Welcome to the UPF Digital Repository

Across the pond: how US firms' boards of directors adapted to the passage of the general data protection regulation

dc.contributor.author Klein, April
dc.contributor.author Manini, Raffaele
dc.contributor.author Shi, Yanting (Crystal)
dc.date.accessioned 2023-07-26T07:15:35Z
dc.date.available 2023-07-26T07:15:35Z
dc.date.issued 2022
dc.identifier.citation Klein A, Manini R, Shi YC. Across the pond: how US firms' boards of directors adapted to the passage of the general data protection regulation. Contemp Account Res. 2022;39(1):199-233. DOI: 10.1111/1911-3846.12735
dc.identifier.issn 0823-9150
dc.identifier.uri http://hdl.handle.net/10230/57672
dc.description.abstract One of the prime responsibilities of the board of directors is to understand and oversee its firm's risk profile. We exploit a recent European Union (EU) regulation, the General Data Protection Regulation (GDPR), as a quasi-exogenous shock to the cyber risk landscape to assess whether boards of US firms changed their focus and governance structures to deal with this new challenge. The GDPR encompasses a sweeping set of regulations aimed at protecting EU citizens from unwanted uses of their personal Internet data. Although an EU regulation, the GDPR applies to all US public firms with at least one EU user. Adopting a difference-in-differences methodology, we use firms that already fall under a US data privacy regulation as a control group and find that boards of treated US firms, on average, increase their focus on cyber risk, add more directors with cyber/IT expertise, and more frequently assign cyber risk oversight to the board or to a board committee. In cross-sectional tests, we show that these changes are positively associated with a firm's ex ante cyber risk, but are unrelated to whether a firm had a large EU presence, suggesting a more global reaction to the GDPR. In addition, we examine some of the consequences of these board changes. We find boards that promptly responded by changing their board focus, expertise, and monitoring assignment of cyber risk around the passage of GDPR had fewer future cyberattacks/data breaches and less related media attention. Our findings suggest that, on average, American corporate boards promptly responded to changes in the cyber risk environment in ways that reduced their firms' overall future cyber risk. Our results have implications for the efficacy and flexibility of US corporate boards to respond to unexpected changes in risk.
dc.format.mimetype application/pdf
dc.language.iso eng
dc.publisher Wiley
dc.relation.ispartof Contemporary Accounting Research. 2022;39(1):199-233.
dc.rights This is the peer reviewed version of the following article: Klein A, Manini R, Shi YC. Across the pond: how US firms' boards of directors adapted to the passage of the general data protection regulation. Contemp Account Res. 2022;39(1):199-233, which has been published in final form at http://dx.doi.org/10.1111/1911-3846.12735. This article may be used for non-commercial purposes in accordance with Wiley Terms and Conditions for Use of Self-Archived Versions.
dc.title Across the pond: how US firms' boards of directors adapted to the passage of the general data protection regulation
dc.type info:eu-repo/semantics/article
dc.identifier.doi http://dx.doi.org/10.1111/1911-3846.12735
dc.subject.keyword corporate governance
dc.subject.keyword board of directors
dc.subject.keyword cyber-risk
dc.subject.keyword GDPR
dc.subject.keyword regulation
dc.rights.accessRights info:eu-repo/semantics/openAccess
dc.type.version info:eu-repo/semantics/acceptedVersion
