored by former PhD student Rebecca Perols, used MBA students as proxies for nonprofessional investors. Participants looked at a scenario with details of a hypothetical company and the nature of assurance services they had contracted – both for their financial statements and for cybersecurity. Researchers observed the perceptions of participants both before and after they learned about a cybersecurity incident that occurred for the hypothetical company and documented the changes in those perceptions as well as a reluctance to make investments in the company.
The study is forthcoming in Auditing: A Journal of Practice & Theory, the leading journal for academic auditing research. This journal has an impact factor higher than two accounting journals on the Financial Times list of 50 journals.