Board liability for cyberattacks: The effects of a prior attack and implementing the AICPA’s cybersecurity framework
References
Alicke, 2000, Culpable control and the psychology of blame, Psychol. Bull., 126, 556, 10.1037/0033-2909.126.4.556
Alicke, 2008, Culpable control and counterfactual reasoning in the psychology of blame, Pers. Soc. Psychol. Bull., 34, 1371, 10.1177/0146167208321594
Alicke, 1994, A posteriori adjustment of a priori decision criteria, Soc. Cognit., 12, 281, 10.1521/soco.1994.12.4.281
American Institute of Certified Public Accountants (AICPA), 2017a. AICPA Unveils Cybersecurity Risk Management Reporting Framework. April 26. New York, NY: AICPA. Available at: https://www.aicpa.org/press/pressreleases/2017/aicpa-unveils-cybersecurity-risk-management-reporting-framework.html.
American Institute of Certified Public Accountants (AICPA), 2017
American Institute of Certified Public Accountants (AICPA), 2017
AON, 2019. 2019 Cyber security risk report: What’s now and what’s next. Available at: https://www.aon.com/getmedia/4c27b255-c1d0-412f-b861-34c5cc14e604/Aon_2019-Cyber-Security-Risk-Report.aspx.
Backof, 2015, The impact of audit evidence documentation on jurors’ negligence verdicts and damage awards, Account. Rev., 90, 2177, 10.2308/accr-51072
Backof, A., Bowlin, K., Goodson, B.M., 2019. The importance of clarification of auditors’ responsibilities under the new audit reporting standards. Working paper, University of Virginia, University of Mississippi, and Clemson University.
Bamber, 1989, Audit structure and its relation to role conflict and role ambiguity: An empirical investigation, Account. Rev., 64, 285
Brasel, 2016, Risk disclosure preceding negative outcomes: the effects of reporting critical audit matters on judgments of auditor liability, Account. Rev., 91, 1345, 10.2308/accr-51380
Brown, 2019, The Effects of Specialist Type and Estimate Aggressiveness on Juror Judgments of Auditor Negligence, Audit.: J. Pract. Theory, 38, 47
Brown, 2020, The influence of evaluator expertise, a judgment rule, and critical audit matters on assessments of auditor legal liability, Forthcoming – Accounting Organizations and Society
Buhrmester, 2011, Amazon’s Mechanical Turk: A new source of inexpensive, yet high-quality, data?, Perspect. Psychol. Sci., 6, 3, 10.1177/1745691610393980
Byrne, 2010
Casey, 2015, Understanding and contributing to the enigma of corporate social responsibility (CSR) assurance in the United States, Audit.: J. Pract. Theory, 34, 97
Center for Audit Quality, 2016. 2016 Main Street Investor Survey. Available at: http://www.thecaq.org/2016-main-street-investor-survey.
Cianci, 2013, The moderating effects of the incentive system and performance measure on managers’ and their superiors’ expectations about the manager’s effort, Behav. Res. Account., 25, 115, 10.2308/bria-50290
Collier, K., 2020. Major hospital system hit with cyberattack, potentially largest in U.S. history. September 28. Available at: https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254.
Commerford, 2018, The Effect of Real Earnings Management on Auditor Scrutiny of Management's Other Financial Reporting Decisions, Account. Rev., 93, 145, 10.2308/accr-52032
Coram, 2009, The value of assurance on voluntary nonfinancial disclosure: An experimental evaluation, Audit.: J. Pract. Theory, 28, 137
Davis, J., 2019. Quest, LabCorp, AMCA Face Breach Lawsuits, State Investigations. June 11. Available at: https://healthitsecurity.com/news/quest-labcorp-amca-face-hit-by-breach-lawsuits-state-investigations.
Donelson, D. C., Kadous, K., McInnis, J. M., 2014. Litigation Against Auditors. In Routledge Companion to Auditing, D. Hay, R. Knechel, and M. Willekens Eds.
Downs, J. S., Holbrook, M. B., Sheng, S., Cranor, L. F., 2010. Are your participants gaming the system? Screening Mechanical Turk workers. In Proceedings of the 28th ACM SIGCHI Conference on Human Factors in Computing Systems, Atlanta, GA, April 10–15, 2399–402. New York: ACM.
Edwards, 2019, Cybersecurity oversight liability, Georgia State Univ. Law Rev., 35, 663
Epstein, 1994, Recent evidence of the expectation gap, J. Account., 177, 60
Farrell, 2017, Scoundrels or stars? Theory and evidence on the quality of workers in online labor markets, Account. Rev., 92, 93, 10.2308/accr-51447
Federal Trade Commission (FTC), 2020. Equifax Data Breach Settlement. January. Available at: https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement.
Frank, 2019, How Prior Cyberattacks Influence the Efficacy of Cybersecurity Risk Management Reporting and Independent Assurance, Forthcoming – J. Inform. Syst.
