Answer the question

profileSSSSSSSS19
ACCT855-Lecture-Unit9-EvaluatingDisclosure.pptx

Lecture - Unit 9 Evaluate Disclosure

ACCT 855

Seminar in Cybersecurity Audit and Disclosure

Dr. Tien Lee, Ph.D., PMP, CISA, CISSP [email protected] | (415)644-TIEN San Francisco State University Lam Family College of Business

Dye’s Analogy (1985)

Dye (1985) provided a simple analogy using agency theory showing why management would manipulate disclosure:

management’s actions are subject to moral hazard and hidden actions, and

investors, individually, learn about the manager’s actions through disclosure that would reflect the management’s action through stock price changes.

Disclosure allows the principal to mitigate the moral hazard problem by tying the manager’s compensation to the firm’s stock price;

Dye’s Analogy (1985)

In this case, the manager could game the system and make disclosure sufficient to impact or not-impact the firm’s future cash flows.

The firm’s stock price would then become a function of that disclosure rather than a function of investor knowledge about the manager’s actions.

Therefore, firm’s stock price became “influenced” by the disclosure, even more so, by the content of the disclosure.

Dye’s Analogy & Cybersecurity Breach Disclosure

Subsequent to a security breach, managers may foresee that security breach events are intrinsically complex and difficult to understand for the principal;

it may take much longer for the full investigation to be completed.

The manager may very reasonably elect to control the disclosure in a manner that favors the manager’s self-interest.

The market reaction would be a function of the “diluted disclosure”, or “glorified disclosure” not the management’s effort and their true actions in managing or mis-managing the firm.

The Tale of Two Disclosures

StumbleUpon provided little information in its disclosure.

However, it is difficult to evaluate just how “bad” it is.

Need of measuring instruments

The Tale of Two Disclosures

Comparing to another disclosure…

Measuring the Quality of the Disclosure

Discussion: What makes a good disclosure?

ACCURATE

TIMELY

RELEVANT

COMPLETE

MANAGEMENT INVOLVEMENT & CREDIBILITY

Disclosure Accuracy

Accuracy is an important aspect of disclosure.

It’s important for the preparer to issue disclosure truthfully based on best available information at hand.

However…

Accuracy of disclosure is impossible to measure consistently as the “truth” is not observable from the information users’ perspective.

Disclosures are “assumed to be accurate” after independent audit.

Disclosure Timeliness

Timely disclosure allows investors to make timely decisions.

However, in cybersecurity breach, one single dimension of timeliness may not be adequate enough…

Time dimension of cybersecurity breach may include:

When incident occurred

When incident were discovered

When investigation started

When remediation were determined

When external disclosure were issued.

Disclosure Timeliness

These dimensions allows the information user to determine the “lag time” of various events:

Discover lag (from incident occurrence to discovery)

Investigation lag (from discovery to investigation)

Remediation lag (from investigation to remediation)

Disclosure lag (from discovery to external disclosure)

Disclosure Timeliness