Mandatory Disclosure of Negative Events and Auditor Behavior: Evidence from a Natural Experiment

Abstract

Using the staggered adoption of data breach disclosure (DBD) laws, this paper studies the impact of mandatory disclosure of adverse corporate events on audit fees. DBD laws increase the frequency of disclosed cyber incidents, which adversely impacts firms’ financial condition and operations; this could result in a higher risk of misstatement and reputation loss for auditors. Consistent with this hypothesis, we find that auditors charge higher fees after the adoption of DBD laws. We also find that the increase in audit fees is more pronounced in firms with higher cyber risk and greater auditor reputational concerns. Furthermore, governance mechanisms and resources that are available to auditors can mitigate the rise in audit fees. Robustness tests suggest that the effect is not driven by realized cyber incidents and other contemporaneous events. Overall, our study provides evidence that the mandated disclosure regulation significantly affects audit pricing.

1. Introduction

Disclosure regulation is a key component of the economic environment (Kanodia and Sapra 2016; Leuz and Wysocki 2016). Disclosure regime shifts can significantly alter stakeholders’ incentives, reshaping their behavior. Existing studies have documented the impact of mandatory disclosure on managers’ and investors’ decision-making (e.g., Jin and Leslie 2003; Christensen et al. 2017; Chen et al. 2018; Hansen et al. 2018). However, there is limited understanding of auditors’ response to disclosure regime changes that are not directly related to corporate financial reporting. To fill this void, we examine whether the mandatory disclosure requirements on cyber breaches impact auditors by utilizing the staggered adoption of data breach disclosure (DBD) laws.1

California first adopted DBD laws in 2002, with the 49 other U.S. states following suit between 2003 and 2018 (Perkins Coie 2023). Although the details of the laws vary by state, the laws generally require firms that are impacted by a data breach to inform the affected individuals about the event promptly, resulting in public disclosure of the data breach to the capital markets (Ashraf and Sunder 2023).

Because DBD laws significantly increase cyber incident disclosure (Romanosky et al. 2011; Ashraf and Sunder 2023), they could impact auditors in two ways. First, an incident can damage the auditor’s reputation and harm their client relationships (Asthana et al. 2021). Such incidents are often caused by information technology (IT) control failures, which are linked to financial reporting deficiencies (Lawrence et al. 2018). Auditors may be blamed even if not directly responsible for the failed IT control (e.g., Mintz 2017; McKenna 2018). This criticism may not be without merit. Since IT controls are often centrally managed, many financial reporting control deficiencies relate to IT-dependent control issues (PCAOB 2013). Further, because many of the impacts, such as customer and reputation loss, are difficult to predict and measure, auditors face additional uncertainty when assessing and evaluating cyber incidents. This adversely affects auditors’ own business risk.

DBD laws could also affect an auditor’s assessment of the risk of material misstatement due to increased client business and compliance risk. Disclosed data breaches could threaten firms’ future financial profitability, business stability, and reputation (e.g., Cavusoglu et al. 2004; Gordon et al. 2011; Southwell et al. 2017). The impact of cyber incidents may even go beyond the initial costs of addressing the issues and have further implications for financial reporting and internal control (Li et al. 2020).2 Data breaches are associated with negative market reactions (Gordon et al. 2010; Chai et al. 2011), declines in financial performance and financial health (Kamiya et al. 2021; Hsu et al. 2022), and unfavorable loan terms (Huang and Wang 2021). Financial vulnerability and profit instability can thus increase pressure on firms to manipulate earnings to meet financial targets (Healy and Wahlen 1999). Since managers are incentivized to conceal cyberattack information to avoid these adverse consequences (Amir et al. 2018) and have earnings manipulation such as real earnings management (Liu and Ni 2024), the client’s compliance risk increases. Hence, DBD laws could influence the auditor’s assessment of the risk of material misstatement.

Accordingly, we hypothesize that auditors increase audit fees to respond to increased risk after the adoption of the laws.3 However, mandatory disclosure policy may not impact auditors if they do not change their assessment of the risk of material misstatement when laws are adopted or if they do not suffer reputational loss from clients’ cyber incidents. Furthermore, Ashraf and Sunder (2023) provide evidence that firms have a lower cost of equity after DBD law adoption, suggesting that shareholders benefit from reductions in information asymmetry. If auditors face the same cyber-related information asymmetry, then DBD law adoption may reduce clients’ inherent risks, leading to a reduction in audit fees. Ex ante, it is not clear whether data breach disclosure laws affect audit fees.

Using a difference-in-differences design, we examine our predictions within a sample of 23,043 firm-year observations for U.S.-headquartered firms in states where DBD laws were enacted from 2002 to 2017.4 We find that audit fees increase by 6 percent or USD 126,000 on average for a firm after the adoption of DBD laws. To ensure that the documented effect is a consequence of adopting such laws, we test the parallel trends assumption and find no significant difference in audit fees between the affected and unaffected firms before the adoption of the laws.5 Additional analyses reveal that the realized cyber incidents and other contemporaneous events (e.g., the implementation of the Sarbanes-Oxley Act of 2002) are not the drivers of our findings. Overall, our results indicate that the mandatory disclosure of data breaches increases audit fees.

Using cross-sectional analyses, we examine client- and auditor-level factors associated with audit fee increases. First, we find that audit fees increase more for firms in industries with higher cyber risk. Next, we demonstrate that auditors with higher reputational risk charge higher fees after the adoption of DBD laws. We also find that the rise in audit fees can be partly mitigated by corporate risk management strategies (i.e., the existence of a board-level risk, compliance, or technology committee). Additionally, we examine whether the increase in audit fees varies with auditor resource availability. We find that client importance, auditor industry expertise, and Big-4 auditors mitigate the increase in audit fees due to DBD laws.

Finally, we investigate whether the increased audit fees are driven by additional audit effort or a risk premium. This investigation is crucial because increased effort can enhance audit quality while charging a risk premium, which simply shifts the cost to clients (DeFond and Zhang 2014). Distinguishing between these channels of audit fee increases is important, as the results will provide different implications for changes in audit fees. Using several proxies for audit quality and audit effort (restatements, going-concern opinions, discretionary accruals, earnings response coefficients, and reporting delay), we find no evidence that the adoption of DBD laws is associated with a significant change in audit quality. This is consistent with our hypothesis that auditors charge a higher fee in expectation of the future risk associated with data breach disclosure. Taken together, our results are more likely driven by increased risk premium rather than auditor effort.

Our study contributes to several strands of literature. First, we contribute to the auditor behavior literature. Different than extant research that generally treats transparency (i.e., disclosure) as an outcome of the audit process, our study centers on the impact of mandatory disclosure on auditors’ behavior. Using the staggered adoption of DBD laws, we find that auditors increase audit fees when the disclosure of adverse events becomes mandatory, broadening our understanding of firms’ cyber event disclosure requirements on auditors. These findings are less subject to endogeneity concerns because the staggered adoption of DBD laws is not associated with unobserved auditor characteristics. We add to the mandatory disclosure literature by documenting auditors’ reaction to the mandatory disclosure rule about negative events, complementing studies on the effects of mandatory disclosure on various stakeholders (e.g., Jin and Leslie 2003; Christensen et al. 2017; Hansen et al. 2018; Obaydin et al. 2024).

