How COSO 2013 Strengthens Cybersecurity: Reducing Breach Risks and Financial Impact

Amanuel Tadesse, Stephanie Walton, and Yiyang Zhang analyze how adopting the COSO 2013 internal control framework affects firms' cybersecurity risks. Their study, "COSO Framework Adoption and Cybersecurity Breaches," underscores the framework's advancements over the 1992 version, highlighting its stronger focus on cybersecurity, governance, and operational risk management, making it a vital tool for mitigating IT-related vulnerabilities in today's complex business landscape.

The researchers analyze a sample of 40,393 firm-year observations from 2011 to 2019, including 637 breach events, to determine if COSO 2013 adoption reduces cybersecurity breach risks. Their findings reveal that firms adopting the framework experience a lower likelihood of cybersecurity breaches, with a sustained impact observed for up to three years post-adoption. The study attributes this to the framework’s comprehensive approach, which strengthens internal controls over technology and operational risks. It also enables better identification of IT material weaknesses, reducing the probability of breaches due to undetected vulnerabilities.

Adopting the COSO 2013 framework also enhances firms' ability to assess and report IT operational risks. Firms that implement the framework are more likely to identify and disclose IT control weaknesses before a breach occurs. This proactive approach fosters greater transparency with stakeholders and mitigates the adverse effects of breach events. Interestingly, while governance factors like institutional ownership do not independently reduce breach risks, firm efficiency significantly amplifies the benefits of the framework.

The study also finds that adopting the COSO framework mitigates the market impact of cybersecurity breaches. Firms using the updated framework experience less severe financial consequences, as evidenced by smaller market return declines post-breach. This suggests that the framework not only reduces breach likelihood but also limits the severity of breaches when they occur.

Overall, the article underscores the value of the COSO 2013 framework in addressing the evolving challenges of cybersecurity. Its broad applicability across industries and integration with existing audit practices make it a vital tool for enhancing internal controls. For more detailed insights, the full article is available in the Journal of Information Systems.