
Director Experience and Cybersecurity Events

James Nordlund∗

August 30, 2018

Abstract

I study labor market outcomes for, and monitoring activities by, corporate directors following a data breach. These directors lose shareholder support at hacked firms, but not at interlocking firms. The interlocking firms exhibit better cybersecurity risk monitoring after the breach, and hack-experienced directors receive more appointments at larger, better-governed firms following the event. The results suggest that, at least when the supply of a specific skill is particularly sparse, learning on the job following a crisis can dominate the stigma of failing to prevent that crisis in the labor market for corporate directors.

∗Louisiana State University, Ourso College of Business, Baton Rouge, LA 70803, email: [email protected]. I wish to thank Shradha Bindal, Audra Boone, Christa Bouwman, Shane Johnson, Adam Kolasinski, Frances Tice, and Nan Yang for helpful comments, and to Texas A&M seminar participants for their feedback.

Close to half of the directors we surveyed said “we know [cybersecurity] is an issue, but we don’t even know what kinds of questions we should be asking.”

– Jean-Marc Levy, interview for NYSE Governance Services’ Boardroom View

The principal roles of corporate directors are to monitor and advise management.1 In an effort to describe which directors are most likely to be effective at these tasks, certain traits have been found to characterize particular skills of directors. However, these traits consider broad aspects of a director’s career and are usually fixed at the time of appointment to the board, thus ignoring discrete changes in a director’s skillset following election to the board.2 An important but unanswered question in the literature on corporate boards is the extent to which the director labor market values recently acquired skills on top of the longer, more general resume of the director. One particularly interesting application of this question regards learning from rare crises. In the labor market for corporate directors, does an increased skillset associated with handling a crisis offset the reputational penalties borne by failing to prevent the crisis? This paper answers that question.

1 See Adams, Hermalin, and Weisbach (2010) and references therein for a survey of this literature.

2 This set of traits includes directors who are bankers (Guner, Malmendier, and Tate 2008), venture capitalists (Baker and Gompers 2003), lawyers (Krishnan, Wen, and Zhao 2011), CEOs from other firms (Fahlenbrach, Low, and Stulz 2010), experienced in the firm’s industry (Masulis et al. 2012; Von Meyerinck, Oesch, and Schmid 2016; Wang, Xie, and Zhu 2015), or experienced with related industries (Dass et al. 2013).

A crisis significant to firms and their directors in the modern era is a data breach that exposes customer/employee private information to unauthorized third parties. A number of large-scale, high-profile data breaches (Target Corp., Yahoo, Equifax, et cetera) have pushed cybersecurity risk to the forefront of public attention. Recent estimates put the average cost of a data breach at $7.35 million (Ponemon Institute LLC 2017). As indicated in the above quote, the supply of cybersecurity-savvy directors is remarkably low. Directors acquire first-hand experience with post-data breach protocol and fallout by sitting on boards of firms that suffer cybersecurity events, and it is possible that this experience is viewed positively in the director labor market. Yet anecdotal evidence suggests that shareholders lay part of the blame for data breaches at the feet of the board, suggesting a reputational penalty for data breach experience.3 In this paper, I empirically investigate the labor market consequences and post-data breach monitoring behavior of directors affiliated with a cybersecurity event, including subsequent cybersecurity risk management at interlocking boards. After controlling for a number of other observable director characteristics and addressing multiple forms of endogeneity, the data show that learning on the job after a data breach leads to a net increase in a director’s reputation in the labor market and that limited supply in the labor market plays a role in dampening reputational penalties for monitoring failures.

I use a database of publicly reported cybersecurity events (security breaches) at U.S. companies over 2005 to 2013.4 These data are provided by Privacy Rights Clearinghouse, which aggregates reports of cybersecurity events across the country that are triggered by state and federal data breach notification laws. These laws are consumer focused, rather than shareholder focused. That is, disclosure is not restricted to events that firms deem material, but rather encompasses the universe of cybersecurity events that have the possibility of adversely affecting consumers.

3 See, for example, https://www.wsj.com/articles/iss-calls-for-an-overhaul-of-target-board-after-data-breach-1401285278 or https://www.wsj.com/articles/iss-says-five-equifax-directors-should-be-voted-out-1523901276, accessed 7/31/18.

4 The dataset is available for download at www.privacyrights.com.

Cybersecurity risk management requires active oversight. A rules-based, “check-the-boxes” style of cybersecurity management appears to be at best a partial solution to the problem.5 Dating at least as far back as 2005, federal regulators have required active monitoring, evaluation, and review of information security practices.6 A pervasive assumption in the discussion of cybersecurity risk management is that the board of directors has a positive role to play in mitigating risk. Survey evidence indicates that directors understand the need for involved review of cybersecurity practices. Eighty-nine percent of directors report that cybersecurity is regularly discussed in board meetings (NACD 2017). Members of the Securities and Exchange Commission have called on boards of directors to become even more proactive in managing cybersecurity risk (Aguilar 2014), and members of Congress seek a legislative effort to require boards to disclose the presence of a “cybersecurity expert” (Senate Bill 536), similar to the SOX requirement to disclose the presence of a “financial expert” (Reed, Collins, and Warner 2017). The presumption is never that directors are themselves technically sophisticated, but rather there is an expectation that directors be able to review their firms’ cybersecurity practices and be aware of procedures that may reduce risk.7

5 Target Corp., for example, was certified compliant with the Payment Card Industry’s (PCI) security standards just weeks before it fell victim to a massive malware attack that stole customer payment information (Bjorhus 2014).

6 For example, after failing to encrypt consumer payment information or to delete it in a timely manner consistent with bank security rules, BJ’s Wholesale Club experienced a data breach that resulted in millions of dollars of fraudulent purchases. A settlement from June of 2005 with the Federal Trade Commission resulted in BJ’s agreeing to “regular testing or monitoring” and “evaluation and adjustment” of its security protocols (FTC Docket No. C-4148).

7 For example, Fontaine and Stark (2018) suggest the following set of questions for directors: “Have we tested how these policies and procedures would operate if we suffered a cyber-attack?” “Where do we store our data?” “What kind of data are we keeping and why?” “What steps have we taken to validate the adequacy and sufficiency of the procedures we do have?” “How can we best gauge program effectiveness?” “Do we have adequate cyber insurance coverage in place?” “Are we investing in a manner that aligns with our true risk?”

I show that directors are significantly more likely to leave their board positions at a hacked firm, and that those who stay on receive fewer votes in their subsequent re-election to the board. Evidence from a Cox proportional hazards model shows that the probability of director turnover rises by 20% following the announcement of a data breach. Using a Heckman selection model to control for departures that take place prior to the general shareholders meeting (e.g. departure by directors who choose to step down, knowing they would not be re-elected), I find that cybersecurity events lower a director’s re-election vote by 1.3 percentage points. The combined results are indicative of reputational penalties for poor monitoring, consistent with the work of Srinivasan (2005), Fich and Shivdasani (2007), Ertimur, Ferri, and Maber (2012), and Brochet and Srinivasan (2014), amongst others.

I also find that the increased turnover hazard following a data breach is mitigated when a director has a technology background. This result is suggestive evidence that the labor pool for directors with technological backgrounds is shallow, making these directors difficult to replace. As a validation of this conjecture, I show that turnover risk is larger when the local labor market for directors is larger (Knyazeva, Knyazeva, and Masulis 2013), and in particular when the pool of local potential directors includes technology experts.

Because director turnover at hacked firms happens, on average, nine months after the breach occurred, the director has a front row seat to post-data breach response efforts by the firm as well as claims of insufficient monitoring filed by litigious consumers. This on-the-job training may lead to increased monitoring skill, and the data support this claim. Interlocking firms experience better cybersecurity outcomes: they are 14% more likely to begin disclosing cybersecurity risk in the annual report and are 80% less likely to experience a data breach. Because the focus here is on firms that already employed the director at the time of the data breach, the director is not endogenously selected because of their experience with this event. The change in a director’s cybersecurity skillset is effectively exogenous for these interlocking firms. Moreover, these firms are not endogenously chosen by directors seeking to avoid another data breach. The results for interlocking firms are robust to exclusion of interlocks between hacked and un-hacked firms with a high vertical relatedness coefficient (Dass et al. 2013), which rules out the possibility that these are spurious results generated by vertically related interlocking firms.

If data breach experience is viewed as a positive shock to director skill, then one would expect to see benefits down the road in the labor market for new directorships (Yermack 2004). Consistent with a perceived increase in skill, I show that directors affiliated with data breaches are significantly more likely to take on new board appointments, and these appointments are likely to be at larger firms. To the extent that firm size proxies for the prestige of the board position, these directors end up at more prestigious positions than a matched set of directors who do not experience a data breach. Finally, hacked directors are appointed to firms with lower E-indexes (Bebchuk, Cohen, and Ferrell 2009), which implies that the new positions are not the result of entrenched managers seeking out directors with a reputation for poor monitoring (Levit and Malenko 2016).

These findings contribute to the corporate governance literature in a number of ways. First, I contribute to the literature on director reputation (Fama 1980; Fama and Jensen 1983) by documenting the role that supply-side labor market constraints play in limiting penalties for monitoring failures. Prior authors find an increase in turnover following financial fraud (Fich and Shivdasani 2007), accounting restatements (Srinivasan 2005; Brochet and Srinivasan 2014), and option backdating (Ertimur, Ferri, and Maber 2012). In these papers, directors more likely to be responsible for the oversight failure face harsher reputational penalties. Audit and compensation committee membership increases the likelihood of turnover in, respectively, cases of restatements (Srinivasan 2005; Brochet and Srinivasan 2014) and backdating (Ertimur, Ferri, and Maber 2012). In contrast, although directors with technology backgrounds are most likely to be assumed at fault following a data breach, having a technology background mitigates turnover risk. This can be explained by the limited supply of technically savvy directors, and complementary analysis shows that turnover risk is indeed higher when the local labor pool of tech experts is larger. Limited supply is much less likely an issue in the market for qualified audit or compensation experts.

Second, I contribute to the literature on director skill sets (e.g. Adams, Akyol, and Verwijmeren (2018)). Directors have been shown to be valuable for their experience with acquisitions (Harford and Schonlau 2013; Field and Mkrtchyan 2017), a firm’s industry (Masulis et al. 2012; Von Meyerinck, Oesch, and Schmid 2016; Wang, Xie, and Zhu 2015), a firm’s related industries (Dass et al. 2013), or with banking (Guner, Malmendier, and Tate 2008). Adams, Akyol, and Verwijmeren (2018) point out that directors are an entire portfolio of skills, and show considerable cross-sectional variation in board skill sets. My findings show that director experience with data breaches is also valued in the labor market, as proxied by new board positions and the size of the new firms at which the director works.

Finally, I contribute to the literature on corporate disclosure by documenting a mechanism through which firms learn about what risks to disclose: the corporate director. Campbell et al. (2014) report that firms with more risk factors have higher market betas following the risk disclosure. Hope, Hu, and Lu (2016) find that more specific risk disclosure is associated with better analyst assessment of the firm. Thus, the general conclusion has been that risk disclosure is generally informative about firm risk. But how managers determine what risks to disclose has heretofore been unstudied. The increased incidence of cyber risk disclosure at interlocking firms is, to my knowledge, the first evidence of a channel through which firms learn what risk factors to consider.

2 Data

This section discusses the data used in the paper. Firm-level accounting data come from Compustat. Director-level data come from Boardex. These databases are linked by name, ticker, and International Security Identification Numbers using the algorithm described in Engelberg, Gao, and Parsons (2012). Data on shareholder voting records and a firm’s E-index (Bebchuk, Cohen, and Ferrell 2009) come from Institutional Shareholder Services. I measure whether a firm discloses cybersecurity as a form of risk by using Item 1A of the 10-K filing, and pull Item 1A disclosures from the DirectEdgar database. Data breach records are collected from Privacy Rights Clearinghouse (PRC). Three features of the combined data are described in detail here. First, I discuss cybersecurity events as documented by PRC. Next, I outline the procedure used to identify individual risk factors of a firm’s annual report, since this is novel to my paper. Finally, I detail the methodology used to classify directors as “technology experts.”

2.1 Cybersecurity Events

This paper uses all security breaches reported between 2005 and 2013 and recorded by Privacy Rights Clearinghouse (PRC). This dataset aggregates all reports of cybersecurity breaches published according to a state’s breach disclosure law. These laws require individuals in that state to be notified if their personal information is lost by a company entrusted with it. The first state to enact such a law was California in 2002. Following a wave of state-level laws in the mid-2000s, all states except two (Alabama and South Dakota) have disclosure laws in place. The dataset also includes breaches reported in accordance with the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996, which are federal regulations covering, respectively, financial institutions and health care plans/providers.8

8 A thorough discussion of state and federal regulations on breach notification laws is available at www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf.

Although breach notification laws vary by state, many of the fundamental aspects of the disclosure requirements are similar. Personal information loss that triggers disclosure includes social security numbers, driver’s license numbers, or financial information, although some states also extend this to include biometric information, a passport number, date of birth, et cetera.9 The disclosure timeline also varies by state. For example, California law requires disclosure of a breach be made “in the most expedient time possible and without unreasonable delay” (California Civil Code 1798.29) while in Ohio the disclosure must be made “in the most expedient time possible but not later than forty-five days following its discovery” (Ohio Code 1349.19). Note, however, that the laws are written based on the location of the consumer/employee whose records were lost, not the firm. A California-based firm conducting business in Ohio would need to follow Ohio laws in reporting information about a data breach to customers in Ohio. This is generally not a complication for firm disclosure, since differences in data breach notification laws are relatively minor across states.

9 https://www.bna.com/complicated-compliance-state-data-breach-notification-laws/

The PRC data categorizes reported data losses by the nature of the event that caused the loss. All cybersecurity events are classified as either: HACK (electronic entry by an outside party), CARD (electronic payment fraud, e.g. capturing credit card terminal data), INSD (data loss due to an insider taking advantage of a system), PHYS (lost, stolen, or discarded paper documents), PORT (lost, stolen, or discarded portable electronic devices), STAT (lost, stolen, or discarded electronic devices not designed to be moved), DISC (unintended/accidental disclosure), or UNKNOWN (all other events). I use all intentional forms of attack (HACK, CARD, INSD) in my analysis because accidental events – for example, a PORT event resulting from a company laptop stolen out of an employee’s car – are less likely to be subject to director level oversight.

The institution name identified by PRC is matched into firm names from Compustat using the Levenshtein algorithm to compare string values. Perfect matches are kept, and the remainder of the data are reviewed by hand and included when appropriate. Most of the observations in PRC do not link to Compustat because they are small private firms, non-profits (including education), or privately owned health care providers. Table 1 summarizes the frequency of data breaches for each NAICS sector over time.

[Table 1 about here]
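The name-linkage step described above, as an added example (not the paper's own code): institution names are normalized, exact matches are linked automatically, and everything else is ranked by Levenshtein distance into a queue for manual review. The institution and firm names below are constructed sample values, not records from PRC or Compustat, and the normalization rule (upper-case, drop punctuation) is an assumption about how a practitioner would prepare the strings.

```python
import re

# Constructed sample inputs (not PRC or Compustat data).
PRC_INSTITUTIONS = ["Target Corp.", "Acme Widgets Inc",
                    "Bank of Hawaii Corporation", "Heartland Payment Sys"]
COMPUSTAT_NAMES = ["TARGET CORP", "ACME WIDGETS INC", "BANK OF HAWAII CORP",
                   "HEARTLAND PAYMENT SYSTEMS INC", "TARGA RESOURCES CORP"]


def normalize(name):
    """Upper-case, replace punctuation with spaces and collapse whitespace so that
    trivial formatting differences do not count as edits."""
    return re.sub(r"\s+", " ", re.sub(r"[^A-Z0-9 ]", " ", name.upper())).strip()


def levenshtein(a, b):
    """Edit distance with unit cost for insertion, deletion and substitution
    (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def link_names(institutions, firm_names, top_n=3):
    """Return (auto_links, review_queue): perfect matches after normalization are
    linked directly; the rest get their top_n closest candidates for hand review."""
    firms = {normalize(f): f for f in firm_names}
    auto, review = {}, {}
    for inst in institutions:
        key = normalize(inst)
        if key in firms:
            auto[inst] = firms[key]
        else:
            ranked = sorted((levenshtein(key, k), f) for k, f in firms.items())
            review[inst] = ranked[:top_n]
    return auto, review


if __name__ == "__main__":
    auto, review = link_names(PRC_INSTITUTIONS, COMPUSTAT_NAMES)
    print("auto-linked:", auto)
    for inst, cands in review.items():
        print(f"review: {inst!r} -> {cands}")
```

Only exact normalized matches are accepted without a human in the loop; a small distance (for example the 7 edits separating "CORPORATION" from "CORP") is suggestive but is still left to hand review, as the paper does.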

One limitation of data breach information is that the severity of the breach is not always clear. A breach in the PRC data will include an estimated number of records lost (i.e., the number of customers who lost personal information) where possible, but this information is not always known. For example, the Heartbleed security bug found in early 2014 was an exploit that did not leave fingerprints, and therefore it was impossible to tell which records were stolen. In the event that PRC learns new information about the number of records that were lost (e.g. when the company updates its initial report after discovering a broader breach than originally believed), the data in PRC are revised to reflect the new numbers.10 Thus it is impossible to use PRC details to incorporate the severity of the breach into the analysis for the following two reasons: first, the severity is often unknown, and second, the timing of when the severity is disclosed is unclear.

10 I thank members of the Privacy Rights Clearinghouse team for responding to email queries to clarify certain aspects of their data collection process.

In the analysis that follows, I create an indicator variable that turns on when a director experiences a data breach at one of her firms. In my sample, 668 directors are affiliated with a data breach, and 18.7% of these experience more than one data breach in their careers. Additionally, because about half of corporate boards have 3-year staggered election cycles (Fos, Li, and Tsoutsoura 2018), I allow this dummy variable to switch on for two years at a time in all of my analysis. I define interlocking events in a similar fashion: the indicator variable turns on whenever a firm’s board shares a director with a hacked company, and the variable turns on for two years at a time.

2.2 Risk Factor Disclosure

Data on firm disclosure of risk factors are extracted from the DirectEdgar database, which pre-processes 10-K filings and separates out Item 1A into an HTML document that I parse with Python’s BeautifulSoup HTML parser. Item 1A of a firm’s 10-K filing discloses certain risk factors that a firm faces. I search for terms relating to cybersecurity risk (e.g. “hackers”). The full list of search terms is provided in the appendix.

I study both the incidence of cyber disclosure and the way in which cybersecurity disclosures are added to a firm’s 10-K filing. In the former case, a simple text search of whether the firm uses any of the aforementioned cybersecurity risk words is sufficient. In the latter, I am interested in the quality of this disclosure. This is measured by looking at whether a firm begins disclosing cybersecurity risk by adding an entirely new risk factor to the firm’s 1A filing or by adding cybersecurity risk to an existing disclosure. The former case is more likely to be a transparent and more complete disclosure of cybersecurity risk, whereas the latter is more likely to be a situation in which the firm sweeps cybersecurity into a kitchen-sink listing of potential risks. Figure 1 presents examples of each case.

[Figure 1 about here]

In panel A, Bank of Hawaii Corporation adds a risk factor discussing cybersecurity risk to its 10-K filing for the period ending 12/31/2011. Its previous filing, for the period ending 12/31/2010, did not include this factor. Thus, I classify Bank of Hawaii Corporation as including a new cybersecurity disclosure. The risk factor disclosure by Bank of Hawaii Corporation is three paragraphs long, and it discusses both the potential cybersecurity threats faced by the firm as well as possible consequences of a security breach. In panel B, The Empire District Electric Company updates an existing risk factor to include a discussion of cybersecurity risk. I classify this firm as updating an old disclosure to include cybersecurity risk. The added disclosure is one sentence long and recognizes that a cybersecurity threat exists.

To identify the different risk factors in the HTML document, I analyze the structure of formatting rules used in the document. The headers to each risk factor are assigned special formatting as visual cues to the reader. For example, some documents use bold font, some use italics, some use a different color, et cetera. I look over the distribution of formatting rules applied to the entire document and assume that the most common formatting structure is the one used for the body paragraphs of a risk factor and that the second most common formatting rule is the one identifying risk factor headers. Before reviewing the distribution of formatting rules, I exclude table and list paragraphs (e.g. those including a <tr> or <li> tag) from the distribution since some factors can include long bullet lists of sub-items. I place all table text into the preceding body paragraph so that it is included when searching for cybersecurity words.
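The header-detection heuristic just described, as an added example that is not the paper's code. The paper parses with BeautifulSoup; this version uses only the standard-library `html.parser` so that it runs without extra packages. A block's "formatting rule" is taken to be the set of inline formatting tags (with their style and color attributes) enclosing its first run of text; table and list blocks are left out of the frequency count and their text is folded into the preceding risk factor, as the paper does. The Item 1A fragment at the bottom is constructed, not a real filing, and the class and function names are this example's own.

```python
from collections import Counter
from html.parser import HTMLParser

INLINE_FORMAT_TAGS = {"b", "strong", "i", "em", "u", "font", "span"}
BLOCK_TAGS = {"p", "div", "li", "td", "th", "h1", "h2", "h3", "h4", "h5", "h6"}
TABLE_OR_LIST = {"table", "tr", "li"}   # blocks under these are excluded from the distribution
VOID_TAGS = {"br", "img", "hr"}         # never pushed on the tag stack (no closing tag)


class RiskFactorBlocks(HTMLParser):
    """Collect each text block with the formatting rule in effect at its first text run."""

    def __init__(self):
        super().__init__()
        self.blocks = []    # dicts: text, signature, in_table_or_list
        self.stack = []     # open (tag, attrs) pairs
        self.current = None

    def _signature(self):
        """Formatting rule = sorted tuple of enclosing inline tags and their style/color."""
        return tuple(sorted(
            (tag, attrs.get("style", "").replace(" ", "").lower(), attrs.get("color", "").lower())
            for tag, attrs in self.stack if tag in INLINE_FORMAT_TAGS))

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        self.stack.append((tag, dict(attrs)))
        if tag in BLOCK_TAGS:
            self.current = {"text": "", "signature": None,
                            "in_table_or_list": any(t in TABLE_OR_LIST for t, _ in self.stack)}
            self.blocks.append(self.current)

    def handle_endtag(self, tag):
        for k in range(len(self.stack) - 1, -1, -1):
            if self.stack[k][0] == tag:
                del self.stack[k:]
                break
        if tag in BLOCK_TAGS:
            self.current = None

    def handle_data(self, data):
        if self.current is None or not data.strip():
            return
        if self.current["signature"] is None:
            self.current["signature"] = self._signature()
        self.current["text"] += data


def split_risk_factors(html):
    """Return [{'header': ..., 'body': ...}] using the two-rule heuristic: the most common
    formatting rule marks body paragraphs, the second most common marks risk factor headers."""
    parser = RiskFactorBlocks()
    parser.feed(html)
    blocks = [b for b in parser.blocks if b["text"].strip()]
    counts = Counter(b["signature"] for b in blocks if not b["in_table_or_list"])
    if len(counts) < 2:
        return []
    (body_sig, _), (header_sig, _) = counts.most_common(2)
    factors = []
    for b in blocks:
        text = " ".join(b["text"].split())
        if not b["in_table_or_list"] and b["signature"] == header_sig:
            factors.append({"header": text, "body": ""})
        elif factors:  # body paragraphs and table/list text fold into the preceding factor
            factors[-1]["body"] = (factors[-1]["body"] + " " + text).strip()
    return factors


# Constructed Item 1A fragment (not a real filing): headers in bold, bodies unformatted.
SAMPLE_ITEM_1A = """
<html><body>
<p><b>We rely on information systems that could be compromised.</b></p>
<p>Our operations depend on systems that may be targeted by hackers, which could
disrupt service and expose customer data.</p>
<p>Remediation of a security incident may be costly.</p>
<p><b>Changes in interest rates could reduce our net income.</b></p>
<p>Rate movements affect the spread we earn on loans.</p>
<table><tr><td>Rate scenario</td><td>Net income effect</td></tr></table>
<ul><li>up 100 bp</li><li>down 100 bp</li></ul>
<p><b>We face intense competition.</b></p>
<p>Competitors may offer lower prices or better products.</p>
</body></html>
"""

if __name__ == "__main__":
    for f in split_risk_factors(SAMPLE_ITEM_1A):
        print(f["header"], "|", f["body"][:70])
```

The heuristic depends on bodies outnumbering headers, which holds for real filings but not for a document with one-line factors; a filing whose headers share the body formatting (nothing but whitespace between them) yields a single rule and the function returns an empty list rather than guessing.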

After finding the risk factor headers for a firm in years t and t − 1, I vectorize the headers using tf-idf and compute the pairwise cosine similarity between each risk factor header in t and each risk factor header in t − 1. This yields a matrix of cosine scores. To determine whether a factor in t is novel, or whether it is an updated version of a factor in t − 1, I create a mapping between the factors in t and t − 1 that maximizes the total pairwise cosine similarity between the two years. Table 2 provides an example matrix of cosine similarity scores.

[Table 2 about here]

This matrix of cosine similarity scores records how closely each risk factor header at time t − 1 matches a risk factor header at time t. I determine the best mapping between the time t − 1 factors and the time t factors by transforming each element of the matrix, a_{i,j}, by |1 − a_{i,j}| and applying the Hungarian Method to the resultant matrix. This method maps each risk factor in t − 1 to a factor in t such that no two factors in t − 1 point to the same factor at t, and the total cosine similarity across the assigned pairs of factors is maximized. In the reported analysis, an assigned pair is considered to be a successful match (the risk factor at t is the same as at t − 1) if the cosine similarity between the two is at least 0.75 (similarity is measured on a scale of 0 to 1). Results are robust to alternative cutoffs (e.g. 0.6, 0.9). I allow for scores less than 1, a perfect match, in order to allow for the possibility that risk factor headers could re-phrase or modify text from one year to the next. However, as scores move further below 1, there is an increased likelihood that the assigned (t − 1, t) pair of risk factors discusses different concepts.
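The year-over-year matching and the new-versus-updated classification from Section 2.2, carried through as an added example (not the paper's code). Headers from t − 1 and t are tf-idf vectorized, the cosine matrix a_{i,j} is turned into costs |1 − a_{i,j}|, the Hungarian Method assigns each t − 1 factor to a distinct t factor, and pairs at or above the paper's 0.75 cutoff count as the same factor; a t factor left unassigned is novel. Assumptions beyond the text: idf is smoothed over the combined headers of both years (so no term gets weight zero), the `CYBER_TERMS` list stands in for the paper's appendix list, the Hungarian implementation is the standard Kuhn-Munkres formulation, and the headers and bodies are constructed, not from any filing.

```python
import math
import re
from collections import Counter

CYBER_TERMS = ("hacker", "cyber", "data breach", "security breach", "malware")  # constructed
MATCH_CUTOFF = 0.75  # the paper's reported cosine cutoff for a successful match


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def tfidf_vectors(docs):
    """tf * smoothed idf, idf = ln((1+N)/(1+df)) + 1, computed over all docs given."""
    n = len(docs)
    df = Counter(t for d in docs for t in set(tokenize(d)))
    vecs = []
    for d in docs:
        toks = tokenize(d)
        vecs.append({t: (c / len(toks)) * (math.log((1 + n) / (1 + df[t])) + 1)
                     for t, c in Counter(toks).items()})
    return vecs


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def hungarian(cost):
    """Minimum-cost assignment (Kuhn-Munkres) for an n x m matrix with n <= m.
    Returns (row, col) pairs; every row gets a distinct column."""
    n, m, inf = len(cost), len(cost[0]), float("inf")
    u, v, p, way = [0.0] * (n + 1), [0.0] * (m + 1), [0] * (m + 1), [0] * (m + 1)
    for i in range(1, n + 1):
        p[0], j0 = i, 0
        minv, used = [inf] * (m + 1), [False] * (m + 1)
        while True:  # grow the alternating tree until a free column is reached
            used[j0] = True
            i0, delta, j1 = p[j0], inf, 0
            for j in range(1, m + 1):
                if not used[j]:
                    cur = cost[i0 - 1][j - 1] - u[i0] - v[j]
                    if cur < minv[j]:
                        minv[j], way[j] = cur, j0
                    if minv[j] < delta:
                        delta, j1 = minv[j], j
            for j in range(m + 1):
                if used[j]:
                    u[p[j]] += delta
                    v[j] -= delta
                else:
                    minv[j] -= delta
            j0 = j1
            if p[j0] == 0:
                break
        while j0:  # flip the augmenting path back to column 0
            j1 = way[j0]
            p[j0] = p[j1]
            j0 = j1
    return [(p[j] - 1, j - 1) for j in range(1, m + 1) if p[j]]


def match_factors(prev_headers, curr_headers, cutoff=MATCH_CUTOFF):
    """{t_index: (t-1_index, similarity)} for assigned pairs at or above the cutoff."""
    vecs = tfidf_vectors(prev_headers + curr_headers)
    pv, cv = vecs[:len(prev_headers)], vecs[len(prev_headers):]
    sim = [[cosine(a, b) for b in cv] for a in pv]
    cost = [[abs(1.0 - s) for s in row] for row in sim]   # the paper's |1 - a_ij|
    if len(prev_headers) <= len(curr_headers):
        pairs = hungarian(cost)
    else:  # more t-1 factors than t factors: solve on the transpose and swap back
        pairs = [(i, j) for j, i in hungarian([list(col) for col in zip(*cost)])]
    return {j: (i, sim[i][j]) for i, j in pairs if sim[i][j] >= cutoff}


def mentions_cyber(text):
    low = text.lower()
    return any(term in low for term in CYBER_TERMS)


def classify_cyber_disclosure(prev, curr):
    """prev, curr: lists of (header, body). One label per t factor."""
    matches = match_factors([h for h, _ in prev], [h for h, _ in curr])
    labels = []
    for j, (header, body) in enumerate(curr):
        cyber_now = mentions_cyber(header + " " + body)
        if j not in matches:
            labels.append("new cyber factor" if cyber_now else "new")
            continue
        i, _ = matches[j]
        cyber_before = mentions_cyber(prev[i][0] + " " + prev[i][1])
        labels.append("cyber added to existing factor" if cyber_now and not cyber_before
                      else "unchanged")
    return labels


# Constructed headers/bodies for two consecutive filings (not from any real 10-K).
PREV = [("Our business depends on the reliability of our information systems",
         "Outages could disrupt operations."),
        ("Changes in interest rates could reduce our net income", "Rate moves affect loan spreads."),
        ("We face intense competition in our markets", "Rivals may cut prices.")]
CURR = [("Our business depends on the reliability and security of our information systems",
         "Outages could disrupt operations, and hackers may attempt to access our systems."),
        ("Changes in interest rates could reduce our net income", "Rate moves affect loan spreads."),
        ("We face intense competition in our markets", "Rivals may cut prices."),
        ("A cyber attack or security breach could harm our reputation", "We may incur remediation costs.")]

if __name__ == "__main__":
    for (h, _), label in zip(CURR, classify_cyber_disclosure(PREV, CURR)):
        print(f"{label:32s} {h}")
```

In the constructed sample the reworded first header still scores well above 0.75 against its t − 1 version, so the firm is classified as adding cyber language to an existing factor (the paper's panel B case), while the fourth header has no counterpart and is a new cyber factor (the panel A case).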

2.3 Committee Membership

There is not a standard committee designation for the subset of directors more directly responsible for overseeing cybersecurity risk. I follow survey evidence from the National Association of Corporate Directors regarding the allocation of cyber responsibilities at the board (NACD 2017). In this survey, only 5% of directors report that their firm assigns cyber risk oversight to a technology committee. This is consistent with the observed rarity of technology committees in the Boardex data.11 Per the survey, 11% of firms assign the cyber risk oversight role to the risk committee, 51% assign the role to the audit committee, and 41% assign the responsibility to the full board (the survey allowed directors to select multiple responses).

In order to define which directors are most likely to be presumed responsible for monitoring cybersecurity risk, one needs a publicly observable proxy for whether each director has a technical background. In order to do this systematically for the 13,000 directors in my sample without manually reviewing the resumes of each director, I define an indicator variable, “tech expert,” that takes value one if the director ever served on a technology committee at any of her present or past board positions. This approach allows me to pinpoint which directors are most likely to have a certain technological background that would lend towards being the point person on cybersecurity risk monitoring (even if a board did not have a specific tech committee).

11 These committee assignments are not given standard names in the Boardex database and the appendix lists the committee names I use to classify a committee as assigned “tech” or “risk.”

3 Reputational Penalties

How do labor market outcomes change in response to breach events? Past work documents reputational costs (increased turnover) for directors following intentional misrepresentations at the firm, such as with option backdating or fraud (Ertimur, Ferri, and Maber 2012; Fich and Shivdasani 2007). Higher turnover risk also exists for audit committee members following restatements (Srinivasan 2005) because restatements indicate a monitoring failure by the directors on this committee. Likewise, a director who stays on following a bad event may receive a lower fraction of the vote in her re-election bid (Ertimur, Ferri, and Maber 2012). In this section, I investigate turnover and voting outcomes for breach-affiliated directors as two proxies for reputational penalties following a cybersecurity breach.

3.1 Turnover

I model the turnover likelihood for a director using a Cox proportional hazards model. A Cox model is preferred to a logistic model of turnover because it more realistically incorporates the time series of information about a director’s turnover hazard and recognizes that directors can be at risk without actually turning over (Shumway 2001; Campbell et al. 2011). The empirical framework is given by equation (1):

$$h(t \mid Z^F, Z^I, X) = h_0(t)\,\exp\!\left(\gamma Z^F_{j,t} + \theta Z^I_{i,j,t} + \beta' X_{i,j,t} + \varepsilon_{i,j,t}\right) \qquad (1)$$

where h(t) is the hazard of turnover for director i at firm j at time t, and Z^F and Z^I are, respectively, indicators for whether the firm was hacked or whether the director experienced a hack at an interlocking company. Time t corresponds to the firm’s fiscal year end; Z^F turns on if the firm was hacked in the 24 months leading up to the year end t. The vector X corresponds to director and firm controls that may contribute to a director’s hazard of turnover. I include as controls firm performance (return on assets) and firm size, as well as governance characteristics of the firm: board size, percentage of independent directors, the fraction of institutional investor holdings at the firm, and the firm’s E-index (Bebchuk, Cohen, and Ferrell 2009). I also control for the director’s age, as well as an indicator for whether the

director is over 65 to account for non-linearities around the age of retirement, the

number of board positions that the director holds, whether the director is classified

as independent, whether the director is female, whether the director sits on the firm’s

audit committee, and whether the director had any experience with cybersecurity

events prior to her appointment to the board. Finally, I control for two observable

features of the director or the firm that may differentially effect the director’s post-

breach turnover likelihood. First, I control for whether the director could be classified

as a technology expert, as defined in section 2, since this may lead to differential

assumed responsibility for cybersecurity monitoring. Second, I control for whether

the firm disclosed the existence of cybersecurity risk prior to the data breach taking

place.

Table 4 presents the estimated hazard ratios. Recall that in a hazard regression, a ratio of one indicates no effect. Ratios above one are positive effects, while ratios below one are negative effects. When a firm reports a data breach, the likelihood of director turnover rises by 20.5% at the firm (p-value = 0.077). In contrast, turnover likelihood at a director’s interlocked firms does not change in response to the reported breach. Thus, directors face employment consequences for their monitoring failure, but these consequences are limited to the breached firm. This paper is not the first to document limited reputational penalties for ineffective monitoring – for example, directors at firms that were part of the option backdating scandal of 2006-2007 were not any more likely to lose their jobs at non-backdating firms (Ertimur, Ferri, and Maber 2012). In the next section, I study post-breach changes in risk management at these interlocking firms and hypothesize a possible reason for retaining these directors at interlocking firms.

[Table 4 about here]

Given the novelty of cybersecurity as a form of risk, many firms do not list cybersecurity in their annual disclosure of risk factors.[12] Does part of the observed reputational penalty for suffering a data breach stem from failure to inform shareholders that cybersecurity was a potential threat? I test for this by interacting the data breach indicator variables (Z^F and Z^I from equation 1) with an indicator for whether the firm disclosed cybersecurity as a form of risk in its prior 10-K filing. This is the 10-K report from fiscal year end t − 2, since the indicators for data breaches flip on for events over the interval (t − 2, t]. An interaction term less than one would indicate decreased hazard for directors whose firm disclosed cybersecurity risk prior to a data breach occurring. The regression results from column two of table 4 indicate that prior disclosure of risk is not a mitigating factor in post-breach turnover – the interaction term is statistically indistinguishable from one.

[12] Per table 3, roughly 24% of firm-year observations between 2005 and 2013 included a disclosure of cybersecurity risk in Item 1A of a firm’s 10-K filing. Few, if any, firms are completely immune from cybersecurity concerns. One may wonder whether firms choose not to disclose cybersecurity risk because of Item 503(c) in Regulation S-K, which instructs firms to not present shareholders with a set of generic risk factors applicable to any firm. Evidence from Hu, Johnson, and Liu (2017), however, shows that the majority of firms report “downturn/recession” risk as a risk factor. This implies that generic factors are certainly fair game in corporate risk disclosure. More recently, the SEC provided guidance to clarify their position on cybersecurity as a risk factor, and included an 8-point list of items to consider when determining the relevancy of cyber to a company (see Release No. 33-10459, February 21, 2018).

I next consider the possibility that director turnover likelihood in response to a data breach will be higher when the director has a more direct role in overseeing cybersecurity risk management. Recall that the indicator variable, “tech expert,” takes value one if the director ever served on a technology committee at any of her present or past board positions. Directors with experience on technology committees for corporate boards are likely to be those most knowledgeable about cybersecurity risk management practices. It is therefore reasonable to assume that they would be held most directly responsible for reviewing the corporate practices that failed to stop a data breach from occurring. The past literature shows increased turnover hazard for directors most responsible for monitoring failure (Srinivasan 2005; Ertimur, Ferri, and Maber 2012; Brochet and Srinivasan 2014). Thus, one may expect that directors classified as “tech experts” would be more likely to turn over following a data breach.

As reported in column three of table 4, a director’s turnover hazard is lower for technology experts. The total hazard ratio of turnover for a technology expert (the direct plus the interacted effect) is statistically indistinguishable from one. Outside penalties at interlocked firms do not change in response to a director’s role at the breached firm. These results therefore imply that some of the directors most likely to be held responsible for implementing cybersecurity risk management practices are the least likely to turn over after a data breach. This is a deviation from prior work which finds that turnover following monitoring failure is highest among the group most directly responsible for monitoring. One significant difference between the “tech experts” of this study and the audit committee members more likely to turn over following restatements (Srinivasan 2005), as well as the compensation committee members more likely to turn over following backdating (Ertimur, Ferri, and Maber 2012), is that the supply of technology experts in the labor market for corporate directors is substantially smaller than the pool of qualified audit or compensation committee members.

The possibility that labor market constraints affect a director’s reputational penalty (turnover hazard) following a data breach is further explored in columns four and five of table 4. Following Knyazeva, Knyazeva, and Masulis (2013), I identify the set of non-competing firms within a 60 mile radius of the firm’s headquarters. Knyazeva, Knyazeva, and Masulis (2013) show that this pool of potential directors has a strong impact on board composition. I define the variable “local market” to be the log-transformed count of non-competing firms in the firm’s 60 mile radius, and interact this with the data breach indicator variables “firm breached” and “interlocked firm breached.” In column four, the positive interaction effect between “local market” and “firm breached” indicates that the hazard of turnover for directors at hacked companies increases when the pool of potential replacement directors is larger. In column five, I focus on a subset of this potential replacement pool. I identify all inside directors at non-competing firms within a 60 mile radius. These are therefore directors who are in a firm’s local labor pool. To ensure that they are reasonable candidates, I filter to the set of directors who have at most one other board appointment beyond the insider position at their own firm’s board, since directors with multiple other appointments may be less likely to be willing or able to take on an additional position. I then define the variable “local expert” equal to the percentage of this set of directors who are classified as “tech experts”, using a log transform to adjust for skewness. The interaction of “local expert” with “firm breached” is significant and positive, showing that directors at hacked companies face a higher hazard of turnover when the local pool of replacement directors includes a higher percentage of directors who have some experience on a board’s technology committee. Moreover, this interaction is significant and positive for interlocking positions as well, showing that directors face an increased hazard of turnover at even their interlocking positions when those interlocking firms have access to replacement directors with a technology background.

The totality of evidence in the turnover analysis suggests that directors face reputational penalties (increased turnover hazard) following a data breach, but that this is limited to their breached firm. This effect is mitigated by having a technology background and exacerbated by working at a firm with a large local pool of potential replacement options. It is difficult to systematically classify the 3,661 observed turnovers in my sample as voluntary or involuntary, especially given the limited information that is provided around most turnover announcements. This distinction is not an important one to make, however, since either can follow from shareholder disapproval. Shareholder pressure can lead to forced turnover of a director, or, more likely, the decision of a director to not seek re-election. The most important limiting factor of the analysis thus far is that it cannot fully separate turnover resulting from reputational penalties (i.e., directors leave because shareholders demand it) from turnover to avoid reputational penalties (i.e., directors leave to separate themselves from bad press). This latter possibility is consistent with work from Dewally and Peck (2010), Aharony, Liu, and Yawson (2015), and Fahlenbrach, Low, and Stulz (2017), amongst others, who argue that directors have an incentive to depart a firm following, or in advance of, a bad event in order to preserve their reputations. To further distinguish between these two possibilities, I turn to direct evidence from shareholder voting.

3.2 Votes Withheld

As direct evidence of whether data breaches affect shareholder approval of board members, I look to shareholder voting records from ISS.[13] The empirical design follows the equation

\[
\text{votes withheld}_{i,j,t} = \gamma Z^F_{j,t} + \theta Z^I_{i,j,t} + \beta' X_{i,j,t} + \varepsilon_{i,j,t} \qquad (2)
\]

where the votes withheld from director i at firm j at meeting t is a function of whether the firm was hacked, Z^F, and whether the director experienced a breach at one of her interlocking positions, Z^I. The vector X represents a set of controls. The control vector includes a similar set of observables as in equation 1, with the addition of variables unique to the ISS voting database. First, I add a control for the fraction of the vote a director received in her prior election, to account for variation in historical approval of a director. Second, I control for whether ISS recommends against voting favorably at meeting t. The variables of interest, Z^F and Z^I, are measured over the interval between a director’s election dates. That is, time t is an event-time for a director where time t is the current re-election vote for the director and time t − 1 represents the last time that the director was up for election (whether this was one or more years prior). The indicators Z^F and Z^I turn on if there is a data breach at, respectively, firm j or one of director i’s other appointments over the interval (t − 1, t]. Votes withheld are measured as the sum of votes against and abstentions, following Aggarwal, Dahiya, and Prabhala (2017).

[13] Names of directors up for election in the ISS voting database are matched to the Boardex-Compustat linked records with the same cusip using the director’s name and the Levenshtein algorithm. Because a director’s first name may be listed differently in different databases (e.g. “Ronald” in one database may be “Ron” in another), I include all diminutive forms of names in the matching procedure, using a diminutive lookup table available at: https://github.com/carltonnorthern/nickname-and-diminutive-names-lookup.
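The matching step described in footnote 13, as an added example that is not the paper’s own code: it pairs a Levenshtein edit distance with a diminutive lookup so that “Ron” and “Ronald” are treated as the same first name. The four-entry lookup table, the one-edit threshold and the sample names are constructed for this illustration; the paper uses the GitHub table cited in the footnote and restricts candidates to records sharing a cusip before comparing names.

```python
# Added example (not the paper's code): matching an ISS voting-record name
# to Boardex names for the same cusip, following footnote 13's recipe of
# Levenshtein distance plus a nickname/diminutive lookup. The lookup table,
# the max_edits threshold and the sample names are constructed here.
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the nickname-and-diminutive lookup table.
DIMINUTIVES: Dict[str, List[str]] = {
    "ronald": ["ron", "ronnie"],
    "william": ["bill", "will", "billy"],
    "elizabeth": ["liz", "beth", "betsy"],
    "robert": ["bob", "rob", "bobby"],
}

SUFFIXES = {"jr", "sr", "ii", "iii", "iv"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> Tuple[str, str]:
    """Lower-case, drop punctuation (hyphens become spaces) and
    generational suffixes, and return (first, last) tokens."""
    tokens = [t for t in re.sub(r"[^a-z\s]", " ", name.lower()).split()
              if t not in SUFFIXES]
    return tokens[0], tokens[-1]


def first_name_forms(first: str) -> Set[str]:
    """A first name, its diminutives, and the full names it abbreviates."""
    forms = {first}
    forms.update(DIMINUTIVES.get(first, []))
    for full, nicks in DIMINUTIVES.items():
        if first in nicks:
            forms.add(full)
            forms.update(nicks)
    return forms


def match_director(iss_name: str, boardex_names: List[str],
                   max_edits: int = 1) -> Optional[str]:
    """Return the closest Boardex name, or None if none is within max_edits.

    Last names must be within max_edits; first names must be within
    max_edits for at least one pair of forms. Candidates are scored by
    total distance and the earliest best score wins. Limiting candidates
    to one cusip, as the paper does, keeps near-miss collisions such as
    Ronald/Donald from mattering in practice.
    """
    first, last = normalize(iss_name)
    best: Optional[Tuple[int, str]] = None
    for cand in boardex_names:
        cfirst, clast = normalize(cand)
        last_d = levenshtein(last, clast)
        if last_d > max_edits:
            continue
        first_d = min(levenshtein(f, g)
                      for f in first_name_forms(first)
                      for g in first_name_forms(cfirst))
        if first_d > max_edits:
            continue
        score = last_d + first_d
        if best is None or score < best[0]:
            best = (score, cand)
    return best[1] if best else None
```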

The results from estimating equation 2 are reported in column one of table 5. Votes withheld in a director’s re-election are 1.3 percentage points (p-value = 0.014) higher following a data breach. This corresponds to a 24% increase over the sample mean, as reported in table 3. As with turnover risk, shareholder voting does not seem to negatively respond to interlocking data breaches.

[Table 5 about here]

One weakness of the linear model in equation 2 is that it ignores the endogenous selection issue surrounding the decision to stand for re-election. For directors who choose to leave prior to the general meeting, or who choose to let their appointment expire and not seek re-election to the board, one cannot observe what voting would have been. This corresponds to the classic Heckman framework in which the outcome of interest is censored according to a decision rule. In this case, the decision rule is the selection equation that models the decision to stand for re-election. I therefore analyze the system

\[
\begin{aligned}
\text{votes withheld}_{i,j,t} &= \gamma Z^F_{j,t} + \theta Z^I_{i,j,t} + \beta' X_{i,j,t} + \varepsilon_{i,j,t} \quad \text{if } \text{re-election}_{i,j,t} = 1 \\
\text{re-election}_{i,j,t} &= \Phi\left(\omega' X_{i,j,t} + \delta W_{i,t} + \upsilon_{i,j,t}\right)
\end{aligned} \qquad (3)
\]

using Heckman’s two-step estimator (Heckman 1979; Li and Prabhala 2007). In a slight abuse of notation, the vector of controls X is the same for the two equations, save for the ISS recommendation at time t, since this is not observed for directors who do not stand for re-election. The variable W represents an excluded variable used in predicting whether or not a director will stand for re-election that is not predictive of the vote outcome. The outcome of interest is estimated according to

\[
\text{votes withheld}_{i,j,t} = \gamma Z^F_{j,t} + \theta Z^I_{i,j,t} + \beta' X_{i,j,t} + \pi \lambda(X_{i,j,t}, W_{i,t}) + \varepsilon_{i,j,t} \qquad (4)
\]

where λ(X, W) is the inverse Mills ratio that corrects for self-selection from equation (3).
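As an added illustration (not the paper’s code) of the inverse Mills ratio λ(·) that enters equation (4), the block below computes λ from the standard normal density and distribution function and measures, with the R² of a fitted straight line, how close to linear λ is over a chosen range of the selection index, which is the collinearity question that decides whether π can be identified without an excluded variable. The sign convention is immaterial to that question, so the positive form φ/Φ is used; the index ranges in the comments are chosen for illustration.

```python
# Added example (not the paper's code): the inverse Mills ratio lambda(z)
# used in equation (4), built from the standard normal pdf and cdf with the
# standard library only, plus a check of how nearly linear lambda is over a
# range of the selection index. The paper writes lambda with a leading minus
# sign; that sign does not affect linearity, so phi/Phi is used here.
import math
from typing import List


def normal_pdf(z: float) -> float:
    """Standard normal density phi(z)."""
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)


def normal_cdf(z: float) -> float:
    """Standard normal distribution function Phi(z), via the error function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def inverse_mills(z: float) -> float:
    """lambda(z) = phi(z) / Phi(z): the selection correction term for an
    observation whose probit selection index equals z (here, a director
    who does stand for re-election)."""
    return normal_pdf(z) / normal_cdf(z)


def linear_fit_r2(xs: List[float], ys: List[float]) -> float:
    """R^2 of an ordinary least-squares straight line through (xs, ys)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    syy = sum((y - my) ** 2 for y in ys)
    if syy == 0.0:            # constant ys: a flat line fits perfectly
        return 1.0
    return (sxy * sxy) / (sxx * syy)


def mills_linearity(z_lo: float, z_hi: float, steps: int = 41) -> float:
    """R^2 of a straight line fitted to lambda(z) on an even grid over
    [z_lo, z_hi]. Values very close to 1 mean lambda is almost collinear
    with the linear index, which is exactly the case in which pi in
    equation (4) is poorly identified unless an excluded variable W shifts
    the selection index independently of X.

    Constructed illustration: over [-4, -2] the ratio is essentially a
    straight line (R^2 above 0.999), while over [-3, 3] it bends enough
    (R^2 below 0.99) that lambda carries information of its own."""
    grid = [z_lo + (z_hi - z_lo) * i / (steps - 1) for i in range(steps)]
    return linear_fit_r2(grid, [inverse_mills(z) for z in grid])
```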

Strictly speaking, an excluded variable is not required to correctly estimate a Heckman model. The concern for an excluded variable W is that if the inverse Mills function λ(·) = −φ(·)/Φ(·) is approximately linear over the region of observed X, then λ will be a near-linear function of X, and thus π will be estimated to be insignificant due to collinearity with X. This could lead to the false conclusion that the sample selection is irrelevant, since a π coefficient significantly different from zero indicates a sample-selection problem in the second stage that necessitates use of the Heckman procedure in place of OLS. In untabulated results, I run the Heckman framework without an excluded variable W and find a significant π, suggesting that the possible near-linearity problem of λ(·) is not a concern for the analysis here. However, for my main analysis, I define an excluded variable W as follows. I determine the set of current director appointments for the month prior to the re-election date or the reported departure date of the executive (whichever comes earlier). I then determine the location of each company headquarters for these board positions, and compute a director’s “travel distance” as the aggregate distance a director would have to travel to visit each board. The conjecture is that a higher aggregate travel distance would increase the likelihood of the director choosing to give up a board position. The total travel distance is estimated conservatively by assuming that the director lives in the center of these geographic positions (the medoid in the set of geo-coordinates), unless the director is an inside director at a firm, in which case I define her home zip code to be the zip code of the company headquarters at which she is an insider. Untabulated analysis finds that a director’s “travel distance” is uncorrelated with votes withheld, and use of the excluded variable lowers the variance inflation factor of π (a measure of multi-collinearity) by 52%. These facts combined indicate that travel distance satisfies the conditions needed to be a useful exclusion variable in the Heckman two-step procedure.
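The “travel distance” construction described above, as an added example that is not the paper’s code: headquarters locations are taken as (latitude, longitude) pairs, the assumed home is the medoid of that set (or the insider’s own headquarters), and the aggregate great-circle distance from home to every board is returned. The city coordinates in the comments and tests are constructed sample values, not data from the paper.

```python
# Added example (not the paper's code): the "travel distance" exclusion
# variable W. Inputs are (latitude, longitude) pairs for the headquarters
# of each board the director sits on; the coordinates used in the tests
# are constructed for the illustration.
import math
from typing import List, Optional, Tuple

Coord = Tuple[float, float]  # (latitude, longitude), decimal degrees

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(a: Coord, b: Coord) -> float:
    """Great-circle distance between two points, in statute miles."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def medoid(points: List[Coord]) -> Coord:
    """The member of the set with the smallest total distance to all
    members. Unlike a centroid, this is always one of the actual
    headquarters; ties go to the first point listed."""
    return min(points, key=lambda p: sum(haversine_miles(p, q) for q in points))


def travel_distance(board_hqs: List[Coord],
                    insider_hq: Optional[Coord] = None) -> float:
    """Aggregate miles from the director's assumed home to each board's HQ.

    Home is the medoid of the headquarters set, unless the director is an
    insider at one firm, in which case home is that firm's HQ. Using the
    medoid keeps the estimate on the low side: no other headquarters in
    the set gives a smaller total.
    """
    if not board_hqs:
        return 0.0
    home = insider_hq if insider_hq is not None else medoid(board_hqs)
    return sum(haversine_miles(home, hq) for hq in board_hqs)
```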

Column two of table 5 reports second-stage estimation results for equation (3). Similar to the linear form given in column one, the Heckman two-step estimation shows that votes withheld increase following a data breach. A data breach increases votes withheld by 1.6 percentage points (p-value = 0.017). As in the OLS specification, breaches at interlocking firms do not appear to negatively affect a director’s vote outcome. It is also worthwhile to note that the inverse Mills coefficient is significantly different from zero, which indicates that models which estimate votes withheld without correcting for self-selection surrounding the decision to stand for re-election are misspecified and suffer an omitted variables problem.

Columns three and four of table 5 test for interactive effects between the data breach indicators Z^F and Z^I and features which may lead to differential voting outcomes. In column three, I test interaction terms with the indicator variable for whether the firm disclosed cyber risk at time t − 1. As with director turnover, disclosure of cybersecurity risk in the prior period does not mitigate the reputational penalty (here, lower shareholder support) of suffering a data breach. However, interlocking breaches now seem to matter. For firms that disclose cybersecurity risk, directors receive lower shareholder support in re-election if these directors experience a data breach at one of their interlocking appointments. In column four, I test interaction terms with an indicator for whether the director can be classified as a technology expert. Consistent with the turnover analysis, the interaction between a firm data breach and a director’s status as a technology expert is negative, but here the result is not statistically different from zero.

A natural question following the turnover and shareholder voting analysis is why interlocking data breaches seem to matter so little to a director’s reputation. Suffering a data breach at an interlocking appointment does not lead to higher turnover, and in general does not result in reduced shareholder support at re-election. In the next section, I investigate post-breach outcomes to determine whether directors alter their behavior at firms interlocked with a hacked company.

4 Cybersecurity Monitoring

A pervasive assumption in the discussion of cybersecurity risk is that corporate directors should play a role in mitigating risk.[14] Despite this, half of directors report a lack of confidence in management’s ability to address cyber risk.[15] The labor market for corporate directors may value candidates who have direct experience with a data breach. The average director stays on at a hacked company for 9 months following a cybersecurity event. Over this time horizon, she is exposed to a variety of cyber risk management topics. Several events transpire after a data breach that can serve as first-hand education for the board. The company enters a cleanup period, in which it manages notification of affected parties and, sometimes, sets up call centers to answer questions from concerned customers. The company also faces fallout and the risk of customer loss, which may lead to an understanding of what approaches do and do not work in reassuring clients/customers. Additionally, the company faces claims by litigious parties of potential wrongdoing, in which suggestions of what should have been done better are laid out. The firm may also conduct an internal review of its current practices to identify where improvements can be made. Each of these could translate into learning on the job for breach-affiliated directors.

[14] See, for example, reports by the National Association of Corporate Directors (NACD 2017), U.S. Senate Bill 536 (Reed, Collins, and Warner 2017), and SEC guidance (Release No. 33-10459, published 2/21/2018).

[15] See “2017-2018 NACD Public Company Governance Survey” published at www.nacdonline.org.

To investigate whether data breach experience alters cybersecurity monitoring by corporate directors, I look to two publicly observable outcomes for a firm. First, I identify which firms disclose cybersecurity as a risk factor in their annual report. Second, I look at the empirically observed propensity to suffer a data breach.

The point of emphasis in this section is on interlocking firms. Post-breach behavior at a hacked company is less interesting. Firms that suffer a data breach are, for instance, more likely to discuss cybersecurity risk in their next annual report. This is not surprising. Many of these disclosures include not only a discussion of the possibility of future breaches but also a discussion of current breach fallout and, for example, ongoing litigation risk from the previous breach. Behavior at interlocking positions provides an interesting laboratory for investigating how a director’s experience with a data breach changes her cybersecurity monitoring. Because the focus is on interlocks that existed at the time of the data breach, the interlocking firms could not have endogenously selected the director for her cybersecurity experience. Had the firm done so, it would be hard to attribute any increased cybersecurity monitoring to the director. Moreover, these interlocking firms are not endogenously chosen by the director to be at lower risk of suffering a data breach, since the appointments were held prior to the cybersecurity event. Had the director chosen an interlocking position after the breach occurred, one would wonder whether the director selected this second position to avoid additional cyber fiascoes. Thus, when zeroing in on the firms that already employed a director who experiences a data breach somewhere else, one can cleanly attribute post-breach changes in behavior to director experience following from learning on the job.

4.1 Disclosure of Cybersecurity Risk

Over my sample period, 24% of firm-year observations include a disclosure of cybersecurity risk in the 10-K filing. How firms determine what to include in their Item 1A filing (disclosure of risk factors) is not well understood. These disclosures only became mandatory in 2005. Originally, there was concern that the risk factor disclosures would include a plethora of boilerplate language (Kravet and Muslu 2013). On average, firms that disclose more risk factors experience higher market betas and stock return betas post-disclosure (Campbell et al. 2014), and analysts do a better job of assessing firm risk when risk factors include named entities rather than general nouns (Hope, Hu, and Lu 2016). Thus, risk factors are generally thought to be informative about firm risk. However, the process through which firms uncover sources of risk is still unclear.

Internal governance has been shown to affect corporate transparency in other areas of disclosure, though much of this literature is focused on the independence of the board. For example, board independence leads to more precise and accurate management forecasts (Armstrong, Core, and Guay 2014) and better earnings quality (Ahmed and Duellman 2007). If first-hand experience with a data breach increases a director’s awareness of the risk and her ability to identify its presence at interlocking firms, then one would expect interlocking breach experience to be positively predictive of whether a firm will disclose cybersecurity as a source of risk. I model this using the logit specification:

\[
\operatorname{logit}(D_{i,t}) = \gamma Z^F_{i,t} + \theta Z^I_{i,t} + \beta' X_{i,t} + \varepsilon_{i,t} \qquad (5)
\]

where D is an indicator that takes value 1 if firm i discloses cybersecurity risk in the annual report at the end of fiscal year t. The indicator Z^F takes value 1 if the firm suffered a data breach in the 24 months ending at the fiscal year end t, and the indicator Z^I takes value 1 if at least one director at firm i experienced a data breach at one of her interlocking positions over the last 24 months. The vector X contains firm level controls. Because board structure and composition is thought to affect transparency, X includes a number of observable governance features: board independence, average director age, board size, an indicator for whether the board has a specifically designated risk committee, an indicator for whether the board is classified as busy (Fich and Shivdasani 2006), and the firm’s E-index (Bebchuk, Cohen, and Ferrell 2009). The vector X also includes firm observables that could indicate an increased risk of cyberattack, namely the size of the firm, the amount of sales at the firm, and the number of employees. Because disclosure of cybersecurity risk may be initiated by observing a data breach at a peer firm or from direct past experience, I also control for whether the firm was previously hacked (at any point in its history) and whether there was a recent data breach at another firm in the industry within the past 24 months. Additionally, I control for whether the firm previously disclosed cybersecurity risk, since risk factors are often maintained once added. Finally, all models include time and industry fixed effects to absorb constant latent time and industry variation in cybersecurity disclosure.[16] Industries are defined at the 2-digit NAICS level.[17]

[16] Firm fixed effects are not possible, as it would require the sample to be exclusively contained within firms that had variation in the outcome variable. Over my sample period, many firms always or never disclose cybersecurity risk.

[17] Although this is a rather coarse definition, it is necessitated by separation problems induced in maximum likelihood estimates of dichotomous outcomes. At finer levels, one encounters 3-digit or 4-digit NAICS groups that have zero incidence of cyber disclosure. Industry fixed effects at this granularity thus render the maximum likelihood unsolvable. This is an even more substantial problem in the next subsection when I turn to the incidence of data breaches, since many finer groupings of NAICS classifications have zero observed data breaches, though their risk of being breached is likely nonzero.

[Table 6 about here]

Table 6 reports the estimation results from equation 5. The estimated coefficient on the indicator for whether the board is interlocked to a data breach is positive and significant. A director’s outside experience with a cybersecurity event raises the estimated propensity to disclose cybersecurity risk by 6.6 percentage points, a 27.7% increase over the sample average. In column two, I repeat the analysis with a linear probability model and obtain similar results: a director’s external experience with a data breach raises the likelihood of a firm to disclose cybersecurity risk.

[Table 7 about here]

One caveat with the analysis thus far is that it cannot completely rule out spuriously significant results that are driven by similarities in interlocked firms that run deeper than merely sharing a director. Economically related firms often share directors (Dass et al. 2013). Thus, one concern could be that firms A and B are economically related, happen to share a director, and the increased propensity for firm B to disclose cyber risk following a data breach at A reflects firm B learning to identify cyber risks relevant to B by observing similarities in A and B’s exposure (rather than the disclosure running through learning by the shared director). To rule out this possibility, I follow Dass et al. (2013) and compute a vertical relatedness coefficient (VRC) using the Bureau of Economic Analysis Input-Output tables. A high VRC between two firms represents a significant amount of economic activity between the two firms’ industries. Thus, firms with higher VRCs are more likely to be economically related. To ensure that economically linked firms are not driving my results, I exclude interlocking connections between firms with a VRC in excess of 10% and re-run the analysis. The estimated coefficient on the indicator for whether the board is interlocked to a data breach remains positive and significant. The results are reported in the appendix.

Beyond the incidence of cybersecurity risk disclosure, a natural question is whether

director learning increases the quality of the disclosure. Risk factor disclosure is

thought to be of higher quality when it is more specific to the firm; thus, SEC guidance

recommends that factors be as firm-specific as possible, although this is often not

the case (SEC 2016). Table 7 reports the estimated marginal effects of a director’s

outside experience with cybersecurity on a firm’s quality of disclosure of cybersecurity

risk. This is estimated with a multinomial logit model with the same controls that

are used in (5). The outcome variable considers different cases of cyber disclosure

that depend on the quality of that disclosure. I proxy for the quality of a new

cybersecurity disclosure by dividing new disclosures between those that happen via

a new risk factor and those that happen via an addition to an existing risk factor. I


assume that new risk factors are more specific descriptions of cybersecurity risk and

therefore of higher quality. The marginal change in the probability of switching from

no cybersecurity disclosure to a cybersecurity disclosure via a new risk factor is an 11.5

percentage point increase (p-value < 0.01) for firms that employ a breach-interlocked

director. The marginal change in the probability of switching from no cybersecurity

disclosure to a new cybersecurity disclosure via an addition to an existing risk factor

is a 6.9 percentage point increase (p-value < 0.01) for firms that employ a breach-

interlocked director. Thus, a new data breach experience for a director significantly

changes the likelihood that a connected firm discloses cybersecurity risk, consistent

with table 6. In the last column, I test whether firms are more likely to initiate

cybersecurity disclosure either with a new risk factor or by adding to an existing risk

factor. The results show that a firm is 4.6 percentage points (p-value = 0.016)

more likely to initiate cybersecurity disclosure with a new risk factor when the firm

employs a director with recent data breach experience. Thus, along with an increased

propensity to disclose cybersecurity risk, firms interlocked with a hacked company are

more likely to have a higher quality disclosure of cybersecurity risk.

4.2 Future Cybersecurity Events

As a second measure of director cybersecurity monitoring, I use the propensity of

the firm to suffer a data breach in the following year. One limitation of cyber risk

disclosure is that it could be cheap talk. The board may encourage the firm to

disclose cyber risk merely in an attempt to limit their liability to shareholders without

taking real steps to ensure cybersecurity events are made less likely. On the other

hand, if data breach experience leads to development of director skill in monitoring

cybersecurity risk, one would expect that the probability of a firm suffering a data


breach would decrease. Therefore, in this subsection I study the realized likelihood

of suffering a data breach to learn whether directors with cybersecurity experience

lower their firms' propensity to suffer a data breach. Importantly, I again look at

shocks to a director’s experience with cybersecurity and its effect on firms at which

the director is already employed. This removes the potential that breach-affiliated

directors will endogenously seek out less risky board appointments in the future. The

primary analysis here follows a logistic model:

$$\operatorname{logit}(H_{i,t+1}) = \gamma Z^{F}_{i,t} + \theta Z^{I}_{i,t} + \beta' X_{i,t} + \varepsilon_{i,t} \qquad (6)$$

where $H$ is an indicator that takes value 1 if firm $i$ discloses a data breach over the

interval $(t, t + 1]$. The indicator $Z^{F}$ takes value 1 if the firm suffered a data breach

in the 24 months ending at the fiscal year end $t$, and the indicator $Z^{I}$ takes value 1

if at least one director at firm $i$ experienced a data breach at one of her interlocking

positions over the last 24 months. The vector $X$ contains firm level controls. This

is the same set of controls used in (5), since the factors that affect whether a firm

discloses cybersecurity risk should be similar to the set of factors that characterizes

whether the firm is at risk for a data breach.

Table 8 presents the estimated marginal effects on a firm’s propensity to suffer

a data breach. Column one presents results for a logistic regression model. The

data show that firms employing a director who experiences a data breach at an

interlocking firm are 0.6 percentage points (p-value < 0.01) less likely to experience

a data breach. Though a 60 basis point drop in risk may seem small, it represents

a 33% decrease from the sample mean. Because cybersecurity events are rare in the

data, I repeat the analysis with a complementary log-log model in column two. While

also a dichotomous outcome model, the complementary log-log model is more robust


to sparse outcomes (Cameron and Trivedi 2005). These results are nearly identical to

the logistic specification. Finally, I present the results for a linear probability model

in column three, which has the advantage of easy interpretation of the estimated

coefficients. While the magnitude of the effects appears somewhat smaller (though

still significant) under an OLS estimation, it should be recognized that the linear

probability model predicts negative probabilities of data breaches in 26% of the sample

observations. Therefore, the dichotomous outcome models reported in columns one

and two are likely a more realistic fit to the data.

[Table 8 about here]

4.3 Robustness of the Interlocking Effects

As discussed in section 4.1, the estimated propensity to disclose cybersecurity risk

is robust to excluding interlocks between economically related firms, defined by the

pairwise vertical relatedness coefficient of Dass et al. (2013). Results are inferentially

similar when the “interlocked breach” indicator is flipped back to zero in all instances

in which the interlocking breach was due to a connection to a vertically related firm.

These results are presented in appendix table B1. Likewise, the estimated propensity

to suffer a data breach is robust to exclusion of interlocks between economically

related firms (appendix table B2).

One might ask whether there is some other unobservable factor which explains

why the propensity to disclose cybersecurity risk is higher at interlocking firms. Per-

haps a director happens to be at multiple firms that are at an above-average risk

of suffering a data breach, thus leading to the observed increase in cyber disclosure.

However, absent the presence of director learning, it is hard to rationalize why the

estimated propensity to suffer a data breach becomes lower at these (supposedly,


high-risk) interlocking firms. Likewise, one might wonder whether there is some unobservable

factor which explains why the propensity to suffer a data breach is lower

at interlocking firms. Perhaps a director naturally lands at some high-risk and some

low-risk firms. The high-risk boards suffer breaches, but the low-risk (interlocking)

firms do not. However, absent the presence of director learning, it is hard to ratio-

nalize why the estimated propensity to disclose cyber risk becomes higher at these

(supposedly, low-risk) interlocking firms.

As an additional approach to verify that the estimated effects found in this section

are in fact due to director learning, I perform a placebo test by temporally shifting

the “interlocked breach” variable. I redefine this indicator variable to turn on if the

firm is interlocked to a company which will report a data breach next year. Thus,

the indicator picks up on the same variation in connection between firms, but it is

time-shifted such that the interlocking directors would not have actually been exposed

to any potential learning at the hacked firm. The results show that the incidence of

cyber risk disclosure (appendix table B3) and the propensity to suffer a data breach

(appendix table B4) are unaffected by a forward-looking version of the “interlocked

breach” indicator. This implies that the timing of the event matters, and gives

additional support to the claim that the interlocking effects of this section are in fact

driven by directors learning on the job.

The combined results of tables 6, 7, and 8 show that directors who experience

data breaches increase their cyber monitoring at their other current firms. These

interlocked firms are more likely to disclose cyber risk, do so in a higher quality fash-

ion, and are less likely to experience a data breach. In the next section, I determine

whether this demonstrated increase in monitoring skill is valued in the labor market

for corporate directors.


5 New Board Appointments

Having observed an improvement in cybersecurity risk monitoring by directors at

their interlocking positions following a data breach, a natural question is whether

this experience makes them more valuable in the labor market for corporate director-

ships. In the literature on corporate governance, earning new board appointments is

interpreted as a sign of a good reputation in the labor market (Yermack 2004). Thus,

under the hypothesis that cyber experience is viewed positively in the labor market,

one would expect to see an increase in board seats for directors with such experience. I

estimate this using a logistic model:

$$\operatorname{logit}(N_{i,t+4}) = \gamma Z_{i,t} + \beta' X_{i,t} + \varepsilon_{i,t} \qquad (7)$$

where N is an indicator for whether director i receives at least one new board position

over the interval (t, t + 4] and t indexes time at a quarterly frequency. Variable Z

is an indicator for whether director i experienced a data breach over the 24 months

ending at the end of quarter t. The vector X contains publicly observable features

of a director’s resume that may be relevant in obtaining a new position. Here, I

control for director age and sex, as well as the number of board appointments that

the director has at the end of quarter t. I also control for the average size of the

firms at which the director currently serves and their average performance

in order to capture the director's employment record.

[Table 9 about here]

The results for equation 7 are reported in the first column of table 9. Marginal

effects are reported. A director is 2.5% (p-value < 0.01) more likely to receive a new

position in the next twelve months if she experiences a data breach. The analysis


following equation 7 assumes that the variable Z, an indicator for whether or not

a director experiences a data breach, is distributed randomly. The propensity of a

firm to report a cybersecurity event does indeed appear to be near-random (table 8).

However, as a robustness check I use the doubly-robust matching estimator of Hirano

and Imbens (2001) that matches directors on their propensity to suffer a data breach

and then estimates the propensity to achieve a new board position using the matched

sample. The treatment effect of Z under this econometric framework is reported in

the last line of table 9. This approach yields inferentially similar results. Directors

are significantly more likely to obtain a new directorship in the year following a data

breach.

One caveat to the analysis regarding new directorships is that directors may be

sought out for their reputations as bad monitors, rather than being sought out for

their reputation as being a skilled (good) monitor (Levit and Malenko 2016). Thus,

the new board appointments may reflect the fact that directors who experience data

breaches are understood to be weak monitors, and thus are hired on by firms in which

management has captured the director selection process. While the post-breach monitoring

analysis performed in the prior section does seem to rule out this conjecture (since directors increase their monitoring activity), as an additional check I zero in

(since directors increase their monitoring activity), as an additional check I zero-in

on the directors who receive new positions and compare the E-index of these firms

(Bebchuk, Cohen, and Ferrell 2009) between hacked and un-hacked directors. Firms

with a higher E-index are more likely to have entrenched management. If directors

who experience data breaches are sought out for their reputation as bad monitors,

rather than for their increased skill in cybersecurity risk monitoring, then one would

expect to see them end up at firms with a higher E-index. I show in column two of

table 9 that this is not the case. In fact, of the set of directors who take on new posi-

tions, directors with cybersecurity experience end up at firms with better governance


(as proxied by the firm’s E-index).

The fact that directors who experience data breaches obtain more new positions

is not immediately indicative of better director reputation in the labor market and a

perceived increase in a valuable skill. This is because directors may compromise and

take on less prestigious positions following the cybersecurity event. Thus, in order

to better characterize the types of boards at which directors gain appointments, I

look to firm size as a proxy for prestige (Shivdasani 1993; Adams and Ferreira 2008;

Masulis and Mobbs 2014). All else equal, directors should view a board position at a

larger firm as more valuable than a position at a smaller firm.

6 Conclusion

This paper studies whether the director labor market values smaller, discrete changes

in director skill on top of the broader resume of the director. In particular, I contrast

post-data breach monitoring activities and labor market outcomes against reputa-

tional penalties at existing board appointments. This allows me to uncover whether

an increased skillset in monitoring for cybersecurity risk (a discrete change in a direc-

tor’s skill set) is valued above the possibly damaging news that the director allowed

the data breach to occur.

I find evidence that director turnover hazard at hacked firms is 20% higher follow-

ing a data breach and that votes in favor of re-electing the director are 1.3 percentage

points lower. There is a pervasive assumption in the discussion of cyber policy that

internal governance has a positive role to play in mitigating risk, and anecdotal evi-

dence suggests that shareholders buy in to this notion and assign some of the blame

for a data breach to the board. My results give empirical support to these claims.

However, while directors do suffer some reputational penalties at the hacked firm,


I find evidence that a labor pool short on technically skilled directors plays a role in

dampening reputational penalties. Technology experts do not experience increased

turnover risk, and turnover hazard and shareholder support at interlocking firms are

unaffected. Consistent with the hypothesis that learning on the job makes these di-

rectors valuable, thus justifying their retention, I find that post-breach monitoring at

interlocking firms improves. Specifically, the incidence of cybersecurity risk disclosure

increases, the quality of risk disclosure increases, and the propensity to suffer a data

breach decreases.

Finally, I find that directors who experience a data breach are sought out in the

labor market. They take on new positions, and at larger (more prestigious) firms. The

results suggest that, at least when the supply of a specific skill is particularly sparse,

learning on the job following a crisis can dominate the stigma of allowing a crisis to

occur in the labor market for corporate directors.


References

Adams, R. B., B. Hermalin, and M. Weisbach (2010). “The role of boards of directors in corporate governance: A conceptual framework and survey”. Journal of Economic Literature 48.1, pp. 58–107.

Adams, R. B., A. C. Akyol, and P. Verwijmeren (2018). “Director skill sets”. Journal of Financial Economics.

Adams, R. B. and D. Ferreira (2008). “Do directors perform for pay?” Journal of Accounting and Economics 46.1, pp. 154–171.

Aggarwal, R., S. Dahiya, and N. Prabhala (2017). “The Power of Shareholder Votes: Evidence from Director Elections”. Journal of Financial Economics, forthcoming.

Aguilar, L. (2014). Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus. url: https://www.sec.gov/news/speech/2014-spch061014laa (visited on 08/07/2018).

Aharony, J., C. Liu, and A. Yawson (2015). “Corporate litigation and executive turnover”. Journal of Corporate Finance 34, pp. 268–292.

Ahmed, A. S. and S. Duellman (2007). “Accounting conservatism and board of director characteristics: An empirical analysis”. Journal of Accounting and Economics 43.2-3, pp. 411–437.

Armstrong, C. S., J. E. Core, and W. R. Guay (2014). “Do independent directors cause improvements in firm transparency?” Journal of Financial Economics 113.3, pp. 383–403.

Baker, M. and P. A. Gompers (2003). “The Determinants of Board Structure at the Initial Public Offering”. Journal of Law and Economics XLVI, October.

Bebchuk, L., A. Cohen, and A. Ferrell (2009). “What matters in corporate governance”. Review of Financial Studies 22.2, pp. 783–827.

Bjorhus, J. (2014). Clean Reviews Preceded Target’s Data Breach, and Others. url: http://www.govtech.com/security/Clean-Reviews-Preceded-Targets-Data-Breach-and-Others.html (visited on 05/12/2017).

Brochet, F. and S. Srinivasan (2014). “Accountability of independent directors: Evidence from firms subject to securities litigation”. Journal of Financial Economics 111.2, pp. 430–449.

Cameron, A. and P. Trivedi (2005). Microeconometrics: methods and applications. New York: Cambridge University Press.

Campbell, J. L., H. Chen, D. Dhaliwal, H.-m. Lu, and L. Steele (2014). “The Information Content of Mandatory Risk Factor Disclosures in Corporate Filings”. Review of Accounting Studies 19.1, pp. 396–455.

Campbell, T. C., M. Gallmeyer, S. A. Johnson, J. Rutherford, and B. W. Stanley (2011). “CEO optimism and forced turnover”. Journal of Financial Economics 101.3, pp. 695–712.


Dass, N., O. Kini, V. Nanda, B. Onal, and J. Wang (2013). “Board Expertise: Do Directors from Related Industries Help Bridge the Information Gap?” Review of Financial Studies 27.5, pp. 1533–1592.

Dewally, M. and S. W. Peck (2010). “Upheaval in the boardroom: Outside director public resignations, motivations, and consequences”. Journal of Corporate Finance 16.1, pp. 38–52.

Engelberg, J., P. Gao, and C. Parsons (2012). “The Price of a CEO’s Rolodex”. Review of Financial Studies 26.1, pp. 79–114.

Ertimur, Y., F. Ferri, and D. Maber (2012). “Reputation Penalties for Poor Monitoring of Executive Pay: Evidence from Option Backdating”. Journal of Financial Economics 104.1, pp. 118–144.

Fahlenbrach, R., A. Low, and R. M. Stulz (2010). “Why do firms appoint CEOs as outside directors?” Journal of Financial Economics 97.1, pp. 12–32.

— (2017). “Do independent director departures predict future bad events?” Review of Financial Studies 30.7, pp. 2313–2358.

Fama, E. (1980). “Agency Problems and the Theory of the Firm”. The Journal of Political Economy 88.2, pp. 288–307.

Fama, E. and M. Jensen (1983). “Separation of Ownership and Control”. Journal of Law and Economics 26.2, pp. 301–325.

Fich, E. M. and A. Shivdasani (2007). “Financial Fraud, Director Reputation, and Shareholder Wealth”. Journal of Financial Economics 86.2, pp. 306–336.

Fich, E. and A. Shivdasani (2006). “Are busy boards effective monitors?” The Journal of Finance LXI.2.

Field, L. and A. Mkrtchyan (2017). “The Effect of Director Expertise on Acquisition Performance”. Journal of Financial Economics 123, pp. 488–511.

Fontaine, D. and J. R. Stark (2018). Cybersecurity: The SEC’s Wake-up Call to Corporate Directors. url: https://corpgov.law.harvard.edu/2018/03/31/cybersecurity-the-secs-wake-up-call-to-corporate-directors.

Fos, V., K. Li, and M. Tsoutsoura (2018). “Do Director Elections Matter?” The Review of Financial Studies 31.4.

Guner, A. B., U. Malmendier, and G. Tate (2008). “Financial Expertise of Directors”. Journal of Financial Economics 88.2, pp. 323–354.

Harford, J. and R. J. Schonlau (2013). “Does the Director Labor Market Offer Ex Post Settling-Up for CEOs? The Case of Acquisitions”. Journal of Financial Economics 110.1, pp. 18–36.

Heckman, J. J. (1979). “Sample Selection Bias as a Specification Error”. Econometrica 47.1, pp. 153–161.

Hirano, K. and G. Imbens (2001). “Estimation of Causal Effects using Propensity Score Weighting: An Application to Data on Right Heart Catheterization”. Health Services & Outcomes Research Methodology 2, pp. 259–278.

Hope, O. K., D. Hu, and H. Lu (2016). “The Benefits of Specific Risk-Factor Disclosures”. Review of Accounting Studies 21.4, pp. 1005–1045.


Hu, S., S. A. Johnson, and Y. Liu (2017). “Asset Pricing under Uncertainty”. SSRN Working Paper.

Knyazeva, A., D. Knyazeva, and R. Masulis (2013). “The Supply of Corporate Directors and Board Independence”. Review of Financial Studies 26.6, pp. 1561–1605.

Kravet, T. and V. Muslu (2013). “Textual risk disclosures and investors’ risk perceptions”. Review of Accounting Studies 18.4, pp. 1088–1122.

Krishnan, J., Y. Wen, and W. Zhao (2011). “Legal expertise on corporate audit committees and financial reporting quality”. Accounting Review 86.6, pp. 2099–2130.

Levit, D. and N. Malenko (2016). “The Labor Market for Directors and Externalities in Corporate Governance”. Journal of Finance 71.2, pp. 775–808.

Li, K. and N. Prabhala (2007). “Self-selection models in corporate finance”. Handbook of Empirical Corporate Finance. Ed. by B. E. Eckbo. 1st ed. Vol. 1. Oxford: Elsevier. Chap. 2, pp. 37–86.

Masulis, R., C. Ruzzier, S. Xiao, and S. Zhao (2012). “Do Independent Expert Directors Matter?” Working paper.

Masulis, R. W. and S. Mobbs (2014). “Independent Director Incentives: Where do Talented Directors Spend Their Limited Time and Energy”. Journal of Financial Economics 111.2, pp. 406–429.

NACD (2017). Cyber-Risk Oversight. Tech. rep. National Association of Corporate Directors. url: https://www.nacdonline.org/files/FileDownloads/NACDCyber-RiskOversightHandbook2017.pdf.

Ponemon Institute LLC (2017). “2017 Cost of Data Breach Study”. March, pp. 1–34. url: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN&.

Reed, J., S. Collins, and M. Warner (2017). Cybersecurity Disclosure Act of 2017. url: https://www.congress.gov/bill/115th-congress/senate-bill/536 (visited on 05/12/2017).

SEC (2016). Concept Release on Business and Financial Disclosure Required by Regulation S-K. url: https://www.sec.gov/comments/s7-06-16/s70616-25.pdf (visited on 12/05/2017).

Shivdasani, A. (1993). “Board composition, ownership structure and hostile takeovers”. Journal of Accounting and Economics 16, pp. 167–198.

Shumway, T. (2001). “Forecasting Bankruptcy More Accurately: A Simple Hazard Model”. Journal of Business 74.1, pp. 101–124.

Srinivasan, S. (2005). “Consequences of Financial Reporting Failure for Outside Directors: Evidence from Accounting Restatements and Audit Committee Members”. Journal of Accounting Research 43, May, pp. 291–334.

Von Meyerinck, F., D. Oesch, and M. Schmid (2016). “Is Director Industry Experience Valuable?” Financial Management 45.1, pp. 207–237.


Wang, C., F. Xie, and M. Zhu (2015). “Industry Expertise of Independent Directors and Board Monitoring”. Journal of Financial and Quantitative Analysis 50.5, pp. 929–962.

Yermack, D. (2004). “Remuneration, Retention, and Reputation”. Journal of Finance LIX.5, pp. 2281–2308.


A Word Lists for Classifying Cyber Disclosure and

Board Committees

Cybersecurity words. I search 10-K item 1A filings for the following words related to

cybersecurity risk: cyber, data?breach*, cyber?security, cyber?attack*, computer?hack*,

hack*, information?security, unauthorized?access, security?breach*. I use ? as a wild-

card to mean either “” or “ ” since some firms use the spelling “cybersecurity” while

others use “cyber security” or “cyber-security” (I convert hyphens to spaces in pre-

processing). The wildcard * denotes any number of trailing alphabetic characters so

that plurals (e.g. “data breaches”) are picked up in the analysis.
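As an added illustration of this word search (example code written for this page, not part of the paper's own pipeline), the following Python translates the wildcard list above into a regular expression, applies the same preprocessing (lower-casing and converting hyphens to spaces), and runs it over a few constructed Item 1A excerpts. The excerpts, the function names and the choice to try longer terms first are assumptions made for the example; the term list itself is the one given above.

```python
import re

# Word list from Appendix A: "?" stands for an optional space (hyphens are
# converted to spaces in preprocessing) and "*" for any run of trailing
# alphabetic characters, so plurals such as "data breaches" are matched.
CYBER_TERMS = [
    "cyber", "data?breach*", "cyber?security", "cyber?attack*",
    "computer?hack*", "hack*", "information?security",
    "unauthorized?access", "security?breach*",
]


def term_to_regex(term: str) -> str:
    """Translate one wildcard term into a whole-word regular expression."""
    parts = []
    for ch in term:
        if ch == "?":
            parts.append(" ?")        # "" or a single space
        elif ch == "*":
            parts.append("[a-z]*")    # trailing letters (plurals, -ing, -ed)
        else:
            parts.append(re.escape(ch))
    return r"\b" + "".join(parts) + r"\b"


# Longer terms are tried first so that "cyber attack" is reported as one hit
# rather than as the bare word "cyber"; the 0/1 indicator is the same either way.
CYBER_PATTERN = re.compile(
    "|".join(term_to_regex(t) for t in sorted(CYBER_TERMS, key=len, reverse=True))
)


def preprocess(text: str) -> str:
    """Lower-case, replace hyphens with spaces and collapse whitespace,
    mirroring the preprocessing described in the appendix."""
    return re.sub(r"\s+", " ", text.lower().replace("-", " ")).strip()


def find_cyber_terms(item_1a: str) -> list:
    """Every matched phrase, in order of appearance, in an Item 1A text."""
    return [m.group(0) for m in CYBER_PATTERN.finditer(preprocess(item_1a))]


def discloses_cyber_risk(item_1a: str) -> bool:
    """The disclosure indicator: True if any cybersecurity term appears."""
    return CYBER_PATTERN.search(preprocess(item_1a)) is not None


# Constructed Item 1A excerpts for illustration (not taken from any actual 10-K).
SAMPLE_RISK_FACTORS = {
    "discloses": ("A cyber-attack or other security breaches of our information "
                  "technology systems could result in unauthorized access to "
                  "customer data."),
    "discloses_compact": ("Cybersecurity incidents, including those caused by "
                          "hackers, may disrupt operations."),
    "silent": ("Our results may be adversely affected by changes in interest "
               "rates and commodity prices."),
}

if __name__ == "__main__":
    for label, text in SAMPLE_RISK_FACTORS.items():
        print(label, discloses_cyber_risk(text), find_cyber_terms(text))
```

Because `hack*` accepts any trailing letters, a production run should spot-check the matched phrases (as `find_cyber_terms` returns them) rather than trusting the indicator alone.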

Boardex committee names. The following is a list of all committee names in

the Boardex database that I use to classify a director as having a technology role:

cyber security, technology, technology environmental social responsibility, technol-

ogy & development, technology & products, technology advisory, technology risk,

technology strategy and innovation, technology strategy and investment, technology

and acquisition, technology and competition, technology and corporate responsibil-

ity, technology and environment, technology and quality, technology and reserves,

technology and safety, technology and science, technology and strategy, technology

and transactions, e-commerce and technology, health it, health safety environment

and technology, it, it oversight, it steering, information systems, information systems

steering committee, information technology, information technology and security, risk

and information security, safety environment and technology, science and technology,

science and technology advisory, scientific and technology, technical, technical health

safety and environmental, technical advisory, technical services, technical and com-

mercial oversight, technical and operations, technical and projects, technical and

reserves, technical and resources, technical and safety.


The following is a list of all committee names in the Boardex database that I use to

classify a director as having a risk role: corporate risk, enterprise risk management,

governance & risk, governance nominating & risk oversight, governance and risk,

risk, risk compliance and planning, risk & credit, risk assessment, risk capital and

subsidiaries, risk management, risk management & compliance, risk management

and finance, risk oversight, risk oversight and management, risk policy, risk policy

and capital, risk review, risk review investment and loan, risk and capital, risk and

credit policy, risk and public policy, risk and regulatory, risk and return, risk and

safety health and environment.

B Robustness Checks

This section reports the estimates for the robustness checks discussed in sections 4.1

and 4.3. In the first set of tests, I verify that the estimated effects of sharing a director

with a hacked company are not due to economic connections between the firms. I flip

the indicator “interlocked breach” back to zero in instances in which the interlocking

hacked firm has a pairwise vertical relatedness coefficient (Dass et al. 2013) of greater

than 10%. In the second set of tests, I temporally shift the indicator of “interlocked

breach” so that it turns on in the year before the breach at the interlocking firm. This

maintains variation in pairwise connections between firms, but turns the indicator on

prior to any possibility of learning on the job by the interlocking director.
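As an added example, not from the paper, the following Python builds the firm breach and interlocked breach indicators of equation (6) from a constructed director-firm panel and shows both robustness variants described above: turning the interlock indicator off when the hacked firm's VRC with the focal firm exceeds 10%, and shifting its window forward by a year for the placebo. The seats, breach dates and VRC values are constructed assumptions, and month-index arithmetic stands in for fiscal-year-end dates; the requirement that the director already hold both seats when the breach occurs follows the text of section 4.2.

```python
from dataclasses import dataclass


def ym(year: int, month: int) -> int:
    """Month index (year*12 + month-1) so that windows are integer arithmetic."""
    return year * 12 + (month - 1)


@dataclass(frozen=True)
class Seat:
    """One director's tenure on one board, as a closed month-index interval."""
    director: str
    firm: str
    start: int
    end: int


# Constructed sample panel; not the paper's BoardEx or breach data.
SEATS = [
    Seat("Alice", "A", ym(2010, 1), ym(2020, 12)),
    Seat("Alice", "B", ym(2010, 1), ym(2020, 12)),
    Seat("Bob",   "B", ym(2010, 1), ym(2020, 12)),
    Seat("Bob",   "C", ym(2010, 1), ym(2020, 12)),
    Seat("Carol", "D", ym(2010, 1), ym(2020, 12)),
    Seat("Carol", "A", ym(2016, 1), ym(2020, 12)),  # joined A after A's breach
]
BREACHES = {"A": [ym(2015, 3)], "C": [ym(2016, 9)]}   # firm -> breach months
# Hypothetical vertical relatedness coefficients for the interlocked pairs.
VRC = {frozenset({"A", "B"}): 0.02, frozenset({"B", "C"}): 0.15}


def seated(seat: Seat, month: int) -> bool:
    return seat.start <= month <= seat.end


def firm_breach(firm: str, t: int, lookback: int = 24) -> bool:
    """Z^F: the firm itself reported a breach in (t - lookback, t]."""
    return any(t - lookback < b <= t for b in BREACHES.get(firm, []))


def interlocked_breach(firm: str, t: int, window=(-24, 0), vrc_cutoff=None) -> bool:
    """Z^I: a director seated at `firm` at t also sat on another board when
    that board's firm was breached, with the breach month inside
    (t + window[0], t + window[1]]. The paper's indicator uses (-24, 0];
    the placebo of section 4.3 uses (0, 12], i.e. the other firm is breached
    in the following year. With vrc_cutoff set, interlocks to firms whose
    VRC with `firm` exceeds the cutoff are ignored (the appendix B exclusion)."""
    lo, hi = t + window[0], t + window[1]
    for own in (s for s in SEATS if s.firm == firm and seated(s, t)):
        for other in SEATS:
            if other.director != own.director or other.firm == firm:
                continue
            pair_vrc = VRC.get(frozenset({firm, other.firm}), 0.0)
            if vrc_cutoff is not None and pair_vrc > vrc_cutoff:
                continue
            for b in BREACHES.get(other.firm, []):
                # The director must already hold both seats when the breach occurs.
                if lo < b <= hi and seated(own, b) and seated(other, b):
                    return True
    return False


def build_panel(firms, year_ends, vrc_cutoff=None):
    """One row per firm-year with the regressors of equation (6) plus the
    placebo version of the interlock indicator."""
    return [
        {
            "firm": f,
            "t": t,
            "firm_breach": firm_breach(f, t),
            "interlocked_breach": interlocked_breach(f, t, vrc_cutoff=vrc_cutoff),
            "interlocked_breach_placebo": interlocked_breach(
                f, t, window=(0, 12), vrc_cutoff=vrc_cutoff),
        }
        for f in firms
        for t in year_ends
    ]


if __name__ == "__main__":
    for row in build_panel(["A", "B", "C", "D"], [ym(2016, 6), ym(2017, 6)],
                           vrc_cutoff=0.10):
        print(row)
```

In the constructed data, firm B is interlocked to A's 2015 breach through Alice at the 2016 year end, and to C's 2016 breach through Bob at the 2017 year end; the second interlock disappears under the 10% VRC cutoff, while firm D never turns on because Carol joined A only after A was breached.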


Table B1: Estimated Propensity to Disclose Cybersecurity Risk

This table estimates the probability of a firm including cybersecurity risk in its disclosed set of risk factors in its 10-K filing. Column one presents marginal effects from a logistic regression, whereas column two reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. To verify that interlocking effects are not driven by economic links between the two firms, I turn off the indicator for connections between firms with a vertical relatedness coefficient in excess of 10%. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                             (1) Logit      (2) LPM
Interlocked breach (excl. related firms)     0.078***       0.057**
                                             (0.027)        (0.021)
Firm breach                                  0.145          0.124
                                             (0.107)        (0.077)
Firm was previously hacked                   0.229***       0.150***
                                             (0.028)        (0.021)
Percent independent                          0.009          0.006
                                             (0.021)        (0.015)
ROA                                          0.023          0.012
                                             (0.015)        (0.013)
log(total assets)                            -0.058**       -0.045*
                                             (0.029)        (0.021)
log(sales + 1)                               0.035          0.022
                                             (0.023)        (0.018)
log(number of employees)                     0.025          0.024
                                             (0.033)        (0.028)
Number of breached peer firms                0.030**        0.025**
                                             (0.014)        (0.011)
Avg. director age                            -0.004         -0.003
                                             (0.004)        (0.003)
Number of directors                          -0.002         -0.002
                                             (0.010)        (0.007)
Hack in industry                             0.001          0.001
                                             (0.002)        (0.002)
E-index                                      0.009          0.003
                                             (0.010)        (0.008)
Previously disclosed cyber risk              1.088***       0.480***
                                             (0.186)        (0.055)
Busy board                                   0.019          0.004
                                             (0.048)        (0.032)
Firm has risk committee                      -0.014         -0.012
                                             (0.029)        (0.023)
N                                            2318           2318

Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.


Table B2: Probability of Reporting a Data Breach

This table reports estimates of the probability of a firm experiencing a data breach. Column one shows marginal effects from a logistic regression where the outcome variable is an indicator for whether the firm reports a cybersecurity event. Column two repeats the analysis with a complementary log-log model as a sparse-outcome robust alternative to the logit regression. Column three reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. To verify that interlocking effects are not driven by economic links between the two firms, I turn off the indicator for connections between firms with a vertical relatedness coefficient in excess of 10%. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                          (1) Logit ME    (2) Cloglog ME  (3) LPM
Interlocked breach (excl. related firms)  -0.007***       -0.008***       -0.024**
                                          (0.002)         (0.002)         (0.008)
Firm breach                               -0.000          -0.000           0.031
                                          (0.003)         (0.003)         (0.027)
Firm was previously hacked                 0.005**         0.005**         0.042**
                                          (0.002)         (0.002)         (0.016)
Percent independent                       -0.001*         -0.001          -0.004
                                          (0.001)         (0.001)         (0.003)
ROA                                        0.001           0.001           0.001
                                          (0.001)         (0.001)         (0.002)
log(total assets)                          0.000          -0.000          -0.004
                                          (0.002)         (0.003)         (0.011)
log(sales + 1)                             0.004           0.004           0.012
                                          (0.002)         (0.003)         (0.010)
log(number of employees)                   0.001           0.001           0.007
                                          (0.002)         (0.002)         (0.008)
Number of breached peer firms              0.000           0.000           0.000
                                          (0.001)         (0.001)         (0.004)
Avg. director age                         -0.000**        -0.000**        -0.001
                                          (0.000)         (0.000)         (0.001)
Number of directors                        0.000           0.000           0.000
                                          (0.000)         (0.000)         (0.001)
Hack in industry                          -0.001***       -0.001***       -0.002***
                                          (0.000)         (0.000)         (0.001)
E-index                                    0.001           0.001           0.003
                                          (0.001)         (0.001)         (0.003)
Previously disclosed cyber risk           -0.000          -0.000           0.002
                                          (0.002)         (0.002)         (0.009)
Busy board                                -0.004          -0.004          -0.013
                                          (0.005)         (0.005)         (0.009)
Firm has risk committee                   -0.002          -0.002          -0.006
                                          (0.003)         (0.003)         (0.007)
N                                          2318            2318            2318

Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.


Table B3: Estimated Propensity to Disclose Cybersecurity Risk

This table estimates the probability of a firm including cybersecurity risk in its disclosed set of risk factors in its 10-K filing. Column one presents marginal effects from a logistic regression, whereas column two reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. As a placebo test, the “interlocked breach” variable is temporally shifted so that it turns on in the year prior to a breach. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                          (1) Logit ME   (2) LPM
Interlocked breach (t+1)                   0.034          0.030
                                          (0.056)        (0.045)
Firm breach                                0.146          0.119
                                          (0.107)        (0.076)
Firm was previously hacked                 0.236***       0.153***
                                          (0.027)        (0.021)
Percent independent                        0.010          0.007
                                          (0.022)        (0.015)
ROA                                        0.024          0.013
                                          (0.015)        (0.013)
log(total assets)                         -0.058*        -0.043*
                                          (0.030)        (0.021)
log(sales + 1)                             0.040*         0.026
                                          (0.022)        (0.017)
log(number of employees)                   0.024          0.022
                                          (0.033)        (0.027)
Number of breached peer firms              0.035**        0.027**
                                          (0.015)        (0.012)
Avg. director age                         -0.004         -0.003
                                          (0.004)        (0.003)
Number of directors                       -0.003         -0.002
                                          (0.010)        (0.007)
Hack in industry                           0.001          0.001
                                          (0.002)        (0.002)
E-index                                    0.009          0.003
                                          (0.010)        (0.008)
Previously disclosed cyber risk            1.092***       0.480***
                                          (0.183)        (0.054)
Busy board                                 0.020          0.007
                                          (0.050)        (0.032)
Firm has risk committee                   -0.015         -0.013
                                          (0.031)        (0.023)
N                                          2318           2318

Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.


Table B4: Probability of Reporting a Data Breach

This table reports estimates of the probability of a firm experiencing a data breach. Column one shows marginal effects from a logistic regression where the outcome variable is an indicator for whether the firm reports a cybersecurity event. Column two repeats the analysis with a complementary log-log model as a sparse-outcome robust alternative to the logit regression. Column three reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. As a placebo test, the “interlocked breach” variable is temporally shifted so that it turns on in the year prior to a breach. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                          (1) Logit ME    (2) Cloglog ME  (3) LPM
Interlocked breach (t+1)                  -0.002          -0.002          -0.008
                                          (0.003)         (0.003)         (0.015)
Firm breach                                0.001           0.001           0.033
                                          (0.002)         (0.002)         (0.027)
Firm was previously hacked                 0.004*          0.004*          0.041**
                                          (0.002)         (0.002)         (0.016)
Percent independent                       -0.001*         -0.001*         -0.004
                                          (0.001)         (0.001)         (0.003)
ROA                                        0.001           0.001           0.001
                                          (0.001)         (0.001)         (0.002)
log(total assets)                          0.000           0.000          -0.005
                                          (0.002)         (0.002)         (0.011)
log(sales + 1)                             0.003           0.003           0.011
                                          (0.002)         (0.003)         (0.010)
log(number of employees)                   0.001           0.001           0.007
                                          (0.001)         (0.001)         (0.008)
Number of breached peer firms             -0.000          -0.000          -0.001
                                          (0.001)         (0.001)         (0.004)
Avg. director age                         -0.000**        -0.000**        -0.001
                                          (0.000)         (0.000)         (0.001)
Number of directors                        0.000           0.000           0.000
                                          (0.000)         (0.000)         (0.001)
Hack in industry                          -0.001***       -0.001***       -0.002***
                                          (0.000)         (0.000)         (0.001)
E-index                                    0.001           0.001           0.003
                                          (0.001)         (0.001)         (0.003)
Previously disclosed cyber risk            0.000           0.001           0.002
                                          (0.003)         (0.003)         (0.009)
Busy board                                -0.004          -0.004          -0.014
                                          (0.004)         (0.004)         (0.010)
Firm has risk committee                   -0.001          -0.001          -0.005
                                          (0.002)         (0.002)         (0.007)
N                                          2318            2318            2318

Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.


Table 1: Data Breach Events

This table documents the frequency of data breach events by year and NAICS sector. The data set includes all cybersecurity events reported by Privacy Rights Clearinghouse which merge into the Compustat universe, using the matching procedure described in section 2.1.

NAICS Sector                                       2005  2006  2007  2008  2009  2010  2011  2012  2013  Total
Utilities                                             0     2     0     0     0     0     0     0     0      2
Construction                                          0     0     1     0     0     0     1     0     0      2
Manufacturing                                         4     7    12     8     1     4     1     5     6     48
Wholesale Trade                                       0     1     0     0     0     3     0     0     0      4
Retail Trade                                          1     3     7     2     0     6     7     5     9     40
Transportation and Warehousing                        0     2     1     0     1     2     3     0     0      9
Information                                           1     1     5     1     8     5     1     6     5     33
Finance and Insurance                                 6    13     9     7     6    16     7     2     5     71
Real Estate and Rental and Leasing                    1     1     2     0     0     2     2     1     2     11
Professional, Scientific, and Technical Services      1     0     4     2     1     1     0     2     0     11
Administrative Support                                0     1     1     0     0     1     1     3     3     10
Educational Services                                  0     1     0     0     0     0     0     0     0      1
Healthcare Services                                   0     3     0     2     0     2     0     2     2     11
Accommodation and Food Services                       1     1     1     2     0     5     5     2     0     17
Total                                                15    36    43    24    17    47    28    28    32    270


Table 2: Example Mapping of Risk Factors Between $t-1$ and $t$

This table provides an example mapping between risk factors for a firm at time $t$ and time $t-1$. Each cell reports the cosine similarity between $rf^i_t$ and $rf^j_{t-1}$. In this example, $rf^b_{t-1}$ maps to $rf^C_t$, $rf^a_{t-1}$ maps to $rf^B_t$, and $rf^A_t$ is classified as a new risk factor. To establish a mapping between $t-1$ and $t$ I convert each element $a_{i,j}$ in the matrix (a cosine similarity) by $|1 - a_{i,j}|$ and apply the Hungarian Method to the resultant matrix.

                  $rf^A_t$   $rf^B_t$   $rf^C_t$
$rf^a_{t-1}$       0.032      0.95       0.09
$rf^b_{t-1}$       0.12       0.21       0.99
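The mapping step behind Table 2, carried through to the Table 7 distinction between a new cyber risk factor and an existing factor updated to mention cyber risk, as an added Python illustration (not the paper's own code). Bag-of-words vectors, the exhaustive assignment search standing in for the Hungarian method, the CYBER_TERMS keyword list and the factor texts are assumptions of this example; the matrix is the one printed in Table 2.

```python
"""Year-over-year risk-factor mapping (Table 2) and the new-vs-updated
cyber disclosure classification (Table 7). Added illustration, not the
paper's code; vectors, search and CYBER_TERMS are this example's assumptions."""
import itertools
import math
import re
from collections import Counter

# Assumed keyword list for spotting a cyber disclosure inside a factor's text.
CYBER_TERMS = {"cyber", "breach", "hackers", "malware", "unauthorized", "intrusion"}


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


def cosine_similarity(text_a, text_b):
    """Cosine similarity between the term-count vectors of two texts."""
    va, vb = Counter(tokenize(text_a)), Counter(tokenize(text_b))
    dot = sum(va[w] * vb[w] for w in va.keys() & vb.keys())
    norm_a = math.sqrt(sum(c * c for c in va.values()))
    norm_b = math.sqrt(sum(c * c for c in vb.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def similarity_matrix(old_texts, new_texts):
    """a[i][j] = cosine similarity between rf^i_{t-1} and rf^j_t."""
    return [[cosine_similarity(o, n) for n in new_texts] for o in old_texts]


def min_cost_assignment(sim):
    """One-to-one assignment of rows (t-1 factors) to columns (t factors) that
    minimises the summed cost |1 - a_ij|. Exhaustive search over permutations
    is exact and fast enough for the dozen or so risk factors in a 10-K; the
    Hungarian method reaches the same optimum in O(n^3)."""
    n_rows = len(sim)
    n_cols = len(sim[0]) if sim else 0
    best, best_cost = {}, float("inf")
    if n_rows <= n_cols:
        for cols in itertools.permutations(range(n_cols), n_rows):
            cost = sum(abs(1 - sim[r][c]) for r, c in enumerate(cols))
            if cost < best_cost:
                best, best_cost = dict(enumerate(cols)), cost
    else:  # more factors last year than this year: some are dropped
        for rows in itertools.permutations(range(n_rows), n_cols):
            cost = sum(abs(1 - sim[r][c]) for c, r in enumerate(rows))
            if cost < best_cost:
                best, best_cost = {r: c for c, r in enumerate(rows)}, cost
    return best  # {row index: column index}


def map_risk_factors(sim, old_labels, new_labels):
    """Return ({old label: matched new label}, [new labels with no predecessor])."""
    assignment = min_cost_assignment(sim)
    mapping = {old_labels[r]: new_labels[c] for r, c in assignment.items()}
    matched = set(assignment.values())
    new_only = [lab for c, lab in enumerate(new_labels) if c not in matched]
    return mapping, new_only


def mentions_cyber(text):
    return bool(CYBER_TERMS & set(tokenize(text)))


def classify_cyber_disclosure(old_texts, new_texts):
    """Table 7 cases: 'new factor' when a cyber-mentioning factor at t has no
    t-1 predecessor; 'updated factor' when cyber mentions at t sit only in
    factors whose predecessor did not mention cyber; 'none' otherwise."""
    old_labels, new_labels = list(old_texts), list(new_texts)
    sim = similarity_matrix([old_texts[k] for k in old_labels],
                            [new_texts[k] for k in new_labels])
    mapping, new_only = map_risk_factors(sim, old_labels, new_labels)
    if any(mentions_cyber(new_texts[k]) for k in new_only):
        return "new factor", mapping, new_only
    updated = [n for o, n in mapping.items()
               if mentions_cyber(new_texts[n]) and not mentions_cyber(old_texts[o])]
    if updated:
        return "updated factor", mapping, new_only
    return "none", mapping, new_only


# The similarity matrix printed in Table 2: rows rf^a_{t-1}, rf^b_{t-1};
# columns rf^A_t, rf^B_t, rf^C_t.
TABLE2_MATRIX = [[0.032, 0.95, 0.09],
                 [0.12, 0.21, 0.99]]

# Constructed factor texts patterned on the Figure 1 panels (not real filings).
OLD_FACTORS = {
    "a": "operations risks equipment failure outages fuel supply severe weather",
    "b": "interest rate risk loan deposit margin funding",
}
# Year t: the operations factor gains a cyber sentence (Table 7 case 3).
NEW_FACTORS_UPDATED = {
    "A": "interest rate risk loan deposit margin funding liquidity",
    "B": "operations risks equipment failure outages fuel supply severe weather cyber attack",
}
# Year t: operations factor unchanged, a separate cyber factor added (case 2).
NEW_FACTORS_ADDED = dict(NEW_FACTORS_UPDATED, B=OLD_FACTORS["a"],
                         C="breach in security of our information systems hackers malware")
```

Running `map_risk_factors(TABLE2_MATRIX, ["a", "b"], ["A", "B", "C"])` reproduces the Table 2 result: a maps to B, b maps to C, and A is new.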


Table 3: Summary Statistics

This table reports summary statistics of the data used. Panel A reports director-level variables, while panel B reports firm-level variables. All variables are defined in the text. The primary variables of interest in this paper are indicators for whether a firm suffers a data breach or whether an interlocking firm suffers a data breach.

Panel A: Director-level variables

                                 Mean       Std. Deviation
Data breach                      0.043      0.202
Age                              61.892     8.036
Age over 65                      0.346      0.476
Female                           0.146      0.353
Num. directorships               1.735      0.956
Independent dir.                 0.940      0.238
Previous cyber exp.              0.015      0.122
On audit committee               0.538      0.499
Tech expert                      0.045      0.206
Votes withheld                   5.418      7.876
ISS against                      0.109      0.312
Travel distance                  681.734    1352.244

Panel B: Firm-level variables

                                 Mean       Std. Deviation
Interlocked breach               0.143      0.350
Firm breach                      0.018      0.132
Firm was previously hacked       0.066      0.249
Percent independent              0.845      0.074
Number of directors              9.302      2.392
E-index                          0.023      1.042
Discloses cyber risk             0.238      0.426
ROA                              0.057      0.083
log(total assets)                7.775      1.538
log(sales + 1)                   7.323      1.436
log(number of employees)         1.949      1.275
Hack in industry                 10.350     8.477
Number of breached peer firms    15.492     10.370
Avg. director age                60.924     4.222
Busy board                       0.044      0.205
Firm has risk committee          0.085      0.278
Local market                     2.131      1.818
Local expert                     0.010      0.031


Table 4: Hazard of Director Turnover Following a Cybersecurity Event

This table reports hazard ratios for the variables used in predicting a director’s turnover. The primary interest is in the hazards for “firm breached,” an indicator for whether the firm had a data breach within the last two years, and “interlocked firm breached,” an indicator for whether the director experienced a data breach at one of her other firms in the last two years. The table shows that directors are more likely to turn over at a firm that reports a data breach (standard errors reported in parentheses).

                            (1)        (2)        (3)        (4)        (5)
Firm breach                 1.205*     1.160      1.288**    1.195*     1.086
                           (0.127)    (0.138)    (0.139)    (0.129)    (0.135)
... × Disclosed cyber risk             1.214
                                      (0.300)
... × Tech expert                                 0.411**
                                                 (0.182)
... × Local market                                           1.300***
                                                            (0.124)
... × Local expert                                                      2.369**
                                                                       (0.806)
Interlocked firm breach     1.019      1.113      1.048      1.017      1.014
                           (0.140)    (0.161)    (0.154)    (0.143)    (0.141)
... × Disclosed cyber risk             0.529
                                      (0.219)
... × Tech expert                                 0.794
                                                 (0.304)
... × Local market                                           1.019
                                                            (0.123)
... × Local expert                                                      1.263***
                                                                       (0.108)
Return on assets            0.961**    0.961**    0.961**    0.962**    0.962**
                           (0.016)    (0.016)    (0.016)    (0.016)    (0.016)
log(total assets)           0.999      0.999      0.999      0.998      0.998
                           (0.023)    (0.023)    (0.023)    (0.023)    (0.023)
Institutional holdings      0.770***   0.770***   0.770***   0.769***   0.769***
                           (0.015)    (0.015)    (0.015)    (0.015)    (0.015)
Local market                1.085***   1.085***   1.085***   1.092***   1.088***
                           (0.021)    (0.021)    (0.021)    (0.021)    (0.021)
Local expert                1.047***   1.047***   1.047***   1.047***   1.048***
                           (0.012)    (0.012)    (0.012)    (0.012)    (0.012)
Age                         0.984***   0.984***   0.984***   0.984***   0.984***
                           (0.004)    (0.004)    (0.004)    (0.004)    (0.004)
Num. directorships          0.969      0.969      0.970      0.970      0.970
                           (0.019)    (0.019)    (0.019)    (0.019)    (0.019)
Pct. board indep.           6.741***   6.744***   6.721***   6.732***   6.681***
                           (1.674)    (1.675)    (1.669)    (1.670)    (1.657)
Board size                  1.002      1.002      1.002      1.002      1.002
                           (0.008)    (0.008)    (0.008)    (0.008)    (0.008)
E-index                     0.956***   0.955***   0.956***   0.957***   0.957***
                           (0.015)    (0.015)    (0.015)    (0.015)    (0.015)
Previous cyber exp.         2.325***   2.343***   2.317***   2.306***   2.311***
                           (0.394)    (0.398)    (0.392)    (0.392)    (0.393)
Female                      1.024      1.023      1.024      1.022      1.024
                           (0.056)    (0.056)    (0.056)    (0.056)    (0.056)
Age over 65                 1.338***   1.339***   1.338***   1.337***   1.340***
                           (0.075)    (0.075)    (0.075)    (0.075)    (0.075)
Independent dir.            1.571***   1.571***   1.575***   1.572***   1.571***
                           (0.144)    (0.144)    (0.144)    (0.144)    (0.144)
Audit committee             0.905***   0.905***   0.905***   0.905***   0.906***
                           (0.032)    (0.032)    (0.032)    (0.032)    (0.032)
Disclosed cyber risk        1.349***   1.353***   1.347***   1.349***   1.349***
                           (0.067)    (0.069)    (0.067)    (0.067)    (0.067)
Tech expert                 1.215**    1.213**    1.274***   1.216**    1.211**
                           (0.102)    (0.102)    (0.110)    (0.102)    (0.101)
N                           51065      51065      51065      51065      51065
N directors                 13282      13282      13282      13282      13282
N turnovers                 3661       3661       3661       3661       3661

Hazard ratios reported.
Standard errors (clustered on director) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.


Table 5: Votes Withheld in Re-Election Bids Following a Cybersecurity Event

This table reports estimated coefficients for the variables used in predicting the percentage of votes withheld in a director’s re-election bid. The first column shows estimates from an ordinary least squares regression. The remaining columns report second-stage coefficients from a two-step Heckman estimator that controls for the endogenous selection into choosing to seek re-election. The primary interest is in the estimates for “firm breached,” an indicator for whether the firm had a data breach within the last two years, and “interlocked firm breached,” an indicator for whether the director experienced a data breach at one of her other firms in the last two years. The table shows that directors receive fewer votes following a data breach (standard errors reported in parentheses).

                                 (1) OLS      (2) Heckman  (3) Heckman  (4) Heckman
Firm breach                       1.325**      1.601**      1.339*       1.786**
                                 (0.538)      (0.671)      (0.745)      (0.696)
... × Disclosed cyber risk                                  0.878
                                                           (1.165)
... × Tech expert                                                       -1.687
                                                                        (1.703)
Interlocked firm breach          -0.014        0.394       -0.109        0.344
                                 (0.580)      (0.741)      (0.786)      (0.787)
... × Disclosed cyber risk                                  2.927**
                                                           (1.450)
... × Tech expert                                                        0.198
                                                                        (1.512)
Votes withheld (prior election)   0.208***     0.223***     0.223***     0.223***
                                 (0.008)      (0.013)      (0.013)      (0.013)
ISS Against                      17.150***    17.167***    17.164***    17.167***
                                 (0.198)      (0.195)      (0.195)      (0.195)
Return on assets                -14.627***   -15.119***   -15.052***   -15.135***
                                 (1.878)      (2.269)      (2.277)      (2.273)
log(total assets)                 0.125***     0.054        0.052        0.053
                                 (0.043)      (0.066)      (0.066)      (0.066)
Institutional holdings            1.739***    -0.893       -0.923       -0.905
                                 (0.162)      (1.441)      (1.443)      (1.442)
Age                               0.048***     0.049***     0.048***     0.049***
                                 (0.011)      (0.013)      (0.013)      (0.013)
Age over 65                      -0.424**     -0.519**     -0.507**     -0.519**
                                 (0.191)      (0.241)      (0.242)      (0.242)
Female                            0.187        0.121        0.122        0.117
                                 (0.203)      (0.249)      (0.250)      (0.249)
Independent dir.                  0.422**      0.563**      0.561**      0.562**
                                 (0.194)      (0.247)      (0.248)      (0.248)
Num. directorships                0.181***     0.121        0.121        0.121
                                 (0.061)      (0.083)      (0.083)      (0.083)
Tenure                            0.038***     0.058***     0.058***     0.058***
                                 (0.010)      (0.017)      (0.017)      (0.017)
Previous cyber exp.              -0.233        0.012       -0.006        0.031
                                 (0.613)      (0.745)      (0.749)      (0.747)
Audit committee                   0.168       -0.063       -0.066       -0.065
                                 (0.131)      (0.205)      (0.206)      (0.206)
Tech expert                       0.295        0.491        0.493        0.557
                                 (0.355)      (0.442)      (0.443)      (0.458)
Disclosed cyber risk             -0.102        0.964        0.924        0.966
                                 (0.165)      (0.600)      (0.602)      (0.601)
Pct. board indep.                 1.914**      5.197**      5.249***     5.207**
                                 (0.801)      (2.031)      (2.036)      (2.033)
Board size                       -0.194***    -0.191***    -0.190***    -0.191***
                                 (0.031)      (0.038)      (0.038)      (0.038)
E-index                           0.133**      0.336**      0.336**      0.336**
                                 (0.063)      (0.132)      (0.132)      (0.132)
Inverse Mills                                 -7.323*      -7.404*      -7.360*
                                              (3.964)      (3.971)      (3.967)
N                                              9863         9863         9863

Standard errors in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.


Table 6: Estimated Propensity to Disclose Cybersecurity Risk

This table estimates the probability of a firm including cybersecurity risk in its disclosed set of risk factors in its 10-K filing. Column one presents marginal effects from a logistic regression, whereas column two reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                          (1) Logit ME   (2) LPM
Interlocked breach                         0.066**        0.049*
                                          (0.031)        (0.022)
Firm breach                                0.147          0.125
                                          (0.107)        (0.077)
Firm was previously hacked                 0.230***       0.152***
                                          (0.028)        (0.020)
Percent independent                        0.009          0.005
                                          (0.021)        (0.015)
ROA                                        0.023          0.012
                                          (0.015)        (0.013)
log(total assets)                         -0.058**       -0.045*
                                          (0.029)        (0.021)
log(sales + 1)                             0.036          0.023
                                          (0.022)        (0.017)
log(number of employees)                   0.023          0.023
                                          (0.033)        (0.028)
Number of breached peer firms              0.031**        0.025**
                                          (0.014)        (0.011)
Avg. director age                         -0.004         -0.003
                                          (0.004)        (0.003)
Number of directors                       -0.002         -0.002
                                          (0.010)        (0.007)
Hack in industry                           0.001          0.001
                                          (0.002)        (0.002)
E-index                                    0.009          0.003
                                          (0.010)        (0.008)
Previously disclosed cyber risk            1.088***       0.479***
                                          (0.186)        (0.055)
Busy board                                 0.016          0.003
                                          (0.047)        (0.031)
Firm has risk committee                   -0.013         -0.011
                                          (0.029)        (0.023)
N                                          2318           2318

Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.


Table 7: Quality of Cybersecurity Disclosure

This table shows estimates of the probability of a firm adding a cybersecurity risk disclosure to its 10-K filing by considering categorical outcomes proxying for the quality of a new disclosure. Marginal effects computed from a multinomial logistic regression are reported. Controls, time fixed effects, and industry fixed effects are included but not reported below to conserve space. Control variables are identical to those in table 6. Standard errors are clustered on the industry and reported in parentheses below the marginal effects.

Case 1: No cybersecurity disclosure (baseline)
Case 2: At least one new factor disclosing cyber is added
Case 3: The only new cyber disclosure addition is through updating an existing factor

                      Pr(2)-Pr(1)   Pr(3)-Pr(1)   Pr(3)-Pr(2)
Interlocked breach     0.115***      0.069***     -0.046**
                      (.031)        (.013)        (.019)


Table 8: Probability of Reporting a Data Breach

This table reports estimates of the probability of a firm experiencing a data breach. Column one shows marginal effects from a logistic regression where the outcome variable is an indicator for whether the firm reports a cybersecurity event. Column two repeats the analysis with a complementary log-log model as a sparse-outcome robust alternative to the logit regression. Column three reports coefficients from a linear probability model. The effect of interest is on “interlocked breach,” an indicator for whether the firm employs a director affiliated with a data breach at another company. Both “firm breach” and “interlocked breach” are indicators that turn on for a duration of 24 months. Regressions include industry and time fixed effects and cluster on industry (standard errors reported in parentheses).

                                          (1) Logit ME    (2) Cloglog ME  (3) LPM
Interlocked breach                        -0.006***       -0.006***       -0.021**
                                          (0.002)         (0.002)         (0.008)
Firm breach                               -0.000          -0.000           0.030
                                          (0.003)         (0.003)         (0.027)
Firm was previously hacked                 0.005**         0.005**         0.041**
                                          (0.002)         (0.002)         (0.016)
Percent independent                       -0.001          -0.001          -0.004
                                          (0.001)         (0.001)         (0.003)
ROA                                        0.001           0.001           0.001
                                          (0.001)         (0.001)         (0.002)
log(total assets)                          0.000           0.000          -0.004
                                          (0.002)         (0.003)         (0.011)
log(sales + 1)                             0.004           0.004           0.012
                                          (0.003)         (0.003)         (0.010)
log(number of employees)                   0.001           0.001           0.007
                                          (0.002)         (0.002)         (0.008)
Number of breached peer firms             -0.000           0.000           0.000
                                          (0.001)         (0.001)         (0.004)
Avg. director age                         -0.000**        -0.000**        -0.001
                                          (0.000)         (0.000)         (0.001)
Number of directors                        0.000           0.000           0.000
                                          (0.000)         (0.000)         (0.001)
Hack in industry                          -0.001***       -0.001***       -0.002***
                                          (0.000)         (0.000)         (0.001)
E-index                                    0.001           0.001           0.002
                                          (0.001)         (0.001)         (0.003)
Previously disclosed cyber risk            0.000           0.000           0.002
                                          (0.002)         (0.002)         (0.009)
Busy board                                -0.003          -0.002          -0.012
                                          (0.004)         (0.004)         (0.009)
Firm has risk committee                   -0.002          -0.002          -0.006
                                          (0.003)         (0.003)         (0.007)
N                                          2318            2318            2318

Industry and time fixed effects not reported.
Marginal effects on the probability of the outcome variable are reported.
Standard errors (clustered on industry) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.


Table 9: New Board Positions after a Data Breach

In this table, columns one through three report, respectively, the estimated marginal effects in (1) a logistic prediction of whether or not a director will obtain a new board position in the next twelve months, (2) a linear prediction of the average E-index of the new board position(s), and (3) a linear prediction of the average firm size of the new board position(s). The variable of interest is “Breach in last 2 years,” which is an indicator variable that turns on if the director has experienced a data breach at any of her current board appointments in the last two years. The last line of the table reports estimated treatment effects for a doubly robust matching estimator implementation of the regressions in which directors who do and do not experience data breaches are matched on their propensity to experience a data breach (Hirano and Imbens 2001).

                                                 (1) New position  (2) Avg. E-index  (3) Avg. firm size
Breach in last 2 years                            0.025***         -0.143*            0.460**
                                                 (0.008)           (0.075)           (0.182)
Number of board positions                         0.036***         -0.015            -0.035
                                                 (0.001)           (0.011)           (0.024)
Avg. firm size of current board positions (log)   0.005***         -0.014**           0.596***
                                                 (0.001)           (0.006)           (0.013)
Avg. ROA of current board positions              -0.177***          0.131*            1.293***
                                                 (0.006)           (0.068)           (0.171)
Tech expert                                       0.036***         -0.016            -0.341**
                                                 (0.006)           (0.059)           (0.170)
Audit expert                                      0.026***          0.006            -0.093***
                                                 (0.001)           (0.009)           (0.020)
Risk expert                                      -0.038***          0.015             0.772***
                                                 (0.006)           (0.069)           (0.144)
Age                                              -0.005***          0.000            -0.017***
                                                 (0.000)           (0.002)           (0.004)
Age > 65                                         -0.047***         -0.037            -0.326***
                                                 (0.003)           (0.034)           (0.079)
Female                                           -0.008***          0.052*            0.298***
                                                 (0.003)           (0.028)           (0.062)
N                                                 728693            31304             31304
Matched Avg. Treatment Effect                     .055**           -.247***           .690**

Standard errors (clustered on director) in parentheses.
* p < 0.10, ** p < 0.05, *** p < 0.01.


Panel A: Example case of a firm adding a new risk factor that discloses cyber risk

An interruption or breach in security of our information systems may result in financial losses, loss of customers, or damage to our reputation. We rely heavily on communications and information systems to conduct our business. In addition, we rely on third parties to provide key components of our infrastructure, including loan, deposit and general ledger processing, internet connections, and network access. These types of information and related systems are critical to the operation of our business and essential to our ability to perform day-to-day operations, and, in some cases, are critical to the operations of certain of our customers. The risk of a security breach or disruption, particularly through cyber attack or cyber intrusion, including by computer hackers, has increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased. As a financial institution, we face a heightened risk of a security breach or disruption from threats to gain unauthorized access to our and our customers' data and financial information, whether through cyber attack, cyber intrusion over the internet, malware, computer viruses, attachments to e-mails, spoofing, phishing, or spyware.

Our customers have been, and will continue to be, targeted by parties using fraudulent emails and other communications to misappropriate passwords, credit card numbers, or other personal information or to introduce viruses or other malware through "trojan horse" programs to our customers' computers. These communications appear to be legitimate messages sent by the Bank, but direct recipients to fake websites operated by the sender of the e-mail or request that the recipient send a password or other confidential information via e-mail or download a program. Despite our efforts to mitigate these tactics through product improvements and customer education, such attempted frauds remain a serious problem that may cause customer and/or Bank losses, damage to our brand, and increase in our costs.

Although we make significant efforts to maintain the security and integrity of our information systems and we have implemented various measures to manage the risk of a security breach or disruption, there can be no assurance that our security efforts and measures will be effective or that attempted security breaches or disruptions would not be successful or damaging. Even the most well protected information, networks, systems and facilities remain potentially vulnerable because attempted security breaches, particularly cyber attacks and intrusions, or disruptions will occur in the future, and because the techniques used in such attempts are constantly evolving and generally are not recognized until launched against a target, and in some cases are designed not to be detected and, in fact, may not be detected. Accordingly, we may be unable to anticipate these techniques or to implement adequate security barriers or other preventative measures, and thus it is virtually impossible for us to entirely mitigate this risk. A security breach or other significant disruption could: 1) Disrupt the proper functioning of our networks and systems and therefore our operations and/or those of certain of our customers; 2) Result in the unauthorized access to, and destruction, loss, theft, misappropriation or release of confidential, sensitive or otherwise valuable information of ours or our customers, including account numbers and other financial information; 3) Result in a violation of applicable privacy and other laws, subjecting the Bank to additional regulatory scrutiny and expose the Bank to civil litigation and possible financial liability; 4) Require significant management attention and resources to remedy the damages that result; or 5) Harm our reputation or cause a decrease in the number of customers that choose to do business with us. The occurrence of any such failures, disruptions or security breaches could have a negative impact on our results of operations, financial condition, and cash flows.

10-K Filing by Bank of Hawaii Corporation for fiscal year end December 31, 2011

Figure 1: Two Example Disclosures of Cybersecurity Risk


Panel B: Example case of a firm updating an existing risk factor to include cyber risk

Operations risks may adversely affect our business and financial results.

The operation of our electric generation, and electric and gas transmission and distribution systems involves many risks, including breakdown or failure of expensive and sophisticated equipment, processes and personnel performance; operating limitations that may be imposed by equipment conditions, environmental or other regulatory requirements; fuel supply or fuel transportation reductions or interruptions; transmission scheduling constraints; and catastrophic events such as fires, explosions, severe weather or other similar occurrences. In addition, our information technology systems and network infrastructure may be vulnerable to internal or external cyber attack, unauthorized access, computer viruses or other attempts to harm our systems or misuse our confidential information.

We have implemented training and preventive maintenance programs and have security systems and related protective infrastructure in place, but there is no assurance that these programs will prevent or minimize future breakdowns, outages or failures of our generation facilities or related business processes. In those cases, we would need to either produce replacement power from our other facilities or purchase power from other suppliers at potentially volatile and higher cost in order to meet our sales obligations, or implement emergency back-up business system processing procedures.

10-K Filing by The Empire District Electric Company for fiscal year end December 31, 2011

Operations risks may adversely affect our business and financial results.

The operation of our electric generation, and electric and gas transmission and distribution systems involves many risks, including breakdown or failure of expensive and sophisticated equipment, processes and personnel performance; operating limitations that may be imposed by equipment conditions, environmental or other regulatory requirements; fuel supply or fuel transportation reductions or interruptions; transmission scheduling constraints; and catastrophic events such as fires, explosions, severe weather or other similar occurrences.

We have implemented training, preventive maintenance and other programs, but there is no assurance that these programs will prevent or minimize future breakdowns, outages or failures of our generation facilities. In those cases, we would need to either produce replacement power from our other facilities or purchase power from other suppliers at potentially volatile and higher cost in order to meet our sales obligations.

These and other operating events may reduce our revenues, increase costs, or both, and may materially affect our results of operations, financial position and cash flows.

10-K Filing by The Empire District Electric Company for fiscal year end December 31, 2010