Answer the question
Lecture - Unit 9 Evaluate Disclosure
ACCT 855
Seminar in Cybersecurity Audit and Disclosure
Dr. Tien Lee, Ph.D., PMP, CISA, CISSP [email protected] | (415)644-TIEN San Francisco State University Lam Family College of Business
Dye’s Analogy (1985)
Dye (1985) provided a simple analogy using agency theory showing why management would manipulate disclosure:
management’s actions are subject to moral hazard and hidden actions, and
investors, individually, learn about the manager’s actions through disclosure that would reflect the management’s action through stock price changes.
Disclosure allows the principal to mitigate the moral hazard problem by tying the manager’s compensation to the firm’s stock price;
Dye’s Analogy (1985)
In this case, the manager could game the system and make disclosure sufficient to impact or not-impact the firm’s future cash flows.
The firm’s stock price would then become a function of that disclosure rather than a function of investor knowledge about the manager’s actions.
Therefore, firm’s stock price became “influenced” by the disclosure, even more so, by the content of the disclosure.
Dye’s Analogy & Cybersecurity Breach Disclosure
Subsequent to a security breach, managers may foresee that security breach events are intrinsically complex and difficult to understand for the principal;
it may take much longer for the full investigation to be completed.
The manager may very reasonably elect to control the disclosure in a manner that favors the manager’s self-interest.
The market reaction would be a function of the “diluted disclosure”, or “glorified disclosure” not the management’s effort and their true actions in managing or mis-managing the firm.
The Tale of Two Disclosures
StumbleUpon provided little information in its disclosure.
However, it is difficult to evaluate just how “bad” it is.
Need of measuring instruments
The Tale of Two Disclosures
Comparing to another disclosure…
Measuring the Quality of the Disclosure
Discussion: What makes a good disclosure?
ACCURATE
TIMELY
RELEVANT
COMPLETE
MANAGEMENT INVOLVEMENT & CREDIBILITY
Disclosure Accuracy
Accuracy is an important aspect of disclosure.
It’s important for the preparer to issue disclosure truthfully based on best available information at hand.
However…
Accuracy of disclosure is impossible to measure consistently as the “truth” is not observable from the information users’ perspective.
Disclosures are “assumed to be accurate” after independent audit.
Disclosure Timeliness
Timely disclosure allows investors to make timely decisions.
However, in cybersecurity breach, one single dimension of timeliness may not be adequate enough…
Time dimension of cybersecurity breach may include:
When incident occurred
When incident were discovered
When investigation started
When remediation were determined
When external disclosure were issued.
Disclosure Timeliness
These dimensions allows the information user to determine the “lag time” of various events:
Discover lag (from incident occurrence to discovery)
Investigation lag (from discovery to investigation)
Remediation lag (from investigation to remediation)
Disclosure lag (from discovery to external disclosure)
Disclosure Timeliness