Abstract

Though cybersecurity risks are significant and could materially affect business operations and the integrity of financial reporting, there is limited empirical research on the cybersecurity risk disclosure trends and practices of public companies. We conduct a longitudinal study of the content and linguistic characteristics of public companies' cybersecurity risk disclosure practices as well as factors that may drive disclosure trends. The results show that the two most commonly disclosed cybersecurity risks are risks of service/operation disruption and risks of data breach. Item 1A of the 10-K Report is the most commonly used disclosure location, but some companies also use Items 1 and 7 to disclose regulation risks and cyber incidents, respectively. The length of cybersecurity risk disclosures increases linearly during the period of our study. This increase is associated with the issuance of SEC guidance (2011 and 2018), industry, overall cybersecurity risks in the general environment, company size, and prior cybersecurity breach incidents. Disclosures have also become more difficult to read in general. They are more difficult to read as firm size increases and are easier to read as the proportion of intangible assets increases or after an executive change. Firms have increased their usage of litigious words in their disclosures. Bigger firms, on average, tend to use less litigious language, but companies in industries with high business information technology intensity (e.g., consumer services, software and services, and banking) tend to use more litigious language than other companies.
