Cyber Risk, Regulation, and Firm Resilience

Cyber risk has become one of the defining challenges of the modern digital economy. Firms operate on interconnected networks, rely on vast amounts of sensitive data, and face an evolving landscape of attacks from criminal organisations, state-sponsored actors, and opportunistic intruders. Despite its growing importance for investors, policymakers, and organisations, systematic empirical evidence on corporate cyber vulnerability has long
remained limited. This dissertation addresses this gap by combining regulatory analysis, novel data collection, and modern empirical methods.
The first chapter provides a structured comparison of cyber and data-privacy regulation in the European Union and the United States, highlighting how legal design shapes firms’ incentives and reporting obligations.
The second chapter constructs a unique firm-level dataset linking financial, governance, technological, and cyber-hygiene variables to observed cyber incidents, and develops an empirical framework to identify the determinants of corporate exposure. The third chapter applies machine-learning methods, including XGBoost and SHAP, to predict cyberattacks out of sample and to uncover the financial and organisational characteristics that heighten or mitigate risk. Together, these chapters deepen our understanding of why some firms are more vulnerable than others, how regulation influences cyber behaviour, and how predictive modelling can support risk assessment, corporate strategy, and policy design.