DescriptionThis dissertation consists of three essays that examine cybersecurity-related matters. In the first essay, I investigate whether external auditors respond to cyber incidents by charging higher audit fees and whether they price cybersecurity risk before the actual event happens when there is no explicit requirement from the regulators. Findings in the essay suggest that cyber incidents lead to increase in audit fees, and the increase is smaller for firms with prior cybersecurity risk disclosures. In addition, firms with repeated cyber incidents or cyber incidents that involve intellectual property experience larger increases in audit fees. However, auditor’s concern over cyber incidents is mitigated by monitoring from large and sophisticated external stakeholders. The second essay examines the informativeness of cybersecurity risk disclosure and provides three main results. First, both the presence and length of cybersecurity risk disclosure are informative of future reported cyber incidents. Second, market participants are using information conveyed by the presence of cybersecurity risk disclosure, but not the information content which is measured by the adjusted length of the disclosure. Third, the presence of cybersecurity risk disclosure is no longer significantly associated with subsequently reported cyber incidents after the passage of cybersecurity disclosure guidance. However, the essay fails to find a significant association between firm-specific disclosure and cyber incidents. In the third essay, issues regarding assurance on cybersecurity are discussed. In particular, I argue that data analytics should be an integral part of cybersecurity assurance, and introduce a process of using data analytics in testing cybersecurity controls. Illustrative examples of the process using synthetic data are provided to demonstrate that data analytics is a well-suited approach for providing assurance on cybersecurity. A set of critical challenges for applying data analytics in the assurance engagement are also discussed.