A significant litigation trend is the rise in lawsuits filed against boards of directors following cybersecurity incidents. We perform an experiment to examine factors we predict will influence directors’ litigation risk. We examine whether jurors are more likely to hold directors liable when a company previously experienced an immaterial cyberattack, and whether subsequently implementing the American Institute of Certified Public Accountants’ cybersecurity risk management reporting and assurance framework (the “Framework”) can mitigate the effects of a prior attack. Consistent with counterfactual reasoning theory, we find jurors are more likely to hold directors liable for a cyberattack when a company previously experienced an attack. Importantly, we also find that directors can reduce this liability risk after a prior cyberattack by subsequently implementing the Framework, especially when they obtain external assurance. Our results have important implications for research, boards, regulators and public policymakers, audit firms, and attorneys who handle cybersecurity-related cases.

一个重要的诉讼趋势是网络安全事件后对董事会提起的诉讼增加。我们进行了一项实验，以检验我们预测会影响董事诉讼风险的因素。我们研究了当公司之前经历过非重大网络攻击时陪审员是否更有可能让董事承担责任，以及随后实施美国注册会计师协会的网络安全风险管理报告和保证框架（“框架”）是否可以减轻影响先前的攻击。与反事实推理理论一致，我们发现陪审员更有可能让董事在公司之前经历过网络攻击时对网络攻击负责。重要的，我们还发现，董事可以通过随后实施该框架来降低先前网络攻击后的这种责任风险，尤其是当他们获得外部保证时。我们的结果对处理网络安全相关案件的研究、董事会、监管机构和公共政策制定者、审计公司和律师具有重要意义。