We also contribute to the audit pricing literature. Existing work emphasizes the role of auditor-and-client-related attributes (e.g., Hay et al. 2006; Lennox and Wu 2018) as well as political, economic, social, technological, legal, and environmental factors (see Eierle et al. 2021 for a review) on audit pricing. We identify another important pricing factor—mandatory disclosure regulation governing clients’ disclosure of negative news.

Additionally, we contribute to the literature on cybersecurity risks. Existing studies not only show that cyber incidents are associated with higher fees (Yen et al. 2018; Rosati et al. 2019; Smith et al. 2019; Li et al. 2020) but also highlight the role of cybersecurity risk disclosure on audit pricing (Calderon and Gao 2021; Jiang 2024). Our study complements these studies that focus on either the ex-post impact of cyber incidents or the impact of cyber risk disclosures by providing evidence that auditors price the risks brought by disclosure laws.

Finally, our findings provide new insight into the externalities of data breach disclosure laws. The Securities and Exchange Commission (SEC), the Public Company Accounting Oversight Board (PCAOB), and the American Institute of CPAs (AICPA) have devoted significant efforts to cybersecurity issues.6 Our study highlights auditors’ response to cyber disclosure laws and informs ongoing regulatory efforts to improve cybersecurity disclosures.

The rest of the paper is organized into six sections. Section 2 describes the institutional background, literature, and hypothesis. Section 3 details the research design and sample selection. Section 4 reports the empirical results. Section 5 illustrates the analyses of auditor efforts. Section 6 presents additional analyses. Section 7 concludes the paper.

2. Background, Literature, and Hypothesis

2.1. Background of DBD Laws

State laws govern data breach disclosure rules in the U.S. California adopted the first security breach notification law in 2002, and the 49 other states passed similar laws between 2003 and 2018 (Perkins Coie 2023).7

Although the specifics of DBD laws vary by state, such laws generally require organizations that are impacted by a data breach to inform affected individuals and entities about the data breach event.8 The state laws usually contain provisions detailing the scope of a breach, disclosure requirements, notification timelines, noncompliance penalties, and enforcement actions. Although the required disclosure is limited to affected individuals, it is still likely to be widespread because many individuals are typically impacted, and preventing the dissemination of related news is challenging. Indeed, the number of disclosed incidents increases sharply after the laws are passed (e.g., Romanosky et al. 2011; Ashraf and Sunder 2023).

2.2. Related Literature

We summarize the existing literature in two areas: (1) mandatory disclosure and (2) cybersecurity and auditor response.

2.2.1. Mandatory Disclosure

Leuz and Wysocki (2016) underscore the importance of understanding the economic consequences of disclosure regulation by calling for research using novel settings to study the causal impact and externalities of disclosure. Existing studies show that mandated disclosure affects the decision-making of managers and shareholders. For example, Jin and Leslie (2003) find that mandated disclosure of product quality information affects firms’ operational decisions. Christensen et al. (2017) document that mandatory disclosure of mine safety information impacts firm labor productivity, market evaluations, and investor decision-making. Chen et al. (2018) argue that while mandated corporate social responsibility disclosure may reduce future profitability, it may also generate positive externalities like reductions in industrial wastewater and sulfur dioxide (SO₂) emissions.

Compared with extant work on the impact of mandatory disclosures on managers and investors, the effect of mandatory disclosure (or, more broadly, transparency) on auditors is relatively unexplored. Most archival auditing research views transparency (e.g., financial reporting quality) as an outcome of the audit process.9 Our paper complements recent work documenting that the reporting regime and media coverage—two crucial sources of transparency—influence audit fees. For example, Kim et al. (2012) studied the impact of the International Financial Reporting Standard (IFRS) adoption on audit fees, highlighting the role of litigation and reputational risk in determining audit fees. Burke et al. (2019) investigated the relationship between media coverage and audit pricing and found that media coverage of negative environmental, social, and governance (ESG) news influences audit fees. We explore the potential effects that mandated DBD laws may have on auditors’ behavior.

A related stream of research examines how auditors assess cyber risk broadly. For example, auditors typically take cybersecurity risk into account during engagement planning (Jiang 2024). Cyber incidents are associated with a rise in audit fees due to the realization of cyber risk (Rosati et al. 2019; Li et al. 2020). While the increase in audit fees due to cyber incidents is less if the auditor has more capacity to assess cybersecurity risks (Yen et al. 2018), easy-to-read cybersecurity risk disclosures (Calderon and Gao 2021) can be mitigated by board-level risk committees and active audit committees (Smith et al. 2019).

2.2.2. Cybersecurity and Associated Costs

Cybersecurity issues have become a critical priority for organizations as well as an interest of academics, practitioners, and regulators (Gordon and Loeb 2002; Ackerman 2015), especially after several well-known data breaches occurred in large U.S. corporations (e.g., Equifax, Target, Yahoo!). The Ponemon Institute (2020) Report estimates that the average total cost of a breach was USD 8.64 million in 2020.

Many studies have identified costs related to data breaches. Disclosed data breaches are associated with negative market reactions (Gordon et al. 2010; Chai et al. 2011). Other costs that are induced by a data breach include litigation costs, proprietary costs, augmented competition, and reputational loss (Cavusoglu et al. 2004; Gordon et al. 2011; Romanosky 2016; Ponemon Institute 2017 ; Southwell et al. 2017).

2.3. Hypothesis Development

The significant costs associated with data breaches can elevate auditors’ assessment of risk and audit pricing in several ways. First, they increase firms’ financial vulnerabilities and profit instabilities, intensifying a firm’s pressure to manipulate earnings to meet financial targets (Healy and Wahlen 1999). Additionally, since the costs related to consumer loss and reputation damage are often difficult to quantify (Romanosky 2016), data breach notification laws can increase not only the client’s business risk but also the auditor’s assessment of the risk of material misstatement. This, in turn, raises audit risk (Johnstone 2000).

Second, managers may be incentivized to withhold unfavorable news, which increases the risk of misstatement. This incentive can stem from concerns about the firm’s valuation (Dye 1985) or the manager’s career concerns (Kothari et al. 2009; Bertomeu et al. 2020). In fact, Hilary et al. (2016) found that, despite growing public scrutiny of cyber issues, disclosure of cyber incidents remains scarce. Amir et al. (2018) demonstrate that managers often withhold cyberattack news to avoid stock price declines and other negative consequences.10 Similarly, companies with a high likelihood of experiencing a cyberattack may face adverse sentiment, even in the absence of an actual breach. As a result, managers might be motivated to manipulate market perception by concealing unfavorable information (Obaydin et al. 2024). Furthermore, firms face additional litigation costs when such incidents are eventually revealed (Skinner 1994, 1997; Kasznik and Lev 1995). For instance, Ireland’s Data Protection Commission (DPC) fined Twitter in 2020 for failing to disclose a data breach in a timely and adequate manner (Lomas 2020). The motivation to withhold information about cyber incidents, along with the potential costs, may influence auditors’ judgment regarding client risks.

