Preprint
Article

This version is not peer-reviewed.

Do Auditors Consider Cybersecurity Insurance in Pricing Audits?

Submitted: 22 January 2026

Posted: 26 January 2026


Abstract
Prior research has shown that security breaches are associated with an increase in auditor fees (Smith, Higgs, and Pinsker, 2019). Auditors serve an important role in external governance with respect to a firm’s overall risk management protocol. Cybersecurity insurance provides financial protection against unexpected security breaches, helping businesses manage risk that could otherwise lead to significant financial hardship. Our study examines the role cybersecurity insurance plays in mitigating the breach risk audit fee premium. Using a sample of firms from 2008-2018, we explore how auditors view audit risk related to breach risk and whether cybersecurity insurance mitigates this risk premium. Our evidence suggests that the purchase of cyber insurance results in higher audit fees, but that coupling cyber risk oversight within the audit committee with the acquisition of cyber insurance reduces auditors’ perceptions of risk in post breach periods. These results should provide guidance to firms and regulators as they seek to address and mitigate the business risks associated with information technology.

1. Introduction

Gründl, Guxha, Kartasheva, and Schmeiser (2021, p. 868) characterize cybersecurity risk as a “low frequency/high severity” risk, while Gatzert, Schmit and Kolb (2016) note that cybersecurity insurance has typically been bundled with coverage for crisis management costs. Recent research has found that firms with higher cybersecurity risk are more likely to implement cyber risk management and that, for banks and insurers, this is seen by investors and impounded into (increased) firm value (Gatzert and Schubert, 2022). This leads us to question whether this perceived reduction in business risk is also reflected in how auditors price firms’ audits. Gatzert and Schubert (2022, p. 727) note that “despite its costs, risk management can be valuable if it contributes to the reduction of profit volatility,” but what if some of the costs of that risk management can be offset by savings elsewhere?
A number of recent investigations have examined the determinants of audit pricing with respect to income smoothing (Chang, Ho, Liu, and Quyang 2021), corporate social responsibility (Du, Xu, and Yu 2020), and the types of equity compensation paid to audit committee members (Shrader and Sun 2019), among others. We expand this line of inquiry further by investigating whether an association exists between the mitigation of client business risk and audit fees. Specifically, do auditors factor client cybersecurity insurance into the pricing of audits?
The increase in data breach incidents around the world has raised concerns about how organizations can protect proprietary information and maintain the integrity of databases. The existence of cybersecurity risk requires that managers decide on the type of risk profile they are comfortable with. According to Mukhopadhyay et al. (2013, p. 11), cyber-risk is defined as “the risk involved with a malicious electronic event that causes disruption of business and monetary loss.” In response, risk management systems aim to assess risks and take steps to reduce risk to an acceptable level (Guttman and Roback, 1995). The primary generic framework for risk management in the U.S. comes from the Committee of Sponsoring Organizations of the Treadway Commission [COSO]. Since 2004, COSO has placed an emphasis on promoting Enterprise Risk Management [ERM]. In September 2017, COSO issued the 2017 COSO ERM Framework, entitled Enterprise Risk Management – Integrating with Strategy and Performance. Even though this framework does not target cyber risk specifically, it can aid organizations in assessing and managing cyber risk.
The risk of data breach incidents has become more complex and more common in today’s interconnected business environment. For example, on September 7, 2017, Equifax reported a cybersecurity incident where consumer records from a number of databases were stolen. The information stolen primarily included names, Social Security numbers, birth dates, addresses and, in some instances, the driver’s license numbers of 143 million U.S. consumers. On July 23, 2019, Equifax agreed to pay up to $700 million to settle with the Federal Trade Commission. To date, this settlement is the largest for a data breach incident.
Risk management can be decomposed into two primary activities: risk assessment and risk mitigation (Guttman and Roback, 1995). In the assessment of risk, managers identify risks based on the organization’s infrastructure. Once threats and risks are identified, managers can ignore, mitigate, transfer, or retain the risk (Vacca, 2012). Risk mitigation involves the selection and implementation of security controls to reduce risk to a level acceptable to management. Even when businesses try to control risk by investing in cybersecurity measures and systems, some risk remains, referred to as residual risk. Organizations may transfer risk by purchasing specialized insurance. Indeed, Shackelford (2012) argues that the best approach in addressing cyber risk is to address the problem technologically where possible, and to buy insurance for those things you cannot control (such as residual risk) because insurance provides the organization with financial security against risk and uncertainty by helping it to reduce the potential for financial loss (Mukhopadhyay et al. 2013).
The expected loss from association with a risky client increases the auditor’s business risk. Studies have shown that audit firms consider business risk in pricing audits (Brumfield, Elliott, and Jacobson 1983; Bell, Landsman, and Shackelford 2001) and that audit firms charge higher audit fees to firms involved in controversial activities (Lyon and Maher 2005; Koh and Tong 2013). Biener, Eling, and Wirfs (2015) show, however, that the distribution of cyber risk differs significantly from the distribution of other types of operational risk, and Smith, Higgs, and Pinsker (2018) find evidence that breaches are associated with increases in audit fees. Other than fees, “…public accounting firms have a simple strategy to reduce their legal losses. By avoiding engagements with clients likely to fail or otherwise fall from grace with the capital markets” (Sellers, Fogerty, and Jadallah 2020). In this study we extend prior research by investigating the association between cybersecurity liability and audit fees. This study also contributes to the literature on the usefulness of disclosing material cybersecurity risks, specifically related to insurance coverage. Third, this study contributes to the disclosure literature by inspecting whether the voluntary disclosure of insurance mitigates the incidence of breaches in future periods. Lastly, we explore the effect on audit fees of audit committees that charge their members with specific oversight duties on privacy and data security risk.

2. Literature Review and Hypothesis Development

Today one of the fastest growing threats to any organization is cyber risk. The Risk Based Security report notes that the year 2018 had the second highest number of breaches and exposed records ever, with 6,515 breaches and over 5 billion records exposed. Clearly, the increase in the number of cyber incidents and its impact on companies is a concern for managers. According to the annual Cost of a Data Breach Report by the Ponemon Institute and IBM (2019), the average total cost of a data breach in the U.S. has grown from $3.54 million in 2006 to $8.19 million in 2019. Studies have shown that cyber incidents can also invoke other threats such as business interruption, and reputation and brand damage (Allianz 2015; Camillo 2017; Xie, Lee and Eling 2019).
Prior studies have explored the effect of cyber-attacks on a variety of issues. Ettredge and Richardson (2003) use a sample of internet firms subject to hacker attacks and find a negative market reaction to those firms when compared to similar firms that were not attacked. Cavusoglu, Mishra, and Raghunathan (2004) and Kannan, Rees, and Sridhar (2007) find that the announcement of an Internet security breach is negatively associated with firm value. A recent paper by Amir, Levi, and Livne (2018) finds a severe negative market reaction to undisclosed cyber-attacks and a small negative effect for disclosed cyber-attacks. Indeed, studies have demonstrated a negative market reaction to cyber incidents when these events are revealed.
There has been considerable interest from the public related to companies’ protection of customer data, and several states in the U.S. have passed laws that regulate data protection. The state of California, for example, made six amendments to the California Consumer Privacy Act on October 13, 2019. In spirit, those amendments will regulate how businesses retain and use electronic consumer data and will provide the authority to penalize companies for data breaches. Prior to the amendments, the law required only that companies disclose any breach that might impact California residents.
In 2005 the Securities and Exchange Commission (SEC) required that most public companies disclose risk factors annually (SEC 2005). On February 21, 2018, the SEC released guidance on public disclosure requirements on cybersecurity risk. According to this guidance, “companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity” (pages 6-7). In addition, the guidance recommends that companies disclose the costs associated with maintaining cybersecurity protections (insurance coverage, payments for services, etc.) (SEC 2018).
A number of studies have explored the disclosure of cybersecurity activities (Gordon, Loeb, Lucyshyn, and Sohail 2006; Wang, Kannan, and Ulmer 2013; Campbell et al. 2014; Li, No, and Wang 2018). Gordon et al. (2006) find that after Sarbanes-Oxley, there is an increase in voluntary disclosure of information security activities. Contrary to the belief that risk factor disclosures are boilerplate, Campbell et al. (2014) find that managers’ risk factor disclosures provide useful information that investors incorporate into firm valuation. Furthermore, managers disclose more risk factors and dedicate a greater portion of their disclosures to these factors when risks are higher and more significant. More recently, Li et al. (2018) find that cybersecurity risk disclosures are not boilerplate. The SEC’s 2018 disclosure rule has, however, also led to an increase in firms’ cybersecurity risk disclosures regardless of the degree of cybersecurity risk.
Since companies are not immune to cyber risks, businesses might use cyber insurance to mitigate potential losses. Such coverage is not new. Majuca, Yurcik, and Kesan (2006) mark 1998 as the year when cyber insurance was first introduced. Today cyber insurance products have become more complex due to the increase in regulation and more sophisticated threats. At the high end, these products cover claims arising from internet content, internet security, technology errors, and omissions (Mukhopadhyay et al. 2013).
The purchase of cyber insurance provides risk mitigation for companies. According to Kesan, Majuca, and Yurcik (2005), firms that have recently acquired cyber insurance have identified the transfer of risk, monitoring, fast action against threats, and protection against hacking as advantages of cyber insurance products. Cyber insurance policies may also include first-party and third-party exposure. The first party covers against data destruction, theft, hacking, and extortion. The third-party insurance provides coverage for businesses that are responsible for clients’ online security against errors or omissions that arise out of the professional service. According to Aon’s U.S. Cyber Market Update (2019), there are a total of 184 insurers that reported cyber insurance premiums in 2017 and, in 2018, cyber insurance premiums totaled over $2 billion.
Smith et al. (2018) examine whether auditors consider breach risk in their assessment of business risk. Their results show that breaches are associated with an increase in audit fees. In addition, they find evidence that the presence of board-level risk committees mitigates the breach risk and audit fee premium. This leads us to question whether auditors adjust their business risk assessments when client firms purchase cyber insurance products. Although we expect a relation between cyber insurance and audit fees, the direction of that relation is not clear. For instance, Li et al. (2018) document that the disclosure of cyber risk factors is related to future reported cybersecurity incidents. The voluntary disclosure of the purchase of cyber insurance could thus be indicative of a firm’s increased risk and be associated with higher audit fees.
On the other hand, Biener et al. (2015, p.145) note that insurers demand assessments of cyber risk prior to offering coverage and these assessments “may have positive and valuable side-effects in that it may increase company awareness of cyber risk, potentially increasing self-protective efforts.” Indeed, Majuca et al. (2006) conclude that cyber insurance can result in higher security investment by increasing the level of safety for information technology (IT) infrastructure, thus the disclosure of cyber insurance and its risk mitigation could be associated with lower audit fees. Given the above, our first hypothesis regarding an association between cyber insurance and audit fees is non-directional. Similarly, since the auditor, by examining transactions, will be aware of any cyber insurance whether it has been publicly disclosed or not, any association with audit fees will not be dependent on disclosure prior to a breach. Thus, our second hypothesis predicts that any association of audit fees with cyber insurance will not be dependent on disclosure prior to a breach. In null form these hypotheses are:
H1: The disclosure of cyber insurance is not associated with audit fees.
H2: The disclosure of existing cyber insurance after a reported cybersecurity incident is not associated with audit fees.
While the purchase of cyber insurance may be associated with a higher risk profile, it might also convey a company’s commitment to cybersecurity (Majuca et al. 2006, Biener et al. 2015). As a result, firms that purchase cyber insurance may or may not be subject to more cybersecurity incidents in the future. Thus, our third hypothesis is also non-directional.
H3: The purchase of cyber insurance is not associated with the likelihood of subsequently reported cybersecurity incidents.
A growing number of companies are revising their audit committee charters to reflect the audit committee’s cybersecurity oversight responsibilities. According to KPMG’s 2015 Global Audit Committee Survey, 43% of companies assign the greatest responsibility for cybersecurity risk to the audit committee. Higgs et al. (2016) find that the existence of a technology committee mitigates the negative abnormal stock return associated with a breach, and Smith et al. (2018) find that when firms’ audit committees are more active around the report of a breach, the firms experience lower audit fees. This leads us to propose the following hypothesis:
H4: Audit committee charter provisions regarding cybersecurity oversight will be associated with lower audit fees.

3. Method

3.1. Sample

Our sample covers the period 2008-2018. We obtain the sample from the intersection of the Audit Analytics and Compustat databases. Table 1 presents the sample selection process. We exclude 11,558 firm-years with missing audit fee and audit opinion data, and 706 firm-years missing data required to estimate our regression models. This results in a total sample of 61,227 firm-years.
We identify our sample of firms that disclose the purchase of cybersecurity insurance from Thomson-Reuters Eikon, annual, interim, proxy & information, SEC U.S. registrations and press documents. We used the following keywords in our search: “Cyber Security Liability” and “Cyber Security Insurance.” This procedure yields a sample of 400 unique firms, with the first disclosure made on December 12, 2008 and the last on December 30, 2018. Merging the firms with insurance disclosure with our full sample yields 341 unique firms (1,043 firm year observations) that have indicated the presence of a cyber insurance policy. Table 2 presents the sample distribution of first-time disclosures. The increase in the number of firms disclosing the presence of a cyber insurance policy for the first time could be explained by the new SEC disclosure requirements on cybersecurity risk.

3.2. Models

We include determinants of audit fees identified in prior literature. We control for financial condition, audit complexity, audit risk, and financial distress. We use the natural log of total assets (LNASSETS) as a proxy for firm size to control for firm characteristics. We include Zmijewski’s (1984) financial distress score (DISTRESS), the ratio of current assets to current liabilities (CR), an indicator variable set equal to 1 if the firm had negative operating income (LOSS), the return-on-assets (ROA), and the ratio of long-term debt to total assets (LEVERAGE) to control for financial condition.
To account for audit complexity, we include the square root of number of segments (SEGMENTS), an indicator variable set equal to 1 if the firm reported foreign earnings (FOREIGN), and book value of equity divided by market value of equity (BTM). To control for the impact of auditor expertise we include auditor specialist (SPECIALIST). We also include an indicator variable set to 1 if the company has a fiscal year-end in December (YE). We include an indicator variable set to 1 if the auditor is among the Big 4 (BIG4), and an indicator set to 1 if the company changed auditors during the year (CHANGE).
We also include variables to account for audit risk factors: the natural log of the number of days from the end of the fiscal year to the audit report date (DELAY), an indicator variable set to 1 if the firm reported a restatement (RESTATE), an indicator variable set to 1 if the company’s internal controls were found to be inadequate (IC), and an indicator variable set to 1 if the audit opinion includes a going concern modification (GC). To control for inherent risk, we use the ratio formed by the sum of inventory and receivables divided by total assets (INVREC).
We investigate the association between cybersecurity insurance and audit fees by estimating the following:
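$$
\begin{aligned}
\mathit{LNAUDITFEES} ={}& \beta_0 + \beta_1 \mathit{CYBER\_INSURANCE}_{it} + \beta_2 \mathit{TECHNOLOGY}_{it} + \beta_3 \mathit{RISK}_{it} + \beta_4 \mathit{COMPLIANCE}_{it} \\
&+ \beta_5 \mathit{BREACH}_{it-1} + \beta_6 \mathit{LNASSETS}_{it} + \beta_7 \mathit{DISTRESS}_{it} + \beta_8 \mathit{INVRECV}_{it} + \beta_9 \mathit{LEVERAGE} \\
&+ \beta_{10} \mathit{ROA}_{it} + \beta_{11} \mathit{SEGMENTS}_{it} + \beta_{12} \mathit{GC}_{it} + \beta_{13} \mathit{LOSS}_{it} + \beta_{14} \mathit{FOREIGN}_{it} \\
&+ \beta_{15} \mathit{YE}_{it} + \beta_{16} \mathit{CHANGE}_{it} + \beta_{17} \mathit{BIG4}_{it} + \beta_{18} \mathit{IC}_{it} + \beta_{19} \mathit{SPECIALIST}_{it} \\
&+ \beta_{20} \mathit{CR}_{it} + \beta_{21} \mathit{BTM}_{it} + \beta_{22} \mathit{RESTATE}_{it} + \beta_{23} \mathit{DELAY}_{it} + \varepsilon_{it}
\end{aligned}
$$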
where:
LNAUDITFEES: is the natural log of audit fees;
CYBER_INSURANCE: is set equal to 1 if the firm discloses the presence of a cyber-insurance policy in fiscal year t, and 0 otherwise;
RISK: is set equal to 1 if the company discloses the presence of a “Risk” committee in their proxy statement for the current year, and 0 otherwise;
TECHNOLOGY: is set equal to 1 if the company discloses the presence of a “Technology” committee in their proxy statement for the current year, and 0 otherwise;
COMPLIANCE: is set equal to 1 if the company discloses the presence of a “Compliance” committee in their proxy statement for the current year, and 0 otherwise;
BREACH: is set equal to 1 if the company announces a breach disclosed on privacyrights.org during the last fiscal year, and 0 otherwise;
AUDIT_CYBER_OVERSIGHT: is set equal to 1 if the company’s audit committee charter provides a provision regarding cybersecurity oversight, and 0 otherwise;
LNASSETS: is the natural log of total assets;
DISTRESS: Zmijewski’s (1984) financial distress score;
RESTATE: is set equal to 1 if the firm reports a restatement during the current year, and 0 otherwise;
INVRECV: is the ratio of receivables and inventory to total assets;
LEVERAGE: is the ratio of long-term debt to total assets;
ROA: is the ratio of earnings before interest and taxes to total assets;
SEGMENTS: is the square root of the number of business segments;
GC: is set equal to 1 if the firm received a going concern audit report during the current year, and 0 otherwise;
LOSS: is set equal to 1 if the firm reports negative income before extraordinary items, and 0 otherwise;
FOREIGN: is set equal to 1 if the firm reports foreign earnings, and 0 otherwise;
YE: is set equal to 1 if the firm uses calendar year-end reporting, and 0 otherwise;
CHANGE: is set equal to 1 if the firm changed auditors during the year, and 0 otherwise;
BIG4: is set equal to 1 if the auditor is a Big 4 auditor, and 0 otherwise;
IC: is set equal to 1 if the company’s internal controls were found to be inadequate, and 0 otherwise;
SPECIALIST: is the sum of the square root of the total assets of the clients of an auditor in a specific industry divided by the total sum of the square root of the total assets of all clients of the auditor;
CR: is the ratio of current assets to current liabilities;
BTM: is the book value of equity divided by market value of equity;
DELAY: is the natural log of the number of days from the fiscal year-end to the audit report date; and
BREACHt-1: is set equal to 1 if the company announces a breach disclosed on privacyrights.org in the previous fiscal year, and 0 otherwise.
We add interaction terms to the model to test for differences between the pre and post breach periods (H2). If disclosing the presence of a cyber-insurance policy results in a decrease in audit fees, we expect the coefficient on the interaction term to be negative (CYBER_INSURANCE * POST_BREACH).
POST_BREACH: is equal to 1 if the firm observation is after a data breach, 0 otherwise;
CYBER_INSURANCE * POST_BREACH: is the interaction of CYBER_INSURANCE and POST_BREACH.
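$$
\begin{aligned}
\mathit{LNAUDITFEES} ={}& \delta_0 + \delta_1 \mathit{CYBER\_INSURANCE}_{it} + \delta_2 \mathit{POST\_BREACH}_{it} + \delta_3 \mathit{CYBER\_INSURANCE} * \mathit{POST\_BREACH}_{it} \\
&+ \delta_4 \mathit{TECHNOLOGY}_{it} + \delta_5 \mathit{RISK}_{it} + \delta_6 \mathit{COMPLIANCE}_{it} + \delta_7 \mathit{BREACH}_{it-1} + \delta_8 \mathit{LNASSETS}_{it} \\
&+ \delta_9 \mathit{DISTRESS}_{it} + \delta_{10} \mathit{INVRECV}_{it} + \delta_{11} \mathit{LEVERAGE} + \delta_{12} \mathit{ROA}_{it} + \delta_{13} \mathit{SEGMENTS}_{it} \\
&+ \delta_{14} \mathit{GC}_{it} + \delta_{15} \mathit{LOSS}_{it} + \delta_{16} \mathit{FOREIGN}_{it} + \delta_{17} \mathit{YE}_{it} + \delta_{18} \mathit{CHANGE}_{it} + \delta_{19} \mathit{BIG4}_{it} \\
&+ \delta_{20} \mathit{IC}_{it} + \delta_{21} \mathit{SPECIALIST}_{it} + \delta_{22} \mathit{CR}_{it} + \delta_{23} \mathit{BTM}_{it} + \delta_{24} \mathit{RESTATE}_{it} \\
&+ \delta_{25} \mathit{DELAY}_{it} + \delta_{26} \mathit{LAMBDA}_{it} + \varepsilon_{it}
\end{aligned}
$$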
To test H3, we employ a logit model to predict whether the presence of cyber insurance reduces the likelihood that a firm experiences a data breach. Our test model is:
$$
\begin{aligned}
\mathit{BREACH}_{t+1} ={}& \alpha_0 + \alpha_1 \mathit{CYBER\_INSURANCE}_{it} + \alpha_2 \mathit{TECHNOLOGY}_{it} + \alpha_3 \mathit{RISK}_{it} + \alpha_4 \mathit{COMPLIANCE}_{it} \\
&+ \alpha_5 \mathit{BREACH}_{it-1} + \alpha_6 \mathit{LNASSETS}_{it} + \alpha_7 \mathit{LOSS}_{it} + \alpha_8 \mathit{LEVERAGE} \\
&+ \alpha_9 \mathit{INTANGIBLES}_{it} + \alpha_{10} \mathit{SEGMENTS}_{it} + \varepsilon_{it}
\end{aligned}
$$
BREACHt+1: is set equal to 1 if the company announces a breach disclosed on privacyrights.org in the next fiscal year, and 0 otherwise;
MERGER: is set equal to 1 if the company is involved in merger activity in the fiscal year t, and 0 otherwise;
GROWTH: is the one-year growth rate in sales in fiscal year t.
The disclosure of the purchase of a cyber insurance policy represents a selection made by the organization; therefore, self-selection bias may be a concern in this study. To address this concern, we follow the Heckman (1979) two-stage approach. To determine the cyber insurance prediction model, we employ a model similar to that in Higgs et al. (2016) and Smith, Higgs, and Pinsker (2018). The model is related to the likelihood of a firm reporting a data breach, which would likely increase the probability a firm would purchase cyber-insurance. The cyber insurance prediction model is:
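$$
\begin{aligned}
\mathrm{Prob}(\mathit{CYBER\_INSURANCE} = 1) ={}& \gamma_0 + \gamma_1 \mathit{INTANGIBLES}_{it} + \gamma_2 \mathit{TECHNOLOGY}_{it} + \gamma_3 \mathit{RISK}_{it} + \gamma_4 \mathit{COMPLIANCE}_{it} \\
&+ \gamma_5 \mathit{BREACH}_{it-1} + \gamma_6 \mathit{LNASSETS}_{it} + \gamma_7 \mathit{DISTRESS}_{it} + \gamma_8 \mathit{INVRECV}_{it} + \gamma_9 \mathit{LEVERAGE} \\
&+ \gamma_{10} \mathit{ROA}_{it} + \gamma_{11} \mathit{SEGMENTS}_{it} + \gamma_{12} \mathit{GC}_{it} + \gamma_{13} \mathit{LOSS}_{it} + \gamma_{14} \mathit{FOREIGN}_{it} \\
&+ \gamma_{15} \mathit{YE}_{it} + \gamma_{16} \mathit{CHANGE}_{it} + \gamma_{17} \mathit{BIG4}_{it} + \gamma_{18} \mathit{IC}_{it} + \gamma_{19} \mathit{SPECIALIST}_{it} \\
&+ \gamma_{20} \mathit{CR}_{it} + \gamma_{21} \mathit{BTM}_{it} + \gamma_{22} \mathit{RESTATE}_{it} + \gamma_{23} \mathit{DELAY}_{it} + \varepsilon_{it}
\end{aligned}
$$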
where:
INTANGIBLES: is the natural log of (1+ total intangible assets), measured at the beginning of the year.
Since the Heckman selection model requires the identification of an exogenous independent variable, we follow Smith et al. (2018) and use the natural log of 1 plus total intangible assets (INTANGIBLES) in the first-stage model. We exclude this variable from the second-stage model and include a vector of the same control variables included in Equation (1).
We also conduct propensity score matching to control for observation differences between firms with and without cyber insurance. We obtain the predicted probabilities from the first stage logistic model from Equation (4). We match one-to-one without replacement. This results in 1,043 matched pairs (2,086 total observations). The comparison of variable means for the matched pairs is presented in Table 7.
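The matching step described above can be sketched as follows. This is an added example, not the authors' code: the paper states only that matching is one-to-one without replacement, so the greedy nearest-neighbour rule, the optional caliper, the balance statistic and the constructed firm records are all assumptions made here.

```python
# Added example, not the authors' code: one-to-one propensity score matching
# without replacement, plus a covariate balance check on the matched sample.
# Assumed here: greedy nearest-neighbour matching, the optional caliper, and
# the constructed firm records below.
from statistics import mean, stdev

# Constructed records: (firm_id, CYBER_INSURANCE, propensity score, LNASSETS).
# The score stands in for the first-stage predicted probability.
FIRMS = [
    ("T1", 1, 0.62, 8.1),
    ("T2", 1, 0.35, 6.9),
    ("T3", 1, 0.90, 9.4),
    ("C1", 0, 0.60, 8.0),
    ("C2", 0, 0.33, 6.7),
    ("C3", 0, 0.58, 7.9),
    ("C4", 0, 0.05, 4.2),
    ("C5", 0, 0.10, 5.0),
]


def match_without_replacement(firms, caliper=None):
    """Pair each insured firm with the closest unused uninsured firm.

    Returns a list of (treated_record, control_record) tuples. With a caliper,
    an insured firm whose nearest control is further away than the caliper is
    left unmatched and drops out of the matched sample.
    """
    treated = [f for f in firms if f[1] == 1]
    pool = [f for f in firms if f[1] == 0]
    pairs = []
    # Highest scores first: those firms have the fewest comparable controls.
    for t in sorted(treated, key=lambda f: f[2], reverse=True):
        if not pool:
            break
        # Ties on distance are broken by firm_id so the result is reproducible.
        best = min(pool, key=lambda c: (abs(c[2] - t[2]), c[0]))
        if caliper is not None and abs(best[2] - t[2]) > caliper:
            continue
        pairs.append((t, best))
        pool.remove(best)  # without replacement: a control is used only once
    return pairs


def pair_ids(pairs):
    """Reduce matched records to (treated_id, control_id) tuples."""
    return [(t[0], c[0]) for t, c in pairs]


def standardized_mean_difference(treated_vals, control_vals):
    """Difference in means scaled by the pooled standard deviation."""
    pooled_sd = ((stdev(treated_vals) ** 2 + stdev(control_vals) ** 2) / 2) ** 0.5
    return (mean(treated_vals) - mean(control_vals)) / pooled_sd


def lnassets_balance(pairs):
    """Balance of LNASSETS across the two sides of a matched sample."""
    return standardized_mean_difference(
        [t[3] for t, _ in pairs], [c[3] for _, c in pairs]
    )


def unmatched_balance(firms):
    """Balance of LNASSETS in the full, unmatched sample."""
    return standardized_mean_difference(
        [f[3] for f in firms if f[1] == 1], [f[3] for f in firms if f[1] == 0]
    )


if __name__ == "__main__":
    greedy = match_without_replacement(FIRMS)
    tight = match_without_replacement(FIRMS, caliper=0.05)
    print("no caliper :", pair_ids(greedy), round(lnassets_balance(greedy), 3))
    print("caliper .05:", pair_ids(tight), round(lnassets_balance(tight), 3))
    print("unmatched  :", round(unmatched_balance(FIRMS), 3))
```

In the constructed data, the highest-score insured firm takes the control that another insured firm matches best when no caliper is set; with the caliper it is dropped instead, which shrinks the matched sample and tightens balance.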
To test H4 we use equation 2 and include the AUDITCOMMITTEECYBEROVER variable. This variable is an indicator variable which equals 1 for those instances where the charter of the audit committee includes cybersecurity oversight duties.

4. Results

Table 3 provides descriptive statistics for the key variables used in the audit fee test. All variables are winsorized at the 1st and 99th percentiles. The mean (median) audit fee for the sample is $2,200,000 ($730,000). Approximately 2 percent of the firms make a cyber-insurance policy disclosure (CYBER_INSURANCE). On average 0.5 percent of our sample firms experience a data breach incident (BREACH). The mean (median) size is 5.99 (6.33). Of the total sample, 5 percent of the firms have a risk committee (RISK). We find that 40.4 percent of the firm year observations report losses (LOSS). We also observe that 61 percent of the firm year observations are audited by Big 4 accounting firms (BIG4). Overall, about 11% of the sample reported a going concern (GC) opinion. The average book to market ratio is 0.414.
Table 4 reports the correlation coefficients for the variables used in the main model. We note that LNAUDITFEES is correlated with CYBER_INSURANCE, suggesting a positive relation. This correlation provides univariate support for the auditor increasing fees in response to the disclosure of cybersecurity insurance in the current year. We note that three of the independent variables (INTANGIBLES, LNASSETS, and BIG4) are highly correlated (correlation > 0.5) with LNAUDITFEES, indicating possible collinearity issues. It is not unexpected that the size of a firm (LNASSETS) is correlated with higher audit fees. It is also not surprising that hiring a BIG4 is correlated with higher audit fees. Given that intangibles are often hard to valuate, it is not surprising that a higher level of intangibles is correlated with higher audit fees. To check if this leads to problems of multicollinearity, we next calculate variance inflation factors (VIF) for the variables used in the regression model, the highest of which is 4.42. Values under five suggest moderate multicollinearity, which may not be problematic. These results serve to ease concerns over severe multicollinearity adversely impacting our inferences.
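Table 4. Panel B: Correlation Variables GC to LAMBDA.

| Variables | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 14 GC | 1.00 | | | | | | | | | | | | |
| 15 LOSS | 0.40 | 1.00 | | | | | | | | | | | |
| 16 FOREIGN | -0.09 | -0.03 | 1.00 | | | | | | | | | | |
| 17 YE | -0.06 | 0.00 | -0.03 | 1.00 | | | | | | | | | |
| 18 CHANGE | 0.13 | 0.09 | -0.05 | -0.02 | 1.00 | | | | | | | | |
| 19 BIG4 | -0.34 | -0.23 | 0.23 | 0.09 | -0.22 | 1.00 | | | | | | | |
| 20 IC | -0.01 | 0.03 | 0.04 | 0.00 | 0.03 | 0.02 | 1.00 | | | | | | |
| 21 SPECIALIST | 0.26 | 0.15 | -0.11 | -0.09 | 0.19 | -0.46 | 0.00 | 1.00 | | | | | |
| 22 CR | -0.10 | 0.13 | 0.07 | -0.04 | 0.00 | -0.01 | 0.00 | 0.01 | 1.00 | | | | |
| 23 BTM | -0.34 | -0.22 | -0.02 | 0.05 | -0.01 | 0.02 | -0.01 | -0.07 | -0.04 | 1.00 | | | |
| 24 RESTATE | -0.01 | 0.00 | -0.03 | 0.01 | 0.02 | -0.02 | 0.02 | 0.00 | -0.02 | 0.01 | 1.00 | | |
| 25 DELAY | 0.35 | 0.29 | 0.00 | -0.03 | 0.16 | -0.36 | 0.08 | 0.24 | 0.01 | -0.06 | 0.01 | 1.00 | |
| 26 LAMBDA | 0.31 | 0.28 | 0.05 | -0.18 | 0.07 | -0.29 | -0.02 | 0.22 | 0.33 | -0.08 | -0.05 | 0.34 | 1.00 |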
The choice of a firm disclosing the presence of a cyber insurance policy introduces a possible self-selection bias into our analysis. We control for potential self-selection bias by including the Heckman variable (LAMBDA). The results of the first stage regression are presented in Table 5. We include LAMBDA in our main analysis. We estimate a significant coefficient for our exclusion variable INTANGIBLES, thus providing support for our choice. This is consistent with the results of Smith et al. (2019); in their case, they were testing the probability of a breach, whereas we are testing the probability that a firm will disclose the acquisition of cyber insurance. The area under the ROC curve of 0.882 suggests this model explains a significant amount of the variation in the disclosure of cyber insurance.
Table 6 presents the result for our test of H1 that examines the association between the presence of a cyber insurance policy and audit fees on our full sample, both with and without the LAMBDA variable. Our variable of interest is CYBER_INSURANCE. The coefficient in Column (1) Table 6 is positive and significant, which suggests that firms that disclose the presence of a cyber insurance policy pay higher audit fees. Column (2) Table 6 presents the regression with LAMBDA. After controlling for selection-bias, we find, consistent with the results presented in Column (1), a positive and significant coefficient on CYBER_INSURANCE. We also estimate a significant coefficient designed to capture the likelihood of a firm reporting cyber insurance (negative), providing additional support for the use of LAMBDA. These results reveal that the disclosure of a cyber insurance policy is associated with a 3.9% increase in audit fees.
We also control for self-selection bias by creating a matched sample based on the predicted probabilities from the first-stage regression (Table 5), a procedure known as propensity score matching (PSM), to control for differences between firms with and without the cyber insurance disclosure. The propensity score matching controls for factors related to firms choosing to disclose a cyber insurance policy and for firm performance. Table 7 presents the difference in means between the treatment and control groups. There are no significant differences between the two groups, consistent with an effective matching procedure. Our PSM results, presented in Table 8, are similar to those presented in Table 6. These results again indicate that companies with CYBER_INSURANCE pay higher audit fees (an approximately 9% premium).
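$$
\begin{aligned}
\mathit{LNAUDITFEES} ={}& \beta_0 + \beta_1 \mathit{CYBER\_INSURANCE}_{it} + \beta_2 \mathit{TECHNOLOGY}_{it} + \beta_3 \mathit{RISK}_{it} + \beta_4 \mathit{COMPLIANCE}_{it} \\
&+ \beta_5 \mathit{BREACH}_{it-1} + \beta_6 \mathit{LNASSETS}_{it} + \beta_7 \mathit{DISTRESS}_{it} + \beta_8 \mathit{INVRECV}_{it} + \beta_9 \mathit{LEVERAGE} \\
&+ \beta_{10} \mathit{ROA}_{it} + \beta_{11} \mathit{SEGMENTS}_{it} + \beta_{12} \mathit{GC}_{it} + \beta_{13} \mathit{LOSS}_{it} + \beta_{14} \mathit{FOREIGN}_{it} \\
&+ \beta_{15} \mathit{YE}_{it} + \beta_{16} \mathit{CHANGE}_{it} + \beta_{17} \mathit{BIG4}_{it} + \beta_{18} \mathit{IC}_{it} + \beta_{19} \mathit{SPECIALIST}_{it} \\
&+ \beta_{20} \mathit{CR}_{it} + \beta_{21} \mathit{BTM}_{it} + \beta_{22} \mathit{RESTATE}_{it} + \beta_{23} \mathit{DELAY}_{it} + \varepsilon_{it}
\end{aligned}
$$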
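The matching step described above, as an added example that is not the authors' code: greedy 1:1 nearest-neighbour matching on the first-stage predicted probability, followed by a Table 7-style difference in means. The caliper, matching without replacement, the processing order and every firm record are assumptions constructed for illustration; the paper does not state its matching settings.

```python
import math
from statistics import mean, variance

# Constructed firms (not the paper's data). "pscore" stands in for the
# predicted probability from the first-stage model in Table 5.
FIRMS = [
    {"id": "T1", "CYBER_INSURANCE": 1, "pscore": 0.80, "LNASSETS": 8.4},
    {"id": "T2", "CYBER_INSURANCE": 1, "pscore": 0.60, "LNASSETS": 7.9},
    {"id": "T3", "CYBER_INSURANCE": 1, "pscore": 0.40, "LNASSETS": 7.2},
    {"id": "T4", "CYBER_INSURANCE": 1, "pscore": 0.95, "LNASSETS": 9.5},
    {"id": "C1", "CYBER_INSURANCE": 0, "pscore": 0.78, "LNASSETS": 8.3},
    {"id": "C2", "CYBER_INSURANCE": 0, "pscore": 0.61, "LNASSETS": 8.0},
    {"id": "C3", "CYBER_INSURANCE": 0, "pscore": 0.37, "LNASSETS": 7.0},
    {"id": "C4", "CYBER_INSURANCE": 0, "pscore": 0.10, "LNASSETS": 4.5},
    {"id": "C5", "CYBER_INSURANCE": 0, "pscore": 0.05, "LNASSETS": 4.0},
    {"id": "C6", "CYBER_INSURANCE": 0, "pscore": 0.20, "LNASSETS": 5.5},
    {"id": "C7", "CYBER_INSURANCE": 0, "pscore": 0.58, "LNASSETS": 7.7},
]


def match_one_to_one(firms, caliper=0.05):
    """Greedy 1:1 matching without replacement (assumed settings).

    Treated firms are processed from highest to lowest propensity score.
    A treated firm with no control inside the caliper is dropped, which
    is how a matched sample ends up smaller than the treated group.
    """
    treated = sorted((f for f in firms if f["CYBER_INSURANCE"] == 1),
                     key=lambda f: -f["pscore"])
    pool = [f for f in firms if f["CYBER_INSURANCE"] == 0]
    pairs, unmatched = [], []
    for t in treated:
        best = min(pool, key=lambda c: abs(c["pscore"] - t["pscore"]),
                   default=None)
        if best is None or abs(best["pscore"] - t["pscore"]) > caliper:
            unmatched.append(t["id"])
            continue
        pool.remove(best)  # without replacement: each control is used once
        pairs.append((t, best))
    return pairs, unmatched


def welch_t(a, b):
    """Two-sample t statistic that does not assume equal variances."""
    se = math.sqrt(variance(a) / len(a) + variance(b) / len(b))
    return (mean(a) - mean(b)) / se


def balance(firms, pairs, var):
    """Difference in means (treated minus control) before and after matching."""
    groups = {
        "before": ([f[var] for f in firms if f["CYBER_INSURANCE"] == 1],
                   [f[var] for f in firms if f["CYBER_INSURANCE"] == 0]),
        "after": ([t[var] for t, _ in pairs], [c[var] for _, c in pairs]),
    }
    return {name: {"diff": mean(a) - mean(b), "t": welch_t(a, b)}
            for name, (a, b) in groups.items()}


if __name__ == "__main__":
    pairs, unmatched = match_one_to_one(FIRMS)
    for t, c in pairs:
        print(f"{t['id']} ({t['pscore']:.2f}) <-> {c['id']} ({c['pscore']:.2f})")
    print("dropped treated firms:", unmatched)
    for name, row in balance(FIRMS, pairs, "LNASSETS").items():
        print(f"{name:>6}: diff={row['diff']:.3f}  t={row['t']:.2f}")
```

In the constructed data the size gap between insured and uninsured firms shrinks after matching, which is the pattern a balance table such as Table 7 is meant to confirm.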
To test H2, whether the disclosure of an existing cyber insurance policy after a reported cybersecurity incident is associated with audit fees, we add an indicator variable, POST_BREACH. POST_BREACH is set equal to one if the observation falls in a period subsequent to the data breach; otherwise it is set equal to zero. We also include the interaction of POST_BREACH and CYBER_INSURANCE.
Our regression results for these tests are presented in Table 9. Here, the CYBER_INSURANCE and POST_BREACH variables are positively and significantly associated with audit fees. The coefficient on the interaction of CYBER_INSURANCE and POST_BREACH is, however, negative and significantly associated with lower audit fees. To determine how the disclosure of a cyber insurance policy affects audit fees in the post-breach period, we conduct a joint test of the coefficients for CYBER_INSURANCE and CYBER_INSURANCE * POST_BREACH. The joint test is negative and significant ($\delta_1 + \delta_3 = 0.156$, p-value = 0.071). This result indicates that firms disclosing a cyber insurance policy after experiencing a data breach pay lower audit fees (i.e., the auditor has a lower risk assessment relative to firms without cyber insurance). As an additional robustness check on H2, we use our matched sample firms to control for observable differences between firms with a cyber insurance policy and those without, so that our conclusions are not biased. The results of these tests are presented in Table 10. Consistent with our initial results, the coefficient on the interaction of CYBER_INSURANCE and POST_BREACH is negative, with the magnitude being nearly twice as large, and significantly associated with lower audit fees. The findings reported in Tables 9 and 10 provide robust proof for H2.
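$$
\begin{aligned}
\mathit{LNAUDITFEES} ={}& \delta_0 + \delta_1 \mathit{CYBER\_INSURANCE}_{it} + \delta_2 \mathit{POST\_BREACH}_{it} + \delta_3 \mathit{CYBER\_INSURANCE} \times \mathit{POST\_BREACH}_{it} \\
&+ \delta_4 \mathit{TECHNOLOGY}_{it} + \delta_5 \mathit{RISK}_{it} + \delta_6 \mathit{COMPLIANCE}_{it} + \delta_7 \mathit{BREACH}_{it-1} + \delta_8 \mathit{LNASSETS}_{it} \\
&+ \delta_9 \mathit{DISTRESS}_{it} + \delta_{10} \mathit{INVRECV}_{it} + \delta_{11} \mathit{LEVERAGE} + \delta_{12} \mathit{ROA}_{it} + \delta_{13} \mathit{SEGMENTS}_{it} \\
&+ \delta_{14} \mathit{GC}_{it} + \delta_{15} \mathit{LOSS}_{it} + \delta_{16} \mathit{FOREIGN}_{it} + \delta_{17} \mathit{YE}_{it} + \delta_{18} \mathit{CHANGE}_{it} + \delta_{19} \mathit{BIG4}_{it} \\
&+ \delta_{20} \mathit{IC}_{it} + \delta_{21} \mathit{SPECIALIST}_{it} + \delta_{22} \mathit{CR}_{it} + \delta_{23} \mathit{BTM}_{it} + \delta_{24} \mathit{RESTATE}_{it} \\
&+ \delta_{25} \mathit{DELAY}_{it} + \delta_{26} \mathit{LAMBDA}_{it} + \varepsilon_{it}
\end{aligned}
$$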
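What the joint test in the H2 specification above measures, as an added example that is not the authors' code: OLS on only the two indicators and their interaction, then the estimate, standard error and t statistic of the linear combination of the CYBER_INSURANCE and interaction coefficients. The observations are constructed, and the control variables, year and industry indicators and LAMBDA are left out (assumption), so the coefficients reduce to differences of cell means.

```python
import math

# Constructed firm-year observations (not the paper's data):
# (CYBER_INSURANCE, POST_BREACH, LNAUDITFEES)
OBS = [
    (0, 0, 13.0), (0, 0, 13.2), (0, 0, 13.4),
    (1, 0, 13.3), (1, 0, 13.5), (1, 0, 13.7),
    (0, 1, 13.5), (0, 1, 13.7), (0, 1, 13.9),
    (1, 1, 13.4), (1, 1, 13.6), (1, 1, 13.8),
]


def invert(matrix):
    """Gauss-Jordan inverse with partial pivoting; raises if X'X is singular."""
    n = len(matrix)
    aug = [list(map(float, row)) + [float(i == j) for j in range(n)]
           for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular design matrix: a regressor has no "
                             "independent variation (empty cell?)")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = aug[col][col]
        aug[col] = [v / scale for v in aug[col]]
        for r in range(n):
            if r != col:
                factor = aug[r][col]
                aug[r] = [v - factor * w for v, w in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def ols(rows, y):
    """Return OLS coefficients and their (homoskedastic) covariance matrix."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * v for r, v in zip(rows, y)) for i in range(k)]
    inv = invert(xtx)
    beta = [sum(inv[i][j] * xty[j] for j in range(k)) for i in range(k)]
    resid = [v - sum(b * x for b, x in zip(beta, r)) for r, v in zip(rows, y)]
    s2 = sum(e * e for e in resid) / (len(rows) - k)  # residual variance
    cov = [[s2 * inv[i][j] for j in range(k)] for i in range(k)]
    return beta, cov


def linear_combination(beta, cov, weights):
    """Estimate, standard error and t statistic of weights' * beta."""
    k = len(beta)
    est = sum(w * b for w, b in zip(weights, beta))
    var = sum(weights[i] * cov[i][j] * weights[j]
              for i in range(k) for j in range(k))
    se = math.sqrt(var)
    return est, se, est / se


def post_breach_insurance_effect(obs):
    """Fit the three-regressor model and test delta1 + delta3."""
    rows = [[1.0, ins, post, ins * post] for ins, post, _ in obs]
    y = [fee for _, _, fee in obs]
    beta, cov = ols(rows, y)
    # Weights pick delta1 (CYBER_INSURANCE) and delta3 (the interaction): the
    # insured-versus-uninsured gap in log fees once POST_BREACH equals one.
    est, se, t = linear_combination(beta, cov, [0, 1, 0, 1])
    return {"delta": beta, "joint": est, "se": se, "t": t,
            "pct_change": math.exp(est) - 1}  # log points to proportional change


if __name__ == "__main__":
    result = post_breach_insurance_effect(OBS)
    print("delta0..delta3:", [round(b, 3) for b in result["delta"]])
    print("delta1 + delta3 = %.3f (se %.3f, t %.2f)"
          % (result["joint"], result["se"], result["t"]))
    print("implied fee change: %.1f%%" % (100 * result["pct_change"]))
```

Because the standard error uses the covariance between the two coefficients, the joint test can be significant or insignificant independently of the individual coefficient tests.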
Next, we examine the association between cyber security and future breaches. Even when businesses invest in cybersecurity measures and systems and hire teams of security professionals to operate these systems, some residual risk remains. Many firms choose a pragmatic approach to residual risks and transfer the risk of a cyber breach to an insurance company for a fee. There is also the concern that risk disclosures may provide information to hackers. We test whether cyber insurance disclosure is associated with future breaches (H3). This test is of concern because the disclosure of a cyber insurance policy should lower residual risks and risks that might contain information for hackers seeking high-risk targets. The results of these tests are presented in Table 11. CYBER_INSURANCE is not significantly associated, either positively or negatively, with future data breaches.
$$
\begin{aligned}
\mathit{BREACH}_{t+1} ={}& \alpha_0 + \alpha_1 \mathit{CYBER\_INSURANCE}_{it} + \alpha_2 \mathit{TECHNOLOGY}_{it} + \alpha_3 \mathit{RISK}_{it} + \alpha_4 \mathit{COMPLIANCE}_{it} \\
&+ \alpha_5 \mathit{BREACH}_{it-1} + \alpha_6 \mathit{LNASSETS}_{it} + \alpha_7 \mathit{LOSS}_{it} + \alpha_8 \mathit{LEVERAGE} + \alpha_9 \mathit{INTANGIBLES}_{it} \\
&+ \alpha_{10} \mathit{SEGMENTS}_{it} + \varepsilon_{it}
\end{aligned}
$$
But what if the firm has a diligent internal audit committee, one with cyber security oversight? Does this change the effect of cyber insurance on future breaches? The answer appears to be yes. Table 12 presents the results for H4, which tests the association of cyber insurance and the audit committee's cybersecurity oversight responsibilities with audit fees. Smith et al. (2019) find that firms with more active audit committees experience lower audit fee premiums, with outside auditors being less inclined to price breach risk when firms have diligent internal governance mechanisms in place. Our variable of interest is AUDITCOMMITTEECYBEROVER, which equals 1 if a company’s audit committee charter contains a provision regarding cybersecurity oversight. We find that firms that disclose having cyber insurance in the post-breach period lower their audit premiums by 8.7%. This is a statistically and economically significant result. This result suggests that firms where the audit committee has cyber security oversight duties are charged lower audit fees by their auditor. This supports the notion that stronger governance is associated with lower fees.
$$
\begin{aligned}
\mathit{LNAUDITFEES} ={}& \delta_0 + \delta_1 \mathit{CYBER\_INSURANCE}_{it} + \delta_2 \mathit{POST\_BREACH}_{it} + \delta_3 \mathit{CYBER\_INSURANCE} \times \mathit{POST\_BREACH}_{it} \\
&+ \delta_4 \mathit{AUDITCOMMITTEECYBEROVER} + \delta_5 \mathit{TECHNOLOGY}_{it} + \delta_6 \mathit{RISK}_{it} + \delta_7 \mathit{COMPLIANCE}_{it} \\
&+ \delta_8 \mathit{BREACH}_{it-1} + \delta_9 \mathit{LNASSETS}_{it} + \delta_{10} \mathit{DISTRESS}_{it} + \delta_{11} \mathit{INVRECV}_{it} + \delta_{12} \mathit{LEVERAGE} \\
&+ \delta_{13} \mathit{ROA}_{it} + \delta_{14} \mathit{SEGMENTS}_{it} + \delta_{15} \mathit{GC}_{it} + \delta_{16} \mathit{LOSS}_{it} + \delta_{17} \mathit{FOREIGN}_{it} + \delta_{18} \mathit{YE}_{it} \\
&+ \delta_{19} \mathit{CHANGE}_{it} + \delta_{20} \mathit{BIG4}_{it} + \delta_{21} \mathit{IC}_{it} + \delta_{22} \mathit{SPECIALIST}_{it} + \delta_{23} \mathit{CR}_{it} \\
&+ \delta_{24} \mathit{BTM}_{it} + \delta_{25} \mathit{RESTATE}_{it} + \delta_{26} \mathit{DELAY}_{it} + \varepsilon_{it}
\end{aligned}
$$

5. Conclusions

We investigate whether auditors adjust their business risk assessments when client firms purchase cyber insurance products, specifically the association between the purchase of cyber insurance and audit fees. We find that, overall, firms that purchase cyber insurance experience higher audit fees. This is likely the result of an overall greater risk profile for those firms that deem it prudent to purchase this product. We control for endogeneity via both an instrumental variable approach and propensity score matching. Neither method produces results that differ from those reported above.
We also find that after a breach, the disclosure of an existing cyber insurance policy is associated with lower audit fees. This is no doubt because the auditor was aware of the policy and thus reduced the company’s risk assessment relative to other high-risk firms without such policies. Finally, we find that firms where the audit committee has cyber security oversight duties are charged lower audit fees by their auditor. We conclude that the purchase of cyber insurance is indicative of an overall higher risk profile, but that having that insurance after experiencing a breach reduces perceived risk. Similarly, assignment of risk oversight to the audit committee reduces perceived risk. Together these results should provide guidance to firms and regulators as they seek to address and mitigate the business risks associated with information technology.

Note

1. The market is, however, concentrated in three insurers: American International Group (AIG), Chubb, and XL Group, which together have a market share of over 45%.

References

  1. Aon Empower Results. (2019). US Cyber Market Update: 2018 US Cyber Insurance Profit and Performance. Available at http://thoughtleadership.aon.com/Documents/201906-us-cyber-market-update.pdf.
  2. Allianz. (2015). A guide to cyber risk. Managing the impact of increasing interconnectivity. Available at https://www.agcs.allianz.com/news-and-insights/news/cyber-risk-guide.html.
  3. Amir, E., Levi, S., and Livne, T. (2018). Do firms underreport information on cyber-attacks? Evidence from capital markets. Review of Accounting Studies, 23(3), 1177-1206. [CrossRef]
  4. Bell, T. B., W. R. Landsman, and D. A. Shackelford. (2001). Auditors’ perceived business risk and audit fees: Analysis and evidence. Journal of Accounting Research 39: 35–43. http://www.jstor.org/stable/2672944.
  5. Biener, C., Eling, M., and J. Hendrick Wirfs (2015) Insurability of cyber risk: An empirical analysis. The Geneva Papers on Risk and Insurance – Issues and Practice 40:131-158. http://www.jstor.org/stable/24736570.
  6. Böhme, R. (2005). Cyber-insurance Revisited. In Proceedings of Workshop on the Economics of Information Security (WEIS), 2005.
  7. Brumfield, C. A., R. K. Elliott, and P. D. Jacobson. (1983). Business risk and the audit process. Journal of Accountancy 155: 60–68. https://api.semanticscholar.org/CorpusID:15524306.
  8. Camillo, M. (2017). Cyber risk and the changing role of insurance. Journal of Cyber Policy, 2(1), 53-63. [CrossRef]
  9. Campbell, J. L., Chen, H., Dhaliwal, D. S., Lu, H. M., and Steele, L. B. (2014). The information content of mandatory risk factor disclosures in corporate filings. Review of Accounting Studies, 19(1), 396-455. [CrossRef]
  10. Cavusoglu, H., Mishra, B., and Raghunathan, S. (2004). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 70-104. http://www.jstor.org/stable/27751132.
  11. Chang, H., Ho, L.C., Liu, Z, and Ouyang, B. (2021). Income smoothing and audit fees. Advances in Accounting, 54, 100547. [CrossRef]
  12. Du, S., Xu, X., and Yu, K. (2020). Does corporate social responsibility affect auditor-client contracting? Evidence from auditor selection and audit fees. Advances in Accounting, 51, 100499. [CrossRef]
  13. Ettredge, M. L., and Richardson, V. J. (2003). Information transfer among internet firms: the case of hacker attacks. Journal of Information Systems, 17(2), 71-82. https://www.proquest.com/scholarly-journals/information-transfer-among-internet-firms-case/docview/235947408/se-2.
  14. Gatzert, N., and Schubert, M. (2022) Cyber risk management in the US banking and insurance industry: A textual and empirical analysis of determinants and value. The Journal of Risk and Insurance, 89: 725-763. [CrossRef]
  15. Gazert, N., Schmit, J., and Kolb, A., (2016) Assessing the risks of insuring reputation risk. The Journal of Risk and Insurance 83(3): 641-679. [CrossRef]
  16. Gordon, L. A., Loeb, M. P., and Sohail, T. 2003. A framework for using insurance for cyber-risk management. Communications of the ACM, 46(3), 81-85. DOI: 10.1145/636772.636774.
  17. Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Sohail, T. (2006). The impact of the Sarbanes-Oxley Act on the corporate disclosures of information security activities. Journal of Accounting and Public Policy, 25(5), 503-530. [CrossRef]
  18. Guttman, B., and Roback, E. A. (1995). An introduction to computer security: the NIST handbook. DIANE Publishing. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf.
  19. Heckman, J. J. 1979. Sample selection bias as a specification error. Econometrica 47 (February): 153–162. [CrossRef]
  20. Higgs, J. L., Robert E. P., Thomas J. S., and George R. Y. 2016. The relationship between board-level technology committees and reported security breaches. Journal of Information Systems 30, (3): 79-98. [CrossRef]
  21. Hoo, K. J. S. (2000). How much is enough? A risk management approach to computer security. Stanford: Stanford University. https://cisac.fsi.stanford.edu/publications/how_much_is_enough__a_riskmanagement_approach_to_computer_security.
  22. Kannan, K., Rees, J., and Sridhar, S. (2007). Market reactions to information security breach announcements: An empirical analysis. International Journal of Electronic Commerce, 12(1), 69-91. [CrossRef]
  23. Kesan, J., Majuca, R., and Yurcik, W. (2005, June). Cyberinsurance as a market-based solution to the problem of cybersecurity: a case study. Workshop on the Economics of Information Security (pp. 1-46). https://api.semanticscholar.org/CorpusID:212684768.
  24. Koh, K., and Tong, Y. H. (2012). The effects of clients’ controversial activities on audit pricing. Auditing: A Journal of Practice & Theory, 32(2), 67-96. [CrossRef]
  25. Li, He, No, Won Gyun and J. Efrim Boritz (2020) Are external auditors concerned about cyber incidents? Evidence from audit fees. AUDITING: A Journal of Practice & Theory 39 (1): 151–171. [CrossRef]
  26. Li, H., No, W. G., and Wang, T. (2018). SEC’s cybersecurity disclosure guidance and disclosed cybersecurity risk factors. International Journal of Accounting Information Systems, 30, 40-55. [CrossRef]
  27. Lyon, J. D., and Maher, M. W. (2005). The importance of business risk in setting audit fees: Evidence from cases of client misconduct. Journal of Accounting Research, 43(1), 133-151. [CrossRef]
  28. Majuca, R. P., Yurcik, W., and Kesan, J. P. (2006). The evolution of cyberinsurance. https://arxiv.org/abs/cs/0601020.
  29. Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., and Sadhukhan, S. K. (2013). Cyber-risk decision models: To insure IT or not? Decision Support Systems, 56, 11-26. [CrossRef]
  30. Ponemon Institute and IBM Security. (2019). Cost of a data breach report 2019. Available at https://www.ibm.com/security/data-breach.
  31. Richardson, V., Watson, M. W., and Smith, R. E. (2019). Much Ado about Nothing: The (Lack of) Economic Impact of Data Privacy Breaches. Journal of Information Systems 33 (3): 227–265. [CrossRef]
  32. Risk Based Security. (2019). Data breach quick view report 2018. Available at https://pages.riskbasedsecurity.com/2018-ye-breach-quickview-report.
  33. Securities and Exchange Commission (2005) Securities Act Rel. No. 33-8591, Securities Offering Reform. https://www.sec.gov/files/rules/final/33-8591.pdf.
  34. Securities and Exchange Commission. (2018). Commission Statement and Guidance on Public Company Cybersecurity Disclosures. February 26, 2018. https://www.govinfo.gov/app/details/FR-2018-02-26/2018-03858/summary.
  35. Sellers, R. D., Fogarty, J., and Jadallah, J. 2020. Has the new world order taught the big four to manage client portfolio risk? Examining extreme loss occurrences before and after Sarbanes Oxley. Advances in Accounting, Volume 51. [CrossRef]
  36. Schrader, C. and Sun, H. (2019). How does the type of equity compensation of audit committee affect audit fees? Advances in Accounting 45, 100411. [CrossRef]
  37. Shackelford, S. (2012). Should your firm invest in cyber insurance? Business Horizons 55: 349-356. [CrossRef]
  38. Smith, T., Higgs, J. L., and Pinsker, R. (2019). Do Auditors Price Breach Risk in Their Audit Fees? Journal of Information Systems, 33(2), 177-204. [CrossRef]
  39. Swiss Re. (2017). Cyber: getting to grips with a complex risk. Sigma 1/2017. https://www.swissre.com/dam/jcr:995517ee-27cd-4aae-b4b1-44fb862af25e/sigma1_2017_en.pdf.
  40. Vacca, J. R. (2012). Computer and information security handbook. Newnes. https://www.sciencedirect.com/book/edited-volume/9780123943972/computer-and-information-security-handbook.
  41. Wang, T., Kannan, K. N., and Ulmer, J. R. (2013). The association between the disclosure and the realization of information security risk factors. Information Systems Research, 24(2), 201-218. http://www.jstor.org/stable/42004301.
  42. Xie, X., Lee, C., and Eling M. (2019). Cyber insurance supply and performance: an analysis of the U.S. cyber insurance market. Geneva Pap Risk Insur Issues Pract 45, 690–736 (2020). [CrossRef]
  43. Yen, J. C., Lim, J. H., Wang, T., and Hsu, C. (2018). The impact of audit firms’ characteristics on audit fees following information security breaches. Journal of Accounting and Public Policy, 37(6), 489-507. [CrossRef]
Table 1. Sample Selection Process.
Active-firm year observations with non-missing price and assets from COMPUSTAT (2008-2018) 73,491
Less firm-year observations:
Missing audit fee and audit opinion data 11,558
Missing financial data variables 706
Firm year observation for full sample analysis 61,227
Less firms year observations:
Excluded by propensity score matching procedure 59,141
Firms-year observation for matched analysis 2,086
Table 2. First Time Sample Firms Disclosing Cyber Security Insurance by Year.
Year Unique Firms Identified Unique Firms Without Missing Data
2008 2 2
2009 1 1
2010 2 2
2011 14 12
2012 15 13
2013 22 18
2014 41 40
2015 52 45
2016 77 63
2017 69 55
2018 105 90
Total Firms 400 341
Table 3. Descriptive Statistics.
Variable Mean SD Q1 Median Q3
AUDITFEES 2,200,000 5,400,000 210,000 730,000 1,900,000
LNAUDITFEES 13.389 1.595 12.278 13.499 14.445
CYBER_INSURANCE 0.017 0.129 0.000 0.000 0.000
BREACH 0.005 0.072 0.000 0.000 0.000
INTANGIBLES 3.075 2.846 0.000 2.700 5.465
TECHNOLOGY 0.023 0.151 0.000 0.000 0.000
RISK 0.051 0.220 0.000 0.000 0.000
COMPLIANCE 0.027 0.163 0.000 0.000 0.000
LNASSETS 5.999 2.955 4.292 6.332 7.968
DISTRESS -2.752 17.751 -4.309 -3.279 -1.762
INVRECV 0.253 0.237 0.056 0.184 0.389
LEVERAGE 0.188 0.252 0.000 0.092 0.297
ROA -0.107 0.433 -0.057 0.029 0.086
SEGMENTS 1.750 1.145 1.000 1.732 2.449
GC 0.119 0.324 0.000 0.000 0.000
LOSS 0.404 0.491 0.000 0.000 1.000
FOREIGN 0.312 0.463 0.000 0.000 1.000
YE 0.767 0.423 1.000 1.000 1.000
CHANGE 0.080 0.271 0.000 0.000 0.000
BIG4 0.612 0.487 0.000 1.000 1.000
IC 0.027 0.161 0.000 0.000 0.000
SPECIALIST 0.123 0.251 0.003 0.014 0.092
CR 2.379 3.585 0.295 1.436 2.727
BTM 0.414 0.481 0.136 0.348 0.636
RESTATE 0.083 0.276 0.000 0.000 0.000
DELAY 4.248 0.347 4.043 4.234 4.454
LAMBDA 3.084 0.828 2.448 3.048 3.653
Table 4. Panel A: Correlation Variables LNAUDITFEES to SEGMENTS.
Variables 1 2 3 4 5 6 7 8 9 10 11 12 13
1 LNAUDITFEES 1.00
2 CYBER_INSURANCE 0.08 1.00
3 BREACH 0.09 0.03 1.00
4 INTANGIBLES 0.74 0.08 0.09 1.00
5 TECHNOLOGY 0.12 0.01 0.03 0.11 1.00
6 RISK 0.14 0.04 0.04 0.15 0.04 1.00
7 COMPLIANCE 0.08 0.04 0.04 0.09 0.03 0.12 1.00
8 LNASSETS 0.85 0.08 0.08 0.68 0.09 0.23 0.10 1.00
9 DISTRESS -0.02 0.00 0.00 -0.02 0.00 -0.01 0.00 -0.03 1.00
10 INVRECV -0.05 -0.01 0.00 -0.03 -0.01 0.18 0.06 0.08 -0.02 1.00
11 LEVERAGE 0.18 0.02 0.02 0.16 0.00 -0.03 0.01 0.13 0.07 -0.16 1.00
12 ROA 0.49 0.04 0.03 0.39 0.03 0.07 0.05 0.66 -0.12 0.17 -0.01 1.00
13 SEGMENTS 0.22 -0.02 0.01 0.18 0.03 -0.13 -0.05 0.08 0.00 -0.22 0.09 0.11 1.00
14 GC -0.46 -0.04 -0.03 -0.32 -0.04 -0.08 -0.05 -0.57 0.08 -0.12 0.01 -0.68 -0.10
15 LOSS -0.35 -0.05 -0.04 -0.36 -0.03 -0.12 -0.05 -0.48 0.10 -0.18 0.02 -0.53 -0.06
16 FOREIGN 0.25 -0.02 -0.01 0.21 0.03 -0.06 -0.03 0.16 0.00 -0.08 -0.03 0.11 0.10
17 YE 0.10 0.03 -0.01 0.04 0.00 0.06 0.04 0.14 -0.01 -0.05 0.07 0.03 -0.07
18 CHANGE -0.18 -0.01 -0.02 -0.13 -0.03 -0.02 -0.01 -0.18 0.02 0.02 -0.04 -0.12 -0.03
19 BIG4 0.68 0.05 0.05 0.48 0.07 0.07 0.03 0.58 -0.04 -0.18 0.14 0.34 0.18
20 IC 0.07 0.01 -0.01 0.03 0.01 -0.01 0.01 0.03 0.00 0.00 0.02 0.02 0.02
21 SPECIALIST -0.38 -0.03 -0.02 -0.23 -0.05 -0.08 -0.03 -0.36 0.02 0.02 -0.05 -0.21 -0.03
22 CR -0.14 -0.05 -0.02 -0.17 0.01 -0.11 -0.04 -0.17 -0.02 -0.20 -0.18 0.00 0.05
23 BTM 0.11 0.01 -0.01 0.05 -0.02 0.12 0.04 0.33 -0.05 0.22 -0.21 0.33 -0.06
24 RESTATE -0.01 0.01 0.00 -0.02 0.00 0.01 0.01 -0.01 0.00 0.01 0.00 0.00 0.04
25 DELAY -0.44 -0.06 -0.06 -0.35 -0.09 -0.12 -0.06 -0.47 0.03 0.03 -0.09 -0.33 -0.09
26 LAMBDA -0.43 -0.17 -0.06 -0.40 -0.05 -0.16 -0.12 -0.48 -0.07 -0.01 -0.09 -0.34 0.05
Table 5. First Stage Determinants of Insurance Disclosure (Calculate the Inverse Mills Ratio).
Dependent Variable: CYBER_INSURANCE
Variable Coeff. p-value
INTANGIBLES 0.016 ** (0.033)
TECHNOLOGY -0.040 (0.639)
RISK -0.080 (0.146)
COMPLIANCE 0.234 *** (0.000)
BREACHt-1 0.263 ** (0.036)
LNASSETS 0.034 *** (0.002)
DISTRESS 0.005 (0.350)
INVRECV -0.345 *** (0.000)
LEVERAGE -0.306 *** (0.000)
ROA 0.353 *** (0.001)
SEGMENTS 0.027 * (0.057)
GC -0.210 ** (0.037)
LOSS 0.060 (0.140)
FOREIGN -0.123 *** (0.001)
YE 0.219 *** (0.000)
CHANGE -0.015 (0.811)
BIG4 0.126 *** (0.008)
IC 0.038 (0.643)
SPECIALIST -0.059 (0.513)
CR -0.066 *** (0.000)
BTM -0.121 *** (0.001)
RESTATE 0.199 *** (0.000)
DELAY -2.993 *** (0.000)
Intercept
Year Indicators Yes
Industry Indicators Yes
Area under ROC 0.882
Pseudo R2 0.220
N 61,227
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table 6. The Association Between Cyber Insurance and Audit Fees.
Dependent Variable: LNAUDITFEES
(1) OLS (2) Heckman
Variable Coeff. p-value Coeff. p-value
CYBER_INSURANCE 0.032 * (0.082) 0.039 ** (0.034)
TECHNOLOGY 0.145 *** (0.000) 0.155 *** (0.000)
RISK 0.090 *** (0.000) 0.115 *** (0.000)
COMPLIANCE 0.081 *** (0.000) -0.001 (0.967)
BREACHt-1 0.206 *** (0.000) 0.112 *** (0.007)
LNASSETS 0.494 *** (0.000) 0.480 *** (0.000)
DISTRESS -0.002 *** (0.000) -0.004 *** (0.000)
INVRECV 0.248 *** (0.000) 0.380 *** (0.000)
LEVERAGE 0.001 * (0.084) 0.001 * (0.087)
ROA -0.441 *** (0.000) -0.576 *** (0.000)
SEGMENTS 0.022 *** (0.000) 0.012 *** (0.000)
GC -0.038 *** (0.003) 0.034 ** (0.018)
LOSS 0.084 *** (0.000) 0.067 *** (0.000)
FOREIGN 0.094 *** (0.000) 0.134 *** (0.000)
YE 0.012 * (0.063) -0.067 *** (0.000)
CHANGE -0.006 (0.583) -0.001 (0.931)
BIG4 0.418 *** (0.000) 0.369 *** (0.000)
IC 0.342 *** (0.000) 0.329 *** (0.000)
SPECIALIST -0.245 *** (0.000) -0.226 *** (0.000)
CR -0.022 *** (0.000) 0.002 (0.486)
BTM -0.195 *** (0.000) -0.164 *** (0.000)
RESTATE 0.045 *** (0.000) -0.027 ** (0.017)
DELAY -0.029 *** (0.009) 0.068 *** (0.000)
LAMBDA -0.398 *** (0.000)
Intercept 10.439 *** (0.000) 11.765 *** (0.000)
Year Indicators Yes Yes
Industry Indicators Yes Yes
Adjusted R2 0.868 0.868
N 61,227 61,227
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table 7. Comparison of Cyber Insurance and Propensity Scored Matched Non-Cyber Insurance Observations.
Variable Treated (n=1,043) Control (n=1,043) Difference p-value
LNAUDITFEES 14.384 14.420 -0.036 0.832
TECHNOLOGY 0.033 0.033 -0.001 0.975
RISK 0.112 0.100 0.012 0.771
COMPLIANCE 0.078 0.100 -0.022 0.533
BREACHt-1 0.019 0.033 -0.014 0.446
LNASSETS 7.845 8.039 -0.194 0.492
DISTRESS -2.974 -2.976 0.001 0.996
INVRECV 0.232 0.220 0.012 0.681
LEVERAGE 0.232 0.229 0.003 0.935
ROA 0.039 0.062 -0.023 0.261
SEGMENTS 1.614 1.582 0.032 0.842
GC 0.019 0.017 0.003 0.890
LOSS 0.236 0.167 0.069 0.217
FOREIGN 0.256 0.267 -0.011 0.854
YE 0.867 0.900 -0.033 0.459
CHANGE 0.052 0.083 -0.032 0.291
BIG4 0.803 0.850 -0.047 0.376
IC 0.034 0.067 -0.033 0.177
SPECIALIST 0.066 0.058 0.008 0.732
CR 1.135 0.949 0.186 0.343
BTM 0.431 0.389 0.041 0.415
RESTATE 0.099 0.067 0.032 0.415
DELAY 4.085 4.094 -0.009 0.781
Table 8. The Association of Cyber Insurance and Audit Fees (PSM).
Dependent Variable: LNAUDITFEES
Variable Coeff. p-value
CYBER_INSURANCE 0.091 *** (0.000)
TECHNOLOGY 0.182 ** (0.016)
RISK 0.012 (0.786)
COMPLIANCE 0.004 (0.934)
BREACHt-1 0.182 * (0.053)
LNASSETS 0.476 *** (0.000)
DISTRESS -0.003 (0.850)
INVRECV -0.225 *** (0.002)
LEVERAGE 0.030 (0.762)
ROA 0.087 (0.524)
SEGMENTS 0.115 *** (0.000)
GC 0.143 (0.358)
LOSS 0.239 *** (0.000)
FOREIGN 0.268 *** (0.000)
YE 0.002 (0.951)
CHANGE -0.063 (0.337)
BIG4 0.577 *** (0.000)
IC 0.498 *** (0.000)
SPECIALIST 0.137 (0.163)
CR 0.035 *** (0.006)
BTM -0.350 *** (0.000)
RESTATE -0.028 (0.560)
DELAY 0.068 (0.430)
Intercept 8.809 *** (0.000)
Year Indicators Yes
Industry Indicators Yes
Adjusted R2 0.793
N 2,086
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table 9. Post Data Breach Difference-in-Difference Regression of Cyber Insurance on Audit Fees.
Dependent Variable: LNAUDITFEES
Variable Coeff. p-value
CYBER_INSURANCE 0.042 ** (0.032)
POST_BREACH 0.192 *** (0.000)
CYBER_INSURANCE * POST_BREACH -0.107 * (0.069)
TECHNOLOGY 0.150 *** (0.000)
RISK 0.108 *** (0.000)
COMPLIANCE -0.005 (0.778)
BREACHt-1 -0.053 (0.239)
LNASSETS 0.479 *** (0.000)
DISTRESS -0.004 *** (0.000)
INVRECV 0.382 *** (0.000)
LEVERAGE 0.001 * (0.088)
ROA -0.574 *** (0.000)
SEGMENTS 0.012 *** (0.000)
GC 0.033 ** (0.024)
LOSS 0.068 *** (0.000)
FOREIGN 0.136 *** (0.000)
YE -0.066 *** (0.000)
CHANGE -0.001 (0.957)
BIG4 0.370 *** (0.000)
IC 0.330 *** (0.000)
SPECIALIST -0.228 *** (0.000)
CR 0.002 (0.453)
BTM -0.161 *** (0.000)
RESTATE -0.027 ** (0.019)
DELAY 0.070 *** (0.000)
LAMBDA -0.400 *** (0.000)
Intercept 11.775 *** (0.000)
Year Indicators Yes
Industry Indicators Yes
Adjusted R2 0.869
N 61,227
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table 10. Post Data Breach Difference-in-Difference Regression of Cyber Insurance on Audit Fees (PSM).
Dependent Variable: LNAUDITFEES
Variable Coeff. p-value
CYBER_INSURANCE 0.051 * (0.085)
POST_BREACH 0.182 ** (0.012)
CYBER_INSURANCE * POST_BREACH -0.207 ** (0.026)
TECHNOLOGY 0.338 *** (0.000)
RISK 0.201 *** (0.003)
COMPLIANCE -0.637 *** (0.000)
BREACHt-1 -0.482 *** (0.006)
LNASSETS 0.396 *** (0.000)
DISTRESS -0.022 (0.342)
INVRECV 0.923 *** (0.000)
LEVERAGE 0.787 *** (0.001)
ROA -1.202 *** (0.000)
SEGMENTS -0.097 *** (0.000)
GC 0.592 *** (0.004)
LOSS 0.018 (0.724)
FOREIGN 0.413 *** (0.000)
YE -0.615 *** (0.000)
CHANGE 0.055 (0.431)
BIG4 0.116 (0.160)
IC 0.317 *** (0.000)
SPECIALIST 0.144 (0.166)
CR 0.198 *** (0.000)
BTM 0.176 ** (0.046)
RESTATE -0.553 *** (0.000)
DELAY 0.787 *** (0.000)
Intercept 18.565 *** (0.000)
Year Indicators Yes
Industry Indicators Yes
Adjusted R2 0.833
N 2,086
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table 11. Cybersecurity Insurance and Future Cyber Security Breaches (PSM).
Dependent Variable: BREACHt+1
Variable Coeff. p-value
CYBER_INSURANCE -0.141 (0.496)
TECHNOLOGY 1.103 *** (0.002)
RISK -0.200 (0.432)
COMPLIANCE 0.395 (0.333)
BREACHt-1 0.809 *** (0.002)
LNASSETS 0.129 ** (0.031)
LOSS -0.885 *** (0.009)
LEVERAGE -0.009 (0.982)
INTANGIBLES -0.003 (0.956)
SEGMENTS 0.060 (0.442)
Intercept -3.567 *** (0.000)
Year Indicators Yes
Industry Indicators Yes
Pseudo R2 0.833
N 2,086
* p < 0.10, ** p < 0.05, *** p < 0.01.
Table 12. Post Data Breach Difference-in-Difference Regression of Cyber Insurance and Audit Committee Cybersecurity Oversight Duties on Audit Fees.
Dependent Variable: LNAUDITFEES
Variable Coeff. p-value
CYBER_INSURANCE 0.054 * (0.071)
POST_BREACH 0.245 *** (0.000)
CYBER_INSURANCE * POST_BREACH -0.230 ** (0.012)
AUDITCOMMITTEECYBEROVER -0.087 *** (0.004)
TECHNOLOGY 0.346 *** (0.000)
RISK 0.201 *** (0.002)
COMPLIANCE -0.657 *** (0.000)
BREACHt-1 -0.519 *** (0.003)
LNASSETS 0.393 *** (0.000)
DISTRESS -0.023 (0.313)
INVRECV 0.949 *** (0.000)
LEVERAGE 0.797 *** (0.001)
ROA -1.220 *** (0.000)
SEGMENTS -0.099 *** (0.000)
GC 0.592 *** (0.003)
LOSS 0.014 (0.775)
FOREIGN 0.414 *** (0.000)
YE -0.627 *** (0.000)
CHANGE 0.051 (0.466)
BIG4 0.115 (0.162)
IC 0.316 *** (0.000)
SPECIALIST 0.144 (0.168)
CR 0.201 *** (0.000)
BTM 0.180 ** (0.039)
RESTATE -0.554 *** (0.000)
DELAY 0.796 *** (0.000)
Intercept 18.801 *** (0.000)
Year Indicators Yes
Industry Indicators Yes
Adjusted R2 0.834
N 2,086
* p < 0.10, ** p < 0.05, *** p < 0.01.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.