SEC's cybersecurity disclosure guidance and disclosed cybersecurity risk factors

Abstract

Cybersecurity risk disclosure has received great attention in the past several years, especially after the passage of the Securities and Exchange Commission's (SEC's) cybersecurity disclosure guidance published on October 13, 2011. In this study, we examine the usefulness of cybersecurity-related risk factors disclosed in 10-K filings. We document that the presence of these risk factors in the pre-guidance period and length of these risk factors are related to future reported cybersecurity incidents. The association between the presence of cybersecurity risk disclosure and subsequently reported cybersecurity incidents becomes insignificant after the passage of the SEC's cybersecurity disclosure guidance. Our findings, in general, support the SEC's decision on emphasizing cybersecurity risk disclosure. However, SEC's disclosure guidance may unintentionally encourage firms to disclose cybersecurity risks regardless of the level of risks.