Moreover, studies on data breach disclosure (DBD) laws indicate that companies are compelled to disclose a data breach, which may lead to opportunistic insider selling (Chen et al. 2021). Furthermore, following the implementation of DBD laws, companies often engage in increased real earnings management (Liu and Ni 2024). This will increase the misstatement risk, thereby increasing audit risk. Therefore, we anticipate that audit pricing will increase, as auditors typically charge higher fees for riskier engagements (Pratt and Stice 1994; Bell et al. 2001; Stanley 2011; DeFond and Zhang 2014; Frino et al. 2023).11

Finally, auditors are at a greater risk of damaging their reputations after the adoption of DBD laws, which, in turn, leads to higher audit pricing. Compared with the voluntary disclosure regime, mandatory disclosure laws significantly increase the frequency of disclosed incidents (Romanosky et al. 2011; Ashraf and Sunder 2023). A data breach can result from a failure in IT control, which may be linked to deficiencies in financial reporting (Lawrence et al. 2018; PCAOB 2013). Additionally, auditors are not only required to evaluate IT systems and data quality that could impact financial reporting but are also required by AS 1201 to supervise the work of IT specialists who are involved in testing controls (PCAOB 2010). Hence, a client’s cyber incident may increase the auditor’s reputational risk even though auditors may not be directly responsible for the cybersecurity-related internal control. For instance, the 2017 Equifax data breach caused public questioning of EY’s work quality (e.g., McKenna 2018) and led to discussions about auditors’ responsibilities (e.g., Mintz 2017).

Since audit pricing is a function of both auditing efforts and risks (Simunic 1980), and the increased disclosure requirements can also put upward pressure on audit fees (Taylor and Simon 1999), we expect that auditors may increase audit fees in response to the increased risk due to the DBD laws.

However, it is possible that a mandatory disclosure policy may not affect auditors if they do not adjust their assessment of the risk of material misstatement upon the adoption of such laws or if they do not experience reputational damage from their clients’ cyber incidents. If auditors encounter the same cyber-related information asymmetry, then the adoption of DBD laws may lower clients’ inherent risks, resulting in a decrease in audit fees.

Therefore, we state our hypothesis (in null form) as follows:

Hypothesis 1. 

Data breach notification laws have no impact on audit fees.

3. Research Design and Sample Selection

3.1. Sample Selection

The sample selection process begins with firms that are available in the Compustat, CRSP, and Audit Analytics datasets for 2002–2017.12 After merging this sample with the firm headquarters dataset, we retain the firms headquartered within the U.S.13 We further restrict the sample to observations for which we could construct the control variables and observations with positive total assets and total common equity. We exclude firms in the finance and healthcare industry, as these industries are governed by additional cyber-security laws.14 Our final sample consists of 23,043 firm–year observations, with around 1440 observations per year.

3.2. Research Design

Because we exploit state-level staggered shocks, we use a difference-in-differences design to study the effect of DBD laws on audit fees. Specifically, we estimate the following model:

$${Ln(AuditFee}_{i,t})=\alpha + \beta {DBD Laws}_{i,t}+\gamma X_{i,t}+FE+{\epsilon }_{i,t}$$

(1)

where $i$indexes firms, and $t$ indexes years. Consistent with prior research on audit fees, we use the natural logarithm of audit fees (${Ln(AuditFee}_{i,t})$) for firm $i$ in year $t$ as our main dependent variable. $X_{i,t}$ is a vector of control variables. Appendix A includes our variable definitions.

The independent variable, ${DBD Laws}_{i,t}$, is an indicator variable equal to one if firm i’s headquarter is in a state with effective DBD laws in year t and zero otherwise.15 Appendix B provides the year of passage of the laws by state. $\beta$ is a difference-in-differences estimator: if $\beta$ is positive (negative) and statistically significant, then DBD laws are associated with higher (lower) audit fees.

Following prior studies (e.g., Francis et al. 2005; Gul and Goodwin 2010; Hope et al. 2017), we include control variables related to firm and auditor characteristics. Specifically, our control variables include firm size (Size), leverage (Leverage), book-to-market ratio (BTM), profitability (ROA), an indicator for past negative earnings (Loss), an indicator for December fiscal year-end (DecFYEnd), auditor tenure (AuditorTenure), receivables and inventory ratio (RecInv), an indicator for material weakness (MWeakness), an indicator for Big 4 audit clients (Big4), the number of business segments (NumSegments), an indicator for multinational company (MNC), short interest (ShoretInterst), quick ratio (QuickRatio), current ratio (CurrentRatio), and growth of total assets (AssetGrowth).

To further strengthen inference, we use firm and year fixed effects to control for time-invariant unobservable firm characteristics and the macroeconomic environment that vary over time. Additionally, we use state, industry, and year fixed effects in our alternative specifications. As the staggered adoption is at the state level, the state fixed effects can control for the inherent characteristics of firms in the same state. The industry fixed effects capture the unobserved factors of each industry. More importantly, we cluster standard errors at the state level because our independent variable, $DBD Laws$, is at the state level (Bertrand et al. 2004).

4. Results

4.1. Summary Statistics

Table 1. Descriptive statistics.

	Count	Mean	SD	P25	P50	P75
Ln(AuditFee)	23,043	13.69	1.40	12.78	13.77	14.63
Size	23,043	6.32	2.24	4.82	6.35	7.85
Leverage	23,043	0.18	0.18	0.00	0.15	0.31
ROA	23,043	−0.04	0.27	−0.03	0.04	0.08
BTM	23,043	0.58	0.48	0.26	0.46	0.75
Loss	23,043	0.19	0.39	0.00	0.00	0.00
DecFYEnd	23,043	0.69	0.46	0.00	1.00	1.00
AuditorTenure	23,043	1.58	0.83	1.10	1.61	2.30
RecInv	23,043	0.25	0.18	0.09	0.22	0.36
MWeakness	23,043	0.05	0.22	0.00	0.00	0.00
Big4	23,043	0.74	0.44	0.00	1.00	1.00
NumSegments	23,043	2.39	2.05	1.00	1.00	4.00
MNC	23,043	0.53	0.50	0.00	1.00	1.00
ShortInterest	23,043	0.04	0.05	0.01	0.03	0.06
QuickRatio	23,043	2.50	2.77	1.02	1.57	2.77
CurrentRatio	23,043	3.10	2.91	1.43	2.18	3.55
AssetGrowth	23,043	0.13	0.37	−0.02	0.06	0.17
Observations	23,043

Notes: This table reports the summary statistics. The sample consists of 23,043 observations from 2002 to 2017. Section 3 details the sample construction. All continuous variables are winsorized at the 1st and 99th percentiles. Detailed variable definitions are in Appendix A.

reports summary statistics for the key variables. The mean of the natural logarithm of audit fees (Ln(AuditFee)) is 13.69, which means the average audit fee is USD 2.1 million in our sample. On average, the firm size is USD 4,320 million. Note that Big 4 auditors serve about 74 percent of firms in our sample, consistent with the domination of the Big 4 in the U.S. public companies. The variable distributions are consistent with the existing literature (e.g., Hope et al. 2017).

