Cyber risk management in the US banking and insurance industry: A textual and empirical analysis of determinants and value

Abstract

In this paper, we first construct a cyber risk consciousness score using a text mining algorithm, applied to annual reports of large- and mid-cap US banks and insurers from 2011 to 2018. We next categorize the firms' cyber risk management based on keywords to study determinants and value-relevance. Our results show an increasing cyber risk consciousness, regardless of the industry. In addition, for the entire sample we find that firms belonging to the banking industry, with a higher cyber risk consciousness score and a higher general risk awareness are more likely to implement cyber risk management, which also holds for both industries separately. We find the opposite in the case of profitable firms for the entire sample and the insurer subsample. Finally, we observe a significant positive relationship between cyber risk management and firm value measured by Tobin's Q for the entire sample and the subsamples of banks and insurers.