• Cyber incident disclosure has been proposed as an important tool to create better incentives for cyber security.
• This paper outlines lessons for cyber incident disclosure from CO₂e emissions disclosure.
• It is concluded that increased cyber incident disclosure would increase the costs of equity and debt for companies with many and/or severe cyber incidents, and also expose them to shareholder activism as well as to decreasing demand. However, these effects are likely to be smaller than the corresponding CO₂e emissions disclosure effects.

Modern society depends on IT services, but unfortunately, IT services are not always dependable. Cyber incidents occur all the time, caused by bad design or by bad incentives. To address the latter cause, disclosure of cyber incidents has been proposed. Learning about incidents, buyers will find it worthwhile to select and pay for secure vendors, thus contributing to better overall security. While this logic has solid theoretical foundations in the economics of negative externalities and asymmetric information, the practice of cyber incident disclosure is only just emerging, as is empirical research on its effects. However, valuable lessons might be learned from the literature on the more mature practice of CO₂e emissions disclosure. Based on the extant literature on CO₂e emissions disclosure, two hypotheses about cyber incident disclosure are derived: First, it is likely that increased cyber incident disclosure would increase the costs of equity and debt for companies with many and/or severe cyber incidents, and also expose them to shareholder activism as well as to decreasing demand. Second, these effects will be smaller for cyber incident disclosure than the corresponding effects for CO₂e emissions disclosure. The article is concluded with a discussion of implications and future work.