How Do Investors Perceive System and Organization Controls (SOC) for Cybersecurity?
Rebecca R. Perols
Abstract
SUMMARY: Regulators, investors, and boards of directors are increasingly demanding information about companies’ cybersecurity risk management. Consequently, companies are increasingly requesting voluntary third-party cybersecurity assurance services. In response to this demand, the American Institute of Certified Public Accountants (AICPA) offers a System and Organization Controls (SOC) for Cybersecurity assurance service. However, SOC for Cybersecurity faces competition from less comprehensive and less costly assurance services in a nonstandardized assurance market, and it is unclear if investors will recognize the value provided by the more comprehensive service. This article summarizes a study examining how investors perceive SOC for Cybersecurity (Perols 2024). The study finds that investors indeed value more comprehensive third-party cybersecurity assurance services when voluntarily disclosed in response to a reported cybersecurity incident but not when the SOC for Cybersecurity is proactively disclosed by management in the absence of a cybersecurity incident. This article highlights implications for audit practitioners, companies, and regulators.