With the rapid increase in major cybersecurity breaches in recent years, cybersecurity risk has become one of the top global concerns, leading regulators and firms to strengthen cybersecurity risk management and disclosure practices. Recognizing the escalating threat landscape, the U.S. Securities and Exchange Commission (SEC) and U.S. state governments have implemented stricter disclosure regulations. The increasing regulatory pressure on firms now requires them to disclose not only cybersecurity breaches but also their risk management practices and board oversight. This dissertation investigates how firms communicate cybersecurity risk information in their disclosures, how these disclosures respond to both the firm’s own breach incidents and those of industry peers, whether they carry predictive signals of future breaches, and how markets react to cybersecurity breaches.

The first chapter introduces a firm-level cybersecurity awareness score constructed from annual 10-K filings to capture how firms respond to cybersecurity breaches. By using firm-specific filing timelines, the chapter examines how firms update their cybersecurity awareness following breach incidents. The finding shows that firms significantly increase the use of cybersecurity-related terms in their 10-K fillings after experiencing either their own breaches or those of peers, indicating that the cybersecurity awareness score reflects perceived cybersecurity risk. Notably, higher cybersecurity awareness scores are positively associated with the likelihood of future breaches, suggesting that firms recognize and communicate their heightened exposure to cybersecurity risks. However, while a firm’s own past breaches predict future incidents, competitor breaches do not.

The second chapter evaluates the capability of Large Language Models (LLMs), including GPT-4, Llama3, and finBERT, for sentiment analysis of cybersecurity-related disclosures in 10-K filings. These models are compared to traditional dictionary approaches. The findings show that sentiment scores generated by GPT-4 and finBERT significantly predict future breaches, with a more negative tone associated with a lower likelihood of being breached. This suggests that firms using more cautious language around cybersecurity risks may be more proactive in managing those risks. However, it remains difficult to discern whether firms systematically adjust the tone of their 10-K fillings following their own breach incidents. When examining peer effects, evidence of sentiment spillover emerges, but only under certain models. Specifically, Llama3 and traditional dictionary-based models detect modest tone adjustments in response to competitor breaches, while GPT-4 and finBERT do not, indicating that spillover effects in sentiment are subtle and model-dependent.

The third chapter investigates stock market responses to cybersecurity breaches, focusing on changes in abnormal returns, volatility, and intra-industry and inter-industry spillover effects. Empirical analysis reveals significant negative market responses, with increased volatility and decreased abnormal returns. Notably, peer firms often benefit from malicious breaches within the same industry, exhibiting higher abnormal returns and reduced volatility, suggesting competitive effects rather than contagion. These spillover effects are primarily driven by malicious breaches and are significant at the firm level than at the industry level, likely due to the presence of private firms in the dataset. Overall, the findings highlight the diverse ways in which cybersecurity breaches influence financial markets and underscore the importance of distinguishing between breach types and levels of analysis.

These essays contribute to the growing literature related to cybersecurity risks by offering novel insights into firms' behavior to cybersecurity risks, measurement, and financial market reaction.