Gordon, 2010, Market value of voluntary disclosures concerning information security, MIS Quart., 34, 567, 10.2307/25750692
Grenier, 2012, Speak up or shut up? The moderating role of credibility on auditor remedial defense tactics, Audit.: J. Pract. Theory, 31, 65
Grenier, 2015, The effects of independent expert recommendations on juror judgments of auditor negligence, Audit.: J. Pract. Theory, 34, 157
Grenier, 2015, The effects of accounting standard precision, auditor task expertise, and judgment frameworks on audit firm litigation exposure, Contemp. Account. Res., 32, 336, 10.1111/1911-3846.12092
Grenier, 2018, Researching juror judgment and decision making in cases of alleged auditor negligence: A toolkit for new scholars, Behav. Res. Account., 30, 99, 10.2308/bria-51878
Horton, J., Chilton, L., 2010. The labor economics of paid crowdsourcing. Proceedings of the 11th ACM Conference on Electronic Commerce. New York, NY: ACM.
Horton, 2011, The online laboratory: Conducting experiments in a real labor market, Exp. Econ., 14, 399, 10.1007/s10683-011-9273-9
Javers, E., 2013. Cyberattacks: Why Companies Keep Quiet. February 25. Available at: https://www.cnbc.com/2013/02/25/cyberattacks-why-companies-keep-quiet.html.
Jollineau, 2014, Evaluating Proposed Remedies for Credit Rating Agency Failures, Account. Rev., 89, 1399, 10.2308/accr-50721
Kadous, 2001, Improving jurors’ evaluations of auditors in negligence cases, Contemp. Account. Res., 18, 425, 10.1506/GM8A-HNPH-LL3L-98FY
Klein, 2012, Low hopes, high expectations: Expectancy effects and the replicability of behavioral experiments, Perspect. Psychol. Sci., 7, 572, 10.1177/1745691612463704
Klemash, S.W., Brorsen, L., Seets Jr., C.W., 2018. Cybersecurity disclosure benchmarking. Harvard Law School Forum on Corporate Governance and Financial Regulation. Available at https://corpgov.law.harvard.edu/2018/10/21/cybersecurity-disclosure-benchmarking/.
Kline, 1998
LaCroix, K.M., 2015. Guest post: court of appeals warns against complacency in the PSLRA’s safe harbor. Available at https://www.dandodiary.com/2015/08/articles/securities-litigation/guest-post-court-ofappeals-warns-against-complacency-in-the-pslras-safe-harbor/.
LaCroix, K.M., 2020. Equifax data breach-related security suit settled for $149 million. Available at https://www.dandodiary.com/2020/02/articles/securities-litigation/equifax-data-breach-related-securities-suit-settled-for-149-million/.
Malle, 2014, A theory of blame, Psychol. Inq., 25, 147, 10.1080/1047840X.2014.877340
Maksymov, E., Pickerd, J., Lowe, D. J., Peecher, M., Reffett, A., 2019. The settlement norm in audit legal disputes: Insights from prominent attorneys. Contemporary Accounting Research, (forthcoming).
Mautz, 1961
Maksymov, 2016, Malleable standards of care required by jurors when assessing auditor negligence, Account. Rev., 92, 165, 10.2308/accr-51427
McEnroe, 2001, Auditors’ and investors’ perceptions of the “expectation gap”, Account. Horizons, 15, 345, 10.2308/acch.2001.15.4.345
Mercer, 2004, How do investors assess the credibility of management disclosures?, Account. Horizons, 18, 185, 10.2308/acch.2004.18.3.185
Miller, 1986, Counterfactual thinking and victim compensation: a test of norm theory, Pers. Soc. Psychol. Bull., 12, 513, 10.1177/0146167286124014
Miller, 1990, Counterfactual thinking and social perception: Thinking about what might have been, Adv. Exp. Soc. Psychol., 23, 305, 10.1016/S0065-2601(08)60322-6
Monroe, 1994, An empirical investigation of the audit expectation gap: Australia evidence, Account. Finance, 34, 47, 10.1111/j.1467-629X.1994.tb00262.x
Morrison, A., Herrygers, S., 2018. The board wants to know: What can the organization do to bypass cyber program ineffectiveness? FEI Daily. Available at https://daily.financialexecutives.org/FEI-Daily/October-2018/The-Board-Wants-To-Know-What-Can-The-Organization.aspx.
NICCS (National Initiative for Cybersecurity Careers and Studies), 2017. A glossary of common cybersecurity terminology. Available at: https://niccs.us-cert.gov/glossary#I.
Newman, C.A., 2019. Lessons for corporate boardrooms from Yahoo’s cybersecurity settlement. New York Times, January 23. Available at https://www.nytimes.com/2019/01/23/business/dealbook/yahoo-cyber-security-settlement.html.
Nunnally, 1978
Olenick, D., 2019. Data breaches cause 10 percent of small businesses to shutter. SC Magazine, October 29. Available at https://www.scmagazine.com/home/security-news/data-breach/data-breach-causes-10-percent-of-small-businesses-to-shutter/.
