When studying for a doctoral degree (PhD), candidates submit a thesis that provides a critical review of the current state of knowledge of the thesis subject as well as the student’s own contributions to the subject. The distinguishing criterion of doctoral graduate research is a significant and original contribution to knowledge.
Once accepted, the candidate presents the thesis orally. This oral exam is open to the public.
This dissertation examines the role of financial analysts in evaluating cybersecurity events within the commercial banking industry. The focus on commercial banks arises from their visibility and attractiveness as cyber attack targets. Although the immediate economic impact of data breaches may not be deemed substantial, the increasing number of such incidents in the past few years has garnered significant public scrutiny, especially from investors and analysts. The situation engenders a sense of ambiguity regarding the outlook of the affected business.
The dissertation comprises two complementary empirical chapters. Chapter 2 presents an exploratory case study on financial analysts’ interactions with top management teams in the context of conference calls following cyber incidents that resulted in data breaches. Such interaction between financial analysts and top management provides insights into cybersecurity incidents, as well as into the kind of information that financial analysts seek from management, information which presumably enters analysts’ decision-making process when forecasting a bank’s financial situation. The case study reveals that financial analysts ask more questions about cyber-related issues such as digital fraud, cloud technology, and technological investments to encourage top management at some banks to discuss their prevention efforts concerning cybersecurity risks and controls. When confronted by financial analysts during conference calls, managers generally discuss cyber incidents upfront.
Chapter 3 examines how cybersecurity events within U.S. commercial banks generate uncertainty for financial analysts, thus affecting their forecast properties. Cybersecurity incidents are extracted from a uniquely comprehensive database. The study contends that financial analysts are more likely to adjust forecasts for banks subjected to cyberattacks than those that are not, thus potentially improving the performance of analysts in the financial market. Moreover, following a cybersecurity event, financial analysts seem more likely to engage in herding behavior in their earnings forecasts.
Cyber incidents affect financial analysts’ information environment on two dimensions: uncertainty and information asymmetry. After security breaches, information asymmetry increases due to management’s standard practice of securing cybersecurity data to mitigate potential negative financial consequences. Despite the growing information asymmetry between managers and financial analysts, analysts remain driven to improve the quality of the information environment and reduce information uncertainty in the financial market.
Furthermore, analysts adjust earnings forecasts for banks that experience cyber attacks when the cyber information environment is poor, and the market uncertainty is high. However, they are not likely to revise earnings forecasts for banks that suffer incidents when the information asymmetry is high. Finally, analysts have different forecasting behaviors based on different cyber events, such as confidentiality, integrity, and availability.
This thesis provides new insight into the information dynamics in cybersecurity by concentrating on financial analysts, a significant intermediary. The thesis contributes to the literature on financial analysts by highlighting analyst demand for information related to cybersecurity issues and analyst reactions to cybersecurity events (earnings forecast revisions, timeliness of the revision, uncertainty). Thus, this thesis advances our understanding of the inputs analysts use in their decision-making and how they respond to events that exacerbate uncertainty in the information environment. In addition, this thesis also contributes to the disclosure literature. For instance, the discussions highlighted between analysts and managers can inform top management more broadly on the cybersecurity-related disclosures that capital markets require and potentially on how to strengthen firm cybersecurity policies. Regulators could use the findings in this thesis to decide how to enhance the required disclosures around or adjust their guidance on cybersecurity issues.