4.2. Main Results

Table 2. Data breach disclosure laws and audit fees.

	(1)	(2)
	Ln(AuditFee)	Ln(AuditFee)
DBDLaws	0.060 ***	0.066 **
	(3.92)	(2.67)
Size	0.377 ***	0.511 ***
	(25.91)	(41.48)
Leverage	0.023	−0.059
	(0.44)	(−0.83)
ROA	−0.193 ***	−0.429 ***
	(−5.75)	(−9.79)
BTM	0.011	−0.054 ***
	(0.71)	(−3.72)
Loss	0.034 **	0.086 ***
	(2.18)	(3.28)
DecFYEnd	0.087	0.120 ***
	(1.05)	(5.89)
AuditorTenure	−0.034 ***	−0.032 **
	(−3.52)	(−2.46)
RecInv	0.337 ***	0.719 ***
	(5.64)	(9.38)
MWeakness	0.129 ***	0.098 ***
	(5.70)	(4.18)
Big4	0.300 ***	0.423 ***
	(7.64)	(12.69)
NumSegments	0.014 ***	0.028 ***
	(3.07)	(5.58)
MNC	0.109 ***	0.264 ***
	(5.98)	(10.81)
ShortInterest	0.076	−0.148
	(0.68)	(−1.00)
QuickRatio	−0.012	0.090 ***
	(−1.32)	(5.49)
CurrentRatio	−0.003	−0.105 ***
	(−0.34)	(−7.23)
AssetGrowth	−0.035 ***	−0.081 ***
	(−2.96)	(−8.11)
Observations	23,043	23,043
Adj R-Squared	0.91	0.83
Fixed Effects	Firm and Year	State, Ind, and Year

Notes: Table 2 reports the impact of DBD laws on audit fees. We use the Fama–French 48 industries to define industries. Standard errors are clustered by state. T-statistics are in parentheses. ** and *** indicate significance at the 0.05 and 0.01 levels, respectively.

reports the main results. Column (1) presents the regression results when Equation (1) is estimated with firm and year fixed effects. The coefficients on $DBD Laws$ are positive and statistically significant at the 1% level. The magnitude of adjusted $R^2$ (91 percent) and the signs of the control variables are similar to prior literature (e.g., Hope et al. 2017). Audit fees are positively associated with Size, Loss, RecInv, MWeakness, Big 4, NumSegments, and MNC, as well as negatively associated with ROA, AuditorTenure, QuickRatio CurrentRatio, and AssetGrowth.16 Column (2) reports the regression results when Equation (1) is estimated with state, industry, and year fixed effects. The magnitude of the coefficient on $DBD Laws$ increases slightly but remains statistically at the 5% level. In terms of economic significance, the adoption of DBD laws raised the audit fees by 6 percent (i.e., on average, USD 126,000 for a firm) relative to firms in a state without a DBD law. The findings suggest that the litigation and reputation costs dominate the benefits of the improvement of reporting quality.

4.3. Cross-Sectional Analyses

To shed light on the channel through which the mandatory disclosure of adverse events impacts audit pricing, we examine how the impact of DBD laws on audit fees varies with firms’ cybersecurity risk and auditors’ reputation risk in this section. Additionally, we study the role of corporate governance (i.e., the board-level committees) in managing cybersecurity risk by testing how our results vary with the existence of the board-level committee. We also investigate the role of auditors by examining how our results vary with the auditors’ capability in assessing and managing risk.

4.3.1. Cybersecurity Risk

In this subsection, we study whether and how the impact of DBD laws varies with cybersecurity risk. Although cybersecurity risk affects all corporations and individuals at some level, certain types of firms face more cybersecurity risk than others.17 Because firms with higher cybersecurity risk are more likely to incur data breaches and to be affected by DBD laws, auditors of those firms bear augmented concerns about loss of reputation. Therefore, we expect that the effect of DBD laws on audit fees is more pronounced for firms with higher cyber risk. To test this hypothesis, we follow Ashraf and Sunder (2023) and define firms’ cyber risk based on their industry classification.18 Specifically, we define the indicator variable $HighCyber$ equal to one if a firm is in a high cyber risk industry and zero otherwise. We add the interaction term (i.e., $DBD Laws\times HighCyber$) and $DBD Laws$ in Equation (1) and then estimate this new equation.

Table 3. Cross-sectional analysis: cyber risk.

	(1)	(2)
	Ln(AuditFee)	Ln(AuditFee)
DBDLaws × HighCyber	0.071 **	0.088 ***
	(2.41)	(3.50)
DBDLaws	0.012	0.007
	(0.56)	(0.20)
Size	0.379 ***	0.510 ***
	(26.32)	(40.73)
Leverage	0.024	−0.051
	(0.45)	(−0.71)
ROA	−0.195 ***	−0.425 ***
	(−5.76)	(−9.68)
BTM	0.011	−0.053 ***
	(0.72)	(−3.56)
Loss	0.035 **	0.084 ***
	(2.29)	(3.18)
DecFYEnd	0.082	0.121 ***
	(1.00)	(5.98)
AuditorTenure	−0.033 ***	−0.031 **
	(−3.48)	(−2.33)
RecInv	0.336 ***	0.730 ***
	(5.60)	(9.44)
MWeakness	0.128 ***	0.097 ***
	(5.68)	(4.13)
Big4	0.300 ***	0.423 ***
	(7.64)	(12.69)
NumSegments	0.014 ***	0.028 ***
	(3.09)	(5.67)
MNC	0.108 ***	0.263 ***
	(5.86)	(10.69)
ShortInterest	0.065	−0.160
	(0.58)	(−1.05)
QuickRatio	−0.011	0.093 ***
	(−1.28)	(5.73)
CurrentRatio	−0.003	−0.108 ***
	(−0.41)	(−7.54)
AssetGrowth	−0.036 ***	−0.083 ***
	(−3.02)	(−8.16)
Observations	23,043	23,043
Adj R-Squared	0.91	0.83
Fixed Effects	Firm and Year	State, Ind, and Year

Notes: Table 3 reports the cross-sectional variation in the impact of data breach disclosure laws on audit fees based on firms’ cybersecurity risk. We use the Fama–French 48 industries to define industries. Standard errors are clustered by state. T-statistics are in parentheses. ** and *** indicate significance at the 0.05 and 0.01 levels, respectively.

presents the corresponding results.19 The coefficients for $DBD Laws x HighCyber$ are positive and significant at the 5% level when controlling for firm and year fixed effects (column 1) and significant at 1% level when controlling for state, industry, and year fixed effects (column 2). Note that the coefficients on $DBD Laws$ are not statistically significant, suggesting that the effect of DBD laws on audit fees only exists for firms with high cyber risk.

