۱- Introduction

۲- Background and hypotheses development

۳- Empirical design and sample selection

۴- Results

۵- Concluding remarks

References

Abstract

Cybersecurity risk disclosure has received great attention in the past several years, especially after the passage of the Securities and Exchange Commission’s (SEC’s) cybersecurity disclosure guidance published on October 13, 2011. In this study, we examine the usefulness of cybersecurity-related risk factors disclosed in 10-K filings. We document that the presence of these risk factors in the pre-guidance period and length of these risk factors are related to future reported cybersecurity incidents. The association between the presence of cybersecurity risk disclosure and subsequently reported cybersecurity incidents becomes insignificant after the passage of the SEC’s cybersecurity disclosure guidance. Our findings, in general, support the SEC’s decision on emphasizing cybersecurity risk disclosure. However, SEC’s disclosure guidance may unintentionally encourage firms to disclose cybersecurity risks regardless of the level of risks.

Introduction

Cybersecurity has attracted a lot of attention in the past ten years.1 Both the general public and the business world are concerned about the growing cybercrimes that expose sensitive personal information, cause business disruptions, or steal trade secrets, especially after a series of high-profile data breaches such as the ones at Equifax, Sony, and Target.2 According to a recent Annual Cybersecurity Report, > 20% of the breached firms experienced substantial loss of revenues, customer base, and business opportunities, and most of the breached firms spent millions of dollars improving security solutions and expanding security procedures following the attacks (CISCO, 2017). Due to the potential impact on firm value and operations, cybersecurity is becoming one of the top priorities for the board and executives. For instance, about 88% of U.S. Chief Executive Officers (CEOs) are concerned that cyber threats could hinder the growth of their firms (Loop, 2016). Likewise, investors are clamoring for more information about cybersecurity risks and data breaches, and how firms are addressing those risks (Shumsky, 2016). To respond to the increasing cyber threats, the Securities and Exchange Commission (SEC) held a roundtable discussion to deliberate on cybersecurity landscape and cybersecurity disclosure issues (SEC, 2014). The Standing Advisory Group of the Public Company Accounting Oversight Board (PCAOB) also discussed the potential implications of cybersecurity on financial reporting and auditing (PCAOB, 2014).