• View

  • Download

Embed Size (px)


  • 1




    Cybersecurity risk disclosure has received great attention in the past several years,

    especially after the passage of SEC’s cybersecurity disclosure guidance. In this study, we

    examine the informativeness of cybersecurity risk disclosure and provide three main results.

    First, both the presence and length of cybersecurity risk disclosure are informative of future

    reported cyber incidents. Second, market participants are only using information conveyed

    by the presence of cybersecurity risk disclosure. Third, the presence of cybersecurity risk

    disclosure is no longer significantly associated with subsequently reported cyber incidents

    after the passage of cybersecurity disclosure guidance. Together, our evidence supports

    regulator’s decision to emphasize cybersecurity risk disclosure, but cautions that the SEC’s

    disclosure guidance could unintentionally force more firms to make cybersecurity risk

    disclosures even if they do not face higher cyber risks.

    Keywords: cybersecurity, cybersecurity risk disclosure, disclosure guidance, cyber


  • 2


    Cybersecurity has attracted much attention in the past ten years. Both the general

    public and the business world are concerned about the growing cybercrimes that expose

    sensitive personal information, cause business disruptions, or steal trade secrets, especially

    after a series of high-profile data breaches such as the ones at Target, Home Depot, and

    Yahoo. According to a recent Annual Cybersecurity Report, more than 20% of the

    breached firms experienced substantial loss of revenue, customer base, and business

    opportunities, and most of the breached firms spent millions of dollars improving defense

    technologies and expanding security procedures following the attacks (CISCO 2017). Due

    to the potential impact on firm value and operation, cybersecurity is becoming one of the

    top priorities for firm executives. About 88% of U.S. Chief Executive Officers (CEOs) are

    concerned that cyber threats could hinder the growth of their firms (Loop 2016). Likewise,

    investors are clamoring for more information about cybersecurity risks and data breaches,

    and how firms are addressing those risks (Shumsky 2016).

    To respond to the increasing cyber threats, the Securities and Exchange

    Commission (SEC) held a roundtable discussion to deliberate cybersecurity landscape and

    cybersecurity disclosure issues (SEC, 2014). The Standing Advisory Group of the Public

    Company Accounting Oversight Board (PCAOB) also discussed the potential implications

    of cybersecurity on financial reporting and auditing (PCAOB, 2014). Particularly, the

    SEC’s Division of Corporation Finance issued a disclosure guidance regarding

    cybersecