COSO Framework Adoption and Cybersecurity Breaches
Amanuel Tadesse, Stephanie Walton, Yiyang Zhang

ABSTRACT
The COSO 2013 framework presents a substantial change for firms utilizing the previous (1992) internal control framework. Consequently, adopting the updated COSO 2013 framework could expand the reach of information technology controls, particularly relating to a firm’s cybersecurity activities. However, the transition and integration of the new framework into existing control systems could fail to meet the framework’s guiding principles, potentially increasing a firm’s risks. We examine whether COSO 2013 framework adoption is associated with lower cybersecurity risk exposure. We expect and find that COSO framework adoption is associated with lower breach risk, up to three years in the future. We further provide evidence that utilizing the updated framework can benefit a firm’s internal control evaluation practices, resulting in the identification of information technology material weaknesses prior to breach occurrence. Our study contributes new knowledge to the burgeoning COSO framework and cybersecurity literatures.