Biding Their Time: The Influences of Executive Compensation and Board Cybersecurity Intensity on Firms’ Strategic SEC Data Breach Notification Delays
Management Information Systems
Fox School of Business
Friday, Jan 14
11:00 am – 12:30 pm | Zoom
The U.S. Securities and Exchange Commission (SEC) requires firms to notify investors in an SEC filing of a data breach if it constitutes a material event. Importantly, the determination of materiality lies with executives, which has resulted in firms failing to disclose breaches to the SEC or purposely delaying notifications. We draw from the behavioral theory of the firm and executive compensation literature to develop predictions about the influence of IT and non-IT executives’ compensation on firms’ SEC data breach notification delays. Given the possibility of competing priorities and goals of the two executive groups, we argue that increased IT executive compensation leads to fewer delays, whereas increased non-IT executive compensation has the opposite effect. Because corporate boards of directors oversee and advise on firms’ cybersecurity matters, we argue that the cybersecurity intensity of the firm’s board (i.e., social ties to breached firms) moderates the relationships between IT and non-IT executive compensation and notification delays. To test our hypotheses, we constructed a panel dataset from public sources and performed a series of econometric analyses. Our results suggest that the influence of executive compensation on notification delays differs for IT and non-IT executives in the manner hypothesized. However, for both types of executives, the moderating influence of the board’s cybersecurity intensity works to increase notification delays. Counter to the conventional view that increased cybersecurity experience on the board benefits timely data breach notification, our findings suggest that greater board experience results in delays of timely communications about data breaches via 8-K filings.