4.3.2. Reputation Risk

We further test whether the impact on audit fees varies with reputation risk, proxied by auditor experience. Experience plays a vital role in the impact of transparency. Because a rookie (new agent) is usually associated with more information asymmetry in career concern models, less experienced auditors (agents) are likely to be more affected by the transparency requirement due to their reputation concerns (Holmström 1999; Hansen et al. 2018). Thus, less experienced agents have more incentive to react to the increased disclosure requirement (Holmström 1999). Consistent with this argument, the effect of mandatory disclosure should be more pronounced for less experienced auditors.

To test this argument, we create an indicator variable, $LessExperiencedAuditor$, defined as a binary indicator variable equal to one if the length of auditor–client tenure is below the sample median in a given year. We then add $LessExperiencedAuditor$ and its interaction term $(DBD Laws x LessExperiencedAuditor$) in Equation (1). The estimated coefficients for this new equation are reported in

Table 4. Cross-sectional analysis: reputation risk.

	(1)	(2)
	Ln(AuditFee)	Ln(AuditFee)
DBDLaws × LessExperiencedAuditor	0.083 ***	0.067 **
	(3.40)	(2.40)
LessExperiencedAuditor	−0.006	0.013
	(−0.19)	(0.42)
DBDLaws	0.033 *	0.043 *
	(1.92)	(1.84)
Size	0.377 ***	0.511 ***
	(25.94)	(41.86)
Leverage	0.032	−0.061
	(0.59)	(−0.87)
ROA	−0.191 ***	−0.429 ***
	(−5.74)	(−9.89)
BTM	0.011	−0.055 ***
	(0.66)	(−3.72)
Loss	0.034 **	0.085 ***
	(2.21)	(3.25)
DecFYEnd	0.090	0.119 ***
	(1.10)	(5.77)
AuditorTenure	−0.009	0.003
	(−0.62)	(0.18)
RecInv	0.339 ***	0.721 ***
	(5.62)	(9.31)
MWeakness	0.127 ***	0.097 ***
	(5.64)	(4.12)
Big4	0.311 ***	0.429 ***
	(7.89)	(12.55)
NumSegments	0.014 ***	0.029 ***
	(3.01)	(5.55)
MNC	0.111 ***	0.265 ***
	(6.08)	(10.81)
ShortInterest	0.072	−0.157
	(0.64)	(−1.06)
QuickRatio	−0.011	0.092 ***
	(−1.24)	(5.63)
CurrentRatio	−0.003	−0.106 ***
	(−0.40)	(−7.39)
AssetGrowth	−0.035 ***	−0.081 ***
	(−2.91)	(−8.01)
Observations	23,043	23,043
Adj R-Squared	0.91	0.83
Fixed Effects	Firm and Year	State, Ind, and Year

Notes: Table 4 reports the cross-sectional variation in the impact of data breach disclosure laws on audit fees based on reputation risk. We use the Fama–French 48 industries to define industries. Standard errors are clustered by state. T-statistics are in parentheses. *, **, and *** indicate significance at the 0.1, 0.05, and 0.01 levels, respectively.

. The coefficients on $DBD Laws x LessExperiencedAuditor$ are positive and statistically significant at the 1% level in both columns (1) and (2), supporting the point that the impact of transparency on adverse events is stronger for an auditor with a greater reputation concern.

4.3.3. Board-Level Committee

Next, we study how our findings vary with the presence of the risk, compliance, or technology committee at the corporate board level. Because board-level risk/compliance/technology committees oversee and manage operational and cyber risks, the existence of the board committee is likely to mitigate the auditors’ reputational concern about cyber incidents.

To identify the presence of such committees on the corporate board, we search for relevant keywords in the proxy statements following Smith et al. (2019). The variable Committee is a binary variable to indicate the existence of the risk, compliance, or technology committee. We then add the variable $Committee$ and the interaction term $DBD laws\times Committee$ to Equation (1).

Table 5. Cross-sectional analysis: board committee.

	(1)	(2)
	Ln(AuditFee)	Ln(AuditFee)
DBDLaws × Committee	−0.115 ***	−0.156 ***
	(−3.37)	(−3.53)
Committee	0.083 ***	0.139 ***
	(2.79)	(3.66)
DBDLaws	0.075 ***	0.086 ***
	(4.56)	(3.23)
Size	0.378 ***	0.511 ***
	(26.19)	(41.72)
Leverage	0.023	−0.060
	(0.43)	(−0.84)
ROA	−0.195 ***	−0.431 ***
	(−5.84)	(−9.91)
BTM	0.012	−0.054 ***
	(0.76)	(−3.73)
Loss	0.034 **	0.086 ***
	(2.22)	(3.28)
DecFYEnd	0.092	0.120 ***
	(1.10)	(5.89)
AuditorTenure	−0.034 ***	−0.032 **
	(3.53)	(−2.44)
RecInv	0.333 ***	0.720 ***
	(5.63)	(9.45)
MWeakness	0.130 ***	0.099 ***
	(5.71)	(4.32)
Big4	0.301 ***	0.423 ***
	(7.73)	(12.86)
NumSegments	0.014 ***	0.028 ***
	(3.02)	(5.59)
MNC	0.107 ***	0.264 ***
	(5.83)	(10.73)
ShortInterest	0.074	−0.154
	(0.66)	(−1.05)
QuickRatio	−0.011	0.090 ***
	(−1.29)	(5.55)
CurrentRatio	−0.003	−0.105 ***
	(−0.42)	(−7.33)
AssetGrowth	−0.036 ***	−0.082 ***
	(−3.05)	(−8.08)
Observations	23,043	23,043
Adj R-Squared	0.91	0.83
Fixed Effects	Firm and Year	State, Ind, and Year

Notes: Table 4 presents how the impact of data breach disclosure laws on audit fees varies with the existence of a risk/compliance/technology committee at the board level. We use the Fama–French 48 industries to define industries. Standard errors are clustered by state. T-statistics are in parentheses. ** and *** indicate significance at the 0.05 and 0.01 levels, respectively.

reports the results. The coefficients of the interaction term ($DBD laws\times Committee$) are negative and significant at the 1% level under both fixed effect specifications, suggesting that firms with better internal governance mechanisms mitigate the increase in audit fees due to the adoption of DBD laws.

4.3.4. Auditor Characteristics

We next investigate whether the effect of DBD laws on audit fees varies with auditor characteristics that affect auditors’ ability to evaluate and manage the cyber-related risk of their clients. We focus on three dimensions: industry expertise, client importance, and Big N auditors. Auditors can better assess and manage risk related to cybersecurity incidents if they are equipped with better industry knowledge, better client-specific information, or more usable resources (Yen et al. 2018). We expect that DBD laws will have less impact on audit fees when auditors are more able to evaluate and manage clients’ cyber-related risks.

To test this hypothesis, we define an indicator variable $IndExpert$ to represent industry expertise. It equals one if the auditor has more than 50 percent of the market share in the client’s industry in a year and zero otherwise.20 We use $HighCI$ to represent the importance of a certain client and the auditor’s familiarity with this client.21 We utilize $Big$ 4 to denote clients of Big 4 auditors who have more resources to assess and manage their risk.22 We then estimate the augmented Equation (1) with $IndExpert$, $HighCI$, and $Big 4$ and their interaction terms ($DBDLaws\times IndExpert$, $DBDLaws\times HighCI$, $DBDLaws\times Big 4$) added, respectively. As reported in

Table 6. Cross-sectional analysis: auditor characteristics.

	(1)	(2)	(3)	(4)	(5)	(6)
	Ln(AuditFee)	Ln(AuditFee)	Ln(AuditFee)	Ln(AuditFee)	Ln(AuditFee)	Ln(AuditFee)
DBDLaws × InExpert	−0.155 ***	−0.218 ***
	(−2.48)	(−2.56)
InExpert	0.489 ***	0.552 ***
	(7.28)	(5.49)
DBDLaws × HighCI			−0.053 ***	−0.125 ***
			(−2.02)	(−4.06)
HighCI			0.364 ***	0.378 ***
			(11.42)	(11.84)
DBDLaws × Big4					−0.229 ***	−0.148 ***
					(−5.37)	(−2.82)
DBDLaws	0.063 ***	0.078 ***	0.086 ***	0.126 ***	0.258 ***	0.193 ***
	(4.21)	(3.21)	(3.83)	(3.95)	(6.62)	(3.65)
Observations	23,043	23,043	23,043	23,043	23,043	23,043
Controls	Yes	Yes	Yes	Yes	Yes	Yes
Adj R-Squared	0.91	0.91	0.91	0.84	0.91	0.83
Fixed Effects	Firm, Year	State, Ind, Year	Firm, Year	State, Ind, Year	Firm, Year	State, Ind, Year

Notes: This table reports the cross-sectional variation in the impact of data breach disclosure laws on the audit fees based on auditors’ characteristics. We use the Fama–French 48 industries to define industries. Standard errors are clustered by state. T-statistics are in parentheses. *** indicates significance at the 0.01 level. Coefficients of control variables and constants are not tabulated for brevity. Variables are defined in Appendix A.

, the coefficients on $DBD Laws\times IndExpert$, $DBD Laws\times HighCI$, and $DBDLaws\times Big 4$ are negative and statistically significant at the 5%, 5%, and 1% level, respectively. Meanwhile, the baseline coefficients of DBD laws are positive and significant at the 1% level. This suggests that while DBD laws still increase audit fees on average, the increase is mitigated by the auditor’s capacity to evaluate and manage clients’ cyber risk.

5. Risk Premium and Increased Effort

Since auditors may charge a risk premium or increase their effort when facing an increase in reputation risk (e.g., Simunic 1980; Hoitash et al. 2008), we investigate whether increased audit fees in response to DBD laws are due to augmented effort or risk premium. The distinction between these alternatives is critical: increased audit effort can lead to improved audit quality, but charging a risk premium only passes the auditor’s cost to the client (DeFond and Zhang 2014). If audit quality does not change, then the increase in audit pricing could be driven by auditors’ risk assessments due to the implementation of the law rather than by the actual workload and effort involved in the audit. To differentiate between these two forces, we follow Hope et al. (2017) and examine whether audit quality increases after the passage of DBD laws. Because we acknowledge that no single measure of audit quality is perfect as they are inherently noisy, we employ multiple proxies in our analysis. Specifically, we use the following audit quality measures: issuance of restatement, discretionary accruals, issuance of going-concern opinions, investors’ perceptions23, and reporting lag.24 

Table 7. Data breach disclosure law and audit effort/risk premium.

	(1)	(2)	(3)	(4)	(5)	(6)
	Restatement	GoingConcern	DiscrAccruals	ERC	ReportLag	Ln(AuditFee)
DBDLaws	−0.005	0.001	0.001	−0.050	−0.008	0.060 ***
	(−0.45)	(0.40)	(0.26)	(−1.18)	(−0.41)	(4.17)
Restatement						0.189 ***
						(5.43)
GoingConcern						0.053
						(1.48)
DiscrAccruals						0.046
						(0.83)
ERC						−0.001
						(−0.72)
Report Lag						−0.084 ***
						(−3.12)
Observations	23,043	23,043	23,043	23,043	23,043	23,043
Controls	Yes	Yes	Yes	Yes	Yes	Yes
Adj R-Squared	0.12	0.57	0.30	0.00	0.20	0.91
Fixed Effects	Firm, Year	Firm, Year	Firm, Year	Firm, Year	Firm, Year	Firm, Year

Notes: This table reports the effect of data breach disclosure laws on audit efforts. We use the Fama-French 48 industries to define industries. Standard errors are clustered by state. T-statistics are in parentheses. *** indicates significance at the 0.01 level. Coefficients of control variables and constants are not tabulated for brevity. Variables are defined in Appendix A.

reports the results.

5.1. Restatement

Audit effort is negatively associated with the restatement of annual reports (Lennox and Pittman 2010; Lobo and Zhao 2013). We define Restatement as an indicator variable that equals one if a firm has a restatement of annual reports for a given year and zero otherwise. We then regress $Resstatement$ on $DBD Laws$. Column (1) of Table 7 reports the results. The coefficient on $DBD Laws$ is not significant, suggesting that audit quality—evidenced by restatements—was not affected by the passage of DBD laws.

5.2. Going-Concern Opinions

The issuance of a going-concern opinion reflects auditors’ ability and power to issue an unbiased opinion; it is thus associated with high audit quality (DeFond et al. 2002). We define $GoingConcern$ as an indicator variable equal to one if a firm receives a going-concern opinion in a given year and zero otherwise. We change the outcome variable, $Ln\left(AuditFee\right)$, in Equation (1) to the issuance of going-concern opinions ($GoingConcern$) and re-estimate the model. Column (2) of Table 7 shows the results. The coefficient on $DBD Laws$ is not significant, providing additional evidence that DBD laws do not affect audit quality.

5.3. Discretionary Accruals

Discretionary accruals are a commonly used proxy for financial reporting quality. Higher audit effort is expected to improve financial reporting quality, thus reducing discretionary accruals (Caramanis and Lennox 2008). Absolute discretionary accruals ($DiscrAccruals$) are the absolute value of discretionary accruals, which are the residuals from the modified Jones model (Dechow et al. 1995). We change the dependent variable, $Ln\left(AuditFee\right)$, to discretionary accruals ($DiscrAccruals$) in Equation (1) and re-estimate the regression. Column (3) of Table 7 shows the results. The coefficient of $DBD Laws$ is not significant, providing evidence that DBD laws do not alter perceived audit quality.

5.4. Earnings Response Coefficients

In addition, we use investors’ perceptions of audit quality—earnings response coefficient (ERC)—to measure audit quality (Teoh and Wong 1993). Different from previous actual audit quality measures (i.e., restatement, discretionary accruals, going-concern opinions), ERC proxies for perceived audit quality (Burnett et al. 2018). Following Hope et al. (2017), we estimate the ERC at the industry–year level. Specifically, we regress the three-day cumulative abnormal return (CAR) on firms’ unexpected earnings in the same SIC four-digit industry in a given year, and ERC is defined as the estimated coefficient on unexpected earnings in the regression. We replace the outcome variable, $Ln\left(AuditFee\right)$, in Equation (1) with ERC and re-estimate the model. Column (4) of Table 7 presents the results. We find that the coefficient on $DBD Laws$ is not significant, providing evidence that the adoption of DBD laws is not connected with perceived audit quality.

5.5. Reporting Lag

Reporting lag ($ReportLag$) is another proxy for audit effort because it is a measure of audit efficiency (Knechel and Payne 2011). It is calculated as the number of days between the fiscal year-end and the audit report date. Column (5) of Table 7 reports the results of regressing reporting lag on DBD Laws. The coefficient on $DBD Laws$ is not significant, providing evidence that the adoption of DBD laws is unlikely to be related to auditing efficiency.

5.6. Adding Audit Quality Measures as Control Variables

To further test how the impact of DBD laws on audit fees varies after controlling for audit quality, we incorporated audit quality measures as additional control variables in Equation (1). The results are illustrated in column (6) of Table 7. The coefficient on $DBD Laws$ is 0.060 and significant at the 1% level. This coefficient is very close to that of $DBD Laws$ reported in Table 2 (0.060), suggesting that the increase in audit fees is unlikely to be driven by audit efforts.25

Collectively, our findings suggest that increased audit fees are not due to increased audit effort or audit quality. Accordingly, we infer that the increase in audit fees in response to DBD law adoption is likely to be a function of risk premium rather than audit effort.26 This aligns with our hypothesis development that non-financial reporting disclosure mandates (DBD laws) can increase audit risk, thereby influencing auditor pricing.

6. Additional Analyses

This section presents several robustness tests, including tests of the parallel trends assumption.

6.1. Robustness Tests

Our findings suggest that the adoption of DBD laws increases audit fees, and the results are more likely driven by risk premium than by audit effort. In this section, we conduct analyses to address alternative explanations. Particularly, there are two concerns. First, because prior work finds that audit fees increase with the occurrence of cyber incidents, one concern is that the documented increase in audit fees around DBD law adoption could be driven by more frequently reported cyber incidents. A second concern is that other contemporaneous events, such as the Sarbanes–Oxley Act of 2002 or those that may correspond to law adoption in certain states in the sample period, may contribute to the observed effect.

6.1.1. Cyber Incidents

To address the concern that reported cyber incidents are driving our results, we exclude firms that have experienced cyber incidents from the main sample and then re-estimate the effect of DBD laws on audit fees. The estimated results are reported in

Table 8. Robustness tests.

Panel A
	(1)		(2)
	Ln(AuditFee)		Ln(AuditFee)
DBDLaws	0.058 ***		0.065 **
	(3.81)		(2.65)
Size	0.373 ***		0.520 ***
	(26.52)		(40.14)
Leverage	0.022		0.047
	(0.39)		(0.54)
ROA	−0.207 ***		−0.427 ***
	(−5.97)		(−9.14)
BTM	0.004		−0.065 ***
	(0.21)		(−3.38)
Loss	0.034 **		0.087 ***
	(2.21)		(3.25)
DecFYEnd	0.079		0.124 ***
	(0.94)		(5.72)
AuditorTenure	−0.036 ***		−0.030 ***
	(−3.64)		(−2.44)
RecInv	0.435 ***		0.394 ***
	(7.81)		(5.00)
MWeakness	0.124 ***		0.102 ***
	(5.49)		(4.14)
Big4	0.311 ***		0.427 ***
	(7.94)		(14.62)
NumSegments	0.014 ***		0.030 ***
	(2.97)		(6.30)
MNC	0.106 ***		0.256 ***
	(5.67)		(9.76)
ShortInterest	0.070		−0.291 *
	(0.63)		(−1.86)
QuickRatio	0.005 ***		−0.017 ***
	(−2.85)		(−7.71)
CurrentRatio	−0.122 **		0.282 ***
	(−2.44)		(3.73)
AssetGrowth	−0.034 ***		−0.079 ***
	(−2.92)		(−0.09)
Observations	22,304		22,304
Adj R-Squared	0.90		0.83
Fixed Effects	Firm, Year		State, Ind, Year
Panel B
	(1)	(2)	(3)	(4)
	Ln(AuditFee)	Ln(AuditFee)	Ln(AuditFee)	Ln(AuditFee)
DBDLaws	0.039 **	0.059 ***	0.042 **	0.066 ***
	(2.17)	(3.86)	(2.16)	(3.29)
Size	0.386 ***	0.377 ***	0.378 ***	0.381 ***
	(20.93)	(25.80)	(19.58)	(20.43)
Leverage	0.065	0.022	0.075 *	0.029
	(1.47)	(0.41)	(1.83)	(0.54)
ROA	−0.232 ***	−0.193 ***	−0.221 ***	−0.197 ***
	(7.89)	(−5.74)	(−6.85)	(−5.08)
BTM	0.019	0.011	0.025	−0.008
	(1.25)	(0.72)	(1.52)	(−0.46)
Loss	0.040 *	0.034 **	0.040 *	0.029 *
	(1.94)	(2.18)	(1.81)	(1.70)
DecFYEnd	0.091	0.087	0.072	0.100
	(0.99)	(1.05)	(0.76)	(1.45)
AuditorTenure	−0.032 ***	−0.034 ***	−0.030 **	−0.029 **
	(2.72)	(−3.53)	(−2.37)	(−2.54)
RecInv	0.382 ***	0.337 ***	0.343 ***	0.303 ***
	(5.79)	(5.61)	(5.09)	(5.11)
MWeakness	0.117 ***	0.129 ***	0.109 ***	0.127 ***
	(4.81)	(5.64)	(4.42)	(5.29)
Big4	0.286 ***	0.301 ***	0.283 ***	0.152 **
	(6.13)	(7.64)	(5.71)	(2.65)
NumSegments	0.016 ***	0.014 ***	0.015 ***	0.013 **
	(2.97)	(3.00)	(2.76)	(2.52)
MNC	0.116 ***	0.107 ***	0.105 ***	0.080 ***
	(5.46)	(5.90)	(4.69)	(3.43)
ShortInterest	0.024	0.069	0.055	−0.083
	(0.19)	(0.61)	(0.42)	(−0.80)
QuickRatio	−0.012	−0.012	−0.015	−0.016 *
	(−1.00)	(−1.30)	(−1.27)	(−1.69)
CurrentRatio	−0.003	−0.003	−0.000	0.002
	(−0.27)	(−0.36)	(−0.03)	(0.32)
AssetGrowth	−0.037 **	−0.035 ***	−0.034 **	−0.045 ***
	(2.38)	(−2.91)	(−2.08)	(−3.77)
Observations	18,980	22,885	17,799	21,073
Adj R-Squared	0.91	0.91	0.91	0.91
Fixed Effects	Firm, Year	Firm, Year	Firm, Year	Firm, Year

Notes: The table presents robustness tests. Panel A presents the results controlling for the cyber incidents. Panel B shows the results of eliminating various states or years. Column (1) ignores observations of firms headquartered in California. Column (2) omits observations of firms headquartered in states that adopt DBD laws after 2016 (i.e., NM, AL, and SD). Column (3) excludes observations of firms headquartered in states from the Ninth Circuit (i.e., AK, AZ, CA, HI, ID, MT, NV, OR, and WA). Column (4) excludes observations prior to 2004. We use the Fama–French 48 industries to define industries. Standard errors are clustered by state. T-statistics are in parentheses. *, **, and *** indicate significance at the 0.1, 0.05, and 0.01 levels, respectively. Variables are defined in Appendix A.