Palmer, D., 2018. Once a target, always a target: If you’re hit by hackers you’re likely to be hit again. Available at https://www.zdnet.com/article/once-a-target-always-a-target-if-youre-hit-by-hackers-youre-likely-to-be-hit-again/.
Paolacci, 2010, Running experiments on Amazon Mechanical Turk, Judgment Decision Making, 5, 411, 10.1017/S1930297500002205
Peecher, 2008, Judging audit quality in light of adverse outcomes: Evidence of outcome bias and reverse outcome bias, Contemp. Account. Res., 25, 243, 10.1506/car.25.1.10
Ponemon Institute and Accenture, 2018. 2018 Cost of Cyber Crime Study. Available at https://www.ponemon.org/blog/2018-cost-of-cyber-crime-study.
PricewaterhouseCoopers, 2016. Global State of Information Security Survey 2016. Available at https://www.pwc.com/gsiss2016.
Reffett, 2010, Can identifying fraud risks increase auditors’ liability?, Account. Rev., 85, 2145, 10.2308/accr.2010.85.6.2145
Riggi, J., 2020. The importance of cybersecurity in protecting patient safety: A High-Level Guide for Hospital and Health System Senior Leaders. Available at: https://www.aha.org/center/emerging-issues/cybersecurity-and-risk-advisory-services/importance-cybersecurity-protecting-patient-safety#:~:text=Aligning%20cybersecurity%20and%20patient%20safety,negative%20impact%20on%20clinical%20outcomes.
Robinson, 1995
Roese, 1997, Counterfactual thinking, Psychol. Bull., 121, 133, 10.1037/0033-2909.121.1.133
Roese, 1995, Outcome controllability and counterfactual thinking, Pers. Soc. Psychol. Bull., 21, 620, 10.1177/0146167295216008
Rosenthal, 1976
Rubin, G., 2019. Many Company Hacks Go Undisclosed to SEC Despite Regulator Efforts. February 26. Available at: https://www.wsj.com/articles/many-company-hacks-go-undisclosed-to-sec-despite-regulator-efforts-11551218919.
Securities and Exchange Commission (SEC), 2011. CF Disclosure Guidance: Topic No. 2 (Cybersecurity), U.S. Securities and Exchange Commission, 13 October. Available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
Securities and Exchange Commission (SEC), 2018. Commission Statement and Guidance on Public Company Cybersecurity Disclosures (February 26). Release Nos. 33-10459; 34-82746. Washington, DC: SEC. Available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.
Sheehan, 2015, Meeting expectations for SEC disclosures of cybersecurity risks and incidents, Cybersecurity Law Report, 1, 1
Shoemaker, R., 2019. From Data Breach to Bankruptcy – A Cautionary Tale for Those Without Cyber Insurance. July 16. Available at: https://www.jdsupra.com/legalnews/from-data-breach-to-bankruptcy-a-17755/.
Simnett, 2009, Assurance on sustainability reports: An international comparison, Account. Rev., 84, 937, 10.2308/accr.2009.84.3.937
Smith, 1987, Experimental economics and auditing, Audit.: J. Pract. Theory, 1, 71
Sporkin, T.A., Leeson, M., 2020. SEC Risk Factors: A single word could cost millions. Business Law Today. January 17. Available at: https://www.americanbar.org/groups/business_law/publications/blt/2020/02/sec-risk-factors/.
Steblay, 2006, The impact on juror verdicts of judicial instruction to disregard inadmissible evidence: A meta-analysis, Law Human Behavior, 30, 469, 10.1007/s10979-006-9039-7
Tan, 1995, Sunk cost effects: The influence of instruction and future estimates, Org. Behavior Human Decision Processes, 63, 311, 10.1006/obhd.1995.1082
Trautman, 2017, Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach, Am. Univ. Law Rev., 66, 1231
Varlan, P., 2017. The growing risk of director liability for cyberattacks. Compliance Enforcement. Available at: https://wp.nyu.edu/compliance_enforcement/2017/09/04/the-growing-risk-of-director-liability-for-cyberattacks/.
Wallace, 1987, The economic role of the audit in free and regulated markets: A review, Res. Account. Regulat., 1, 7
Wallace, P. E., Schroth, R. J., Delone, W. H., 2015. Cybersecurity Regulation and Private Litigation Involving Corporations and their Directors and Officers: A Legal Perspective. Available at: https://dra.american.edu/islandora/object/auislandora%3A74038.
Wang, 2013, The association between the disclosure and the realization of information security risk factors, Inform. Syst. Res., 24, 201, 10.1287/isre.1120.0437
Willis Towers Watson, 2018. 2018 Management Liability (Directors and Officers) U.S. Survey: Insights on risk perceptions, D&O programs, purchases and claims. Available at: https://www.willistowerswatson.com/en-US/Insights/2018/07/2018-management-liability-d-o-us-survey.
Wu, 2014, The interactive effects of internal control audits and manager legal liability on managers’ internal control decisions, investor confidence, and market prices, Contemp. Account. Res., 31, 444, 10.1111/1911-3846.12029