Cybersecurity Contagion: Why Strong Internal Controls Matter for Nonbreached Firms

When a company suffers a cybersecurity breach, the consequences often reach far beyond its own firewall. The article The Role of Internal Controls in Reducing Cybersecurity Contagion Effects by Kelton and Yang (2024) reveals that even nonbreached firms in the same industry, so-called "bystander firms", can suffer significant stock market losses following a peer's cyber incident. This phenomenon, known as the cybersecurity contagion effect, should be on the radar of every internal auditor.

The study shows that not all bystander firms are equally affected. Firms that reported accounting losses in the previous year are particularly vulnerable. Investors tend to apply a “loss heuristic,” assuming that firms already perceived as financially weaker are more likely to be hit next. This triggers a stronger negative market reaction when a peer in the industry is breached – despite the firm itself having suffered no incident.

Here’s where internal controls come into play. Kelton and Yang provide compelling evidence that strong internal control quality—defined as the absence of material weaknesses—can significantly cushion these contagion effects, especially for loss firms. For internal auditors, this finding reinforces the strategic value of robust internal control systems beyond compliance or financial reporting.

This is more than a technical detail. In an environment of increasing cybersecurity threats and heightened investor sensitivity, the perception of internal control effectiveness can shape how markets react under uncertainty. Auditors must therefore ensure not only that controls are well designed and implemented but also that management communicates their effectiveness transparently and credibly.

The authors also point to a rising regulatory awareness. The U.S. SEC’s recent enforcement actions and guidance highlight how internal control failures, even outside traditional financial systems, can have regulatory consequences. For internal auditors, this expands the scope of ICFR assessments to include cybersecurity considerations, particularly where systems process sensitive data or control critical infrastructure.

Ultimately, this research strengthens the case for internal auditors to adopt a broader perspective when assessing control environments. It's no longer just about detecting control deficiencies; it's about understanding how internal controls shape stakeholder perceptions, protect firm value, and reduce systemic exposure in an interconnected risk landscape. For loss-making firms in particular, strengthening internal controls may be the most effective way to avoid becoming the next victim of both a cyberattack and its contagion.

For further insights, you can find the complete article here.