, panel A. The coefficients on $DBD Laws$ remain significant at the 1% level and are qualitatively and quantitatively similar to those reported in Table 2. This suggests that increasing audit fees around DBD law adoption are not driven by realized cyber incidents.

6.1.2. Exclusion of Various States and Years

An additional concern is that the documented effects only exist in certain states and years. We note that year fixed effects included in all specifications should help control for regulatory changes that impact all firms over the sample periods. To further mitigate this concern, we perform several additional robustness tests. The results are reported in Table 8, panel B.

We first exclude observations of firms headquartered in California, the state with the largest number of observations (17.6 percent of the sample observations). This is to check whether our results are driven by only one influential state in the sample. The results are shown in column (1) of panel B, and the coefficient on DBD Laws is positive and significant at the 5% level.

Next, we exclude the observations of firms headquartered in states that adopted DBD laws after 2016 (i.e., New Mexico, Alabama, and South Dakota) to remove the firm with few observations after the passage of DBD laws. As shown in column (2) of panel B, the coefficient on DBD laws remains significantly positive at the 1% level.

We then exclude the observations of firms headquartered in states from the Ninth Circuit (i.e., Arkansas, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, and Washington) to eliminate potential confounding effects from those states. Houston et al. (2019) find that a ruling from the Ninth Circuit Court of Appeals in 1999 increased the threshold for shareholder litigation, which reduced litigation risk for firms headquartered there. The results are reported in column (3) of panel B. The coefficient on DBD laws is still positive and significant at the 5% level.

Finally, Raghunandan and Rama (2006) document that SOX is associated with a substantial increase in audit fees, evidenced by the rise in audit fees from fiscal 2003 to fiscal 2004. To alleviate the confounding effect from SOX, we omitted the observations prior to 2004 in the sample and re-estimated the model. The results are reported in column (4) of panel B. The estimated coefficient on $DBD Laws$ remained positive and statistically significant at the 1% level, reducing the concern that the result is primarily driven by the implementation of SOX.

6.1.3. Parallel Trends Assumption

In this section, we perform analyses to test the parallel trends assumption, a key assumption in a difference-in-differences design (Roberts and Whited 2013). Specifically, we estimate Equation (2) and allow the effect of DBD laws to vary by year relative to the year of passage of the laws. The following equation is estimated:

$$\begin{gathered} Ln(AuditFee{)}_{i,t}= \alpha +{\beta }_0 {DBD Laws}_{i,t=T-1}+{\beta }_1 {DBD Laws}_{i,t=T}+{\beta }_2 {DBD Laws}_{i,t=T+1} \\ +{\beta }_3 {DBD Laws}_{i,t=T+2}+{\beta }_4 {DBD Laws}_{i,t\ge T+3}+\lambda Controls+Fixed Effects+ {ϵ}_t \end{gathered}$$

(2)

where $i$indexes firms, and $t$ indexes years. ${Ln(AuditFee}_{i,t})$is the natural logarithm of audit fees for firm $i$ in year $t$. $Controls$ is the same vector of control variables defined in Equation (1).

Table 9. Trend tests: effect of DBD laws on audit fees.

	(1)
	Ln(AuditFee)
DBDLaws (=−1)	0.012
	(0.48)
DBDLaws (=0)	0.017
	(0.83)
DBDLaws (=1)	0.056 ***
	(2.74)
DBDLaws (=2)	0.072 ***
	(3.26)
DBDLaws (≥3)	0.132 ***
	(3.27)
Observations	23,043
Adj R-Squared	0.91
Fixed Effects	Firm, Year

Notes: This table reports the trend tests regarding the impact of DBD laws on audit fees. Specifically, we estimate the following regression: Ln(AuditFee)_i,t = α + β₁·DBDLaw_i,t=T−1 + β₂·DBDLaw_i,t=T + β₃·DBDLaw_i,t=T+1 + β₄·DBDLaw_i,t=T+2 + β₅·DBDLaw_i,t=T≥3 + λ·Controls + Fixed Effects + ϵ_t. Coefficients of control variables and constants are not tabulated for brevity. T-statistics are in parentheses. *** indicates significance at the 0.01 level. Variables are defined in Appendix A.

presents the results. None of the first two coefficients (t = T − 1 and t = T) are significantly different from the reference period. At the same time, the three coefficients after the passage of the laws (t = T + 1, t = T + 2, and t ≥ T + 3) are all positive and significant at the 1% level, suggesting the effect of DBD laws on audit fees are realized one year after the adoption of the laws. Taken together, the findings shown in Table 9 provide support for the parallel trends assumption and reinforce the documented impact of DBD laws on audit fees.

7. Conclusions

Disclosure regulation plays an important role in the economic environment of firms, but the externalities of such regulation are often unclear, particularly as they relate to the auditors of these firms. Exploiting a natural experiment resulting from state-level staggered adoption of DBD laws, we investigate the economic effects of mandatory DBD laws on auditors. We find that audit fees increase by 6 percent (i.e., on average, USD 126,000 for a firm) after the adoption of DBD laws. To shed light on the mechanism through which DBD laws affect audit pricing, we perform cross-sectional analyses. The results suggest that the documented effect is more pronounced in firms with higher exposure to cyber risks and for auditors with higher reputation concerns. In addition, the impact on audit fees can be partly mitigated by strong corporate governance practices (i.e., establishing board-level risk, compliance, or technology committees) and auditor capacity in assessing and managing clients’ risk. Examining several proxies for audit quality and audit effort (restatements, going-concern opinions, discretionary accruals, earnings response coefficients, and reporting delay), we find that the increase in audit fees is driven by an augmented risk premium rather than increased audit effort or increased audit quality. Additional tests suggest our findings are not driven by the realized cyber incidents or other contemporaneous events. The staggered shocks in our setting and difference-in-differences design reduces the concern of endogeneity.

Overall, our paper contributes to disclosure and auditing literature, providing evidence that auditors are affected by the mandatory disclosure requirements for negative events—they incorporate the risks from enhanced disclosure requirements into the audit pricing even before the actual occurrence of negative events. That is, they charge a risk premium in expectation of future risks associated with a potential data breach disclosure. Our paper contributes to the understanding of the relationship between auditors’ behavior and the transparency of cybersecurity risk, adding to the information asymmetry literature. More importantly, our evidence draws attention to a potentially unanticipated externality of mandatory disclosure of cyber events, informing regulators about auditors’ responses to enhanced disclosure of such incidents. This is particularly helpful as regulators analyze the potential benefits and drawbacks of disclosure requirements. However, we caution against generalizing our findings to understand other disclosure regulations. We acknowledge that our study only focuses on one specific setting—data breach disclosure laws. Additional externalities associated with disclosure regulation are important avenues for future research.