Firms and regulators alike have recognized the importance of addressing cyber risks and cyber incidents. In this paper, we investigate whether external auditors respond to cyber incidents by charging higher audit fees and whether they price material cyber risk before the actual event happens when there is no explicit requirement from the regulators. Based on the analysis of 140 cybersecurity breached firms and 29,627 non-breached firms, we find a significant positive relationship between increases in audit fees and cyber incidents. Increases in audit fees are smaller for those with prior cyber risk disclosure, implying that auditors price material cyber risk prior to the cyber-attacks. In addition, we demonstrate that firms with repeated cyber incidents or cyber incidents that involve intellectual property experience the larger increases in audit fees. However, auditor’s concern over cyber incidents is mitigated by monitoring from large and sophisticated external stakeholders. Collectively, evidence in this paper suggests that auditors both price material cyber risk ex-ante and respond to cyber incident ex-post, alleviating regulator’s concern that auditors are not taking cybersecurity seriously.