Research project: Cybersecurity Awareness and Market Valuation
Henk Berkman, Jonathan Jona, Gladys Lee, and Naomi Soderstrom
[SSRN]
Abstract:
This paper introduces a measure of firm-specific cybersecurity awareness that can be used in empirical research exploring cyber-related issues facing corporations. It extends and updates Gordon et al. (2010), who develop an indicator capturing the existence of disclosures related to “information security” and show a positive association between market valuation and their measure. Since publication of their paper, cyber-related events have become more frequent and salient, and disclosure of cybersecurity issues has become more extensive. Increased disclosure is largely due to a 2011 requirement by the Securities and Exchange Commission, which provides guidance for disclosure of cyber-related issues in 10-K filings. Based upon this post-guidance disclosure, we develop a new measure that captures the extent and relevance of cyber disclosures and show that the market positively values cybersecurity awareness. We also show that a more negative tone in cyber disclosures is associated with lower market values. Our results are robust to inclusion of measures of IT governance and controlling for the firm’s overall disclosure characteristics.
Cybersecurity awareness measure derived from 10-K disclosures:
Cyber-related disclosures in firms’ 10-Ks were identified, categorized and ranked using rules-based text analysis algorithms. Together with CookESG Research, we developed a keyword list from a core set of keywords taken from the glossary of common cybersecurity terminology published by the National Initiative for Cybersecurity Careers and Studies (NICCS). We supplemented the NICCS list by including cyber-related legislative Acts, which we obtained from a report on laws relating to cybersecurity prepared by the Congressional Research Service (Fischer, 2014). These keywords and phrases were then incorporated into the disclosure mapping logic to develop an initial corpus of cybersecurity disclosures.
The keyword dictionary is structured around a core keyword or keyword phrase and 0 or more additional terms that qualify that core keyword or keyword phrase. The dictionary was refined through an iterative process of testing this original list against samples of disclosures from a variety of industry groupings. As the domain was refined, an effort was made to prune false positives while minimizing the risk of false negatives.
Each excerpt was assigned a relevance score. This score is a function of the amount of relevant language contained within the excerpt as well as a weighting on this language that reflects how directly it addresses the domain of cybersecurity. Some keywords and phrases are relevant wherever they are found in a text (e.g. ‘cyber security’ or ‘digital information’). Others are relevant only within context (e.g. ‘network security’ or ‘personal information’). The score is derived from the number of times a relevant keyword or keyword phrase occurs within an excerpt, as well as whether it is independently relevant to the domain or contextually relevant, the former being awarded a higher score. Within this logic, language specificity (e.g. ‘Advancing America's Networking and Information Technology Research And Development Act’) is rewarded with a higher key phrase score.
The scores are derived by summing the individual relevance values assigned to each keyword phrase found within the excerpt. Scores are tallied across all excerpts identified as true positives within a particular filing to compute a total score for the whole filing.
This process is similar, except for the textual adjustments for cyber-risk disclosures, to the Climate Risk Disclosure project that was developed by CookESG Research and available through Ceres.
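The scoring logic described above can be sketched as follows. This is an added example, not the authors' or CookESG Research's code: the phrases are the ones quoted on this page, while the weights, the qualifier terms, the rule that a qualifier may appear anywhere in the excerpt, and the "score above zero means true positive" shortcut are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    phrase: str             # core keyword or keyword phrase
    weight: int             # constructed relevance value per occurrence
    qualifiers: tuple = ()  # empty = relevant anywhere; else one must co-occur

# Phrases are the page's examples; weights and qualifier terms are assumptions.
DICTIONARY = (
    Entry("cyber security", 3),
    Entry("digital information", 3),
    Entry("network security", 1, ("breach", "attack", "unauthorized")),
    Entry("personal information", 1, ("breach", "hacker", "unauthorized")),
    Entry("advancing america's networking and information technology "
          "research and development act", 5),  # specific Act name scores highest
)

def _normalize(text):
    # Lower-case, unify curly apostrophes, collapse runs of whitespace.
    return re.sub(r"\s+", " ", text.lower().replace("\u2019", "'")).strip()

def _count(phrase, text):
    # Whole-phrase matches only.
    return len(re.findall(r"\b" + re.escape(phrase) + r"\b", text))

def score_excerpt(excerpt):
    text = _normalize(excerpt)
    total = 0
    for entry in DICTIONARY:
        hits = _count(entry.phrase, text)
        if entry.qualifiers and not any(_count(q, text) for q in entry.qualifiers):
            hits = 0  # contextual phrase found without qualifying context
        total += hits * entry.weight
    return total

def score_filing(excerpts):
    # Assumption: an excerpt scoring above zero counts as a true positive.
    scores = [score_excerpt(x) for x in excerpts]
    return sum(scores), sum(1 for s in scores if s > 0)

# Constructed excerpts, not taken from any real 10-K.
SAMPLE_FILING = [
    "A cyber security incident or network security breach could expose "
    "personal information and digital information.",
    "We invest in network security and handle personal information of customers.",
    "We monitor the Advancing America\u2019s Networking and Information "
    "Technology Research and Development Act.",
]

if __name__ == "__main__":
    print(score_filing(SAMPLE_FILING))
```

The second constructed excerpt scores zero because its contextual phrases appear without any qualifying term, which is the false-positive pruning the dictionary structure is meant to support.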
For convenience, the measure used in the paper Cybersecurity awareness and market valuations (2018, JAPP) at the 10-K level is available below.
Updated data (latest 10-K filing date is March 3, 2023) for downloading:
Download the aggregated annual firm-level cybersecurity measure here (csv format): Cybersecurity Awareness measure, 2009-2023.
Examples:
Coca-Cola Consolidated, Inc. (ticker "COKE", file name "0001564590-19-005000", filing date Feb 27, 2019) reports nine excerpts with a cybersecurity awareness score of 49 in total.
Church & Dwight Co., Inc. (ticker "CHD", file name "0001564590-19-003587", filing date Feb 21, 2019) reports five excerpts with a total climate risk score of 69. The excerpts and their associated climate risk scores can be found in the attached file, as well as the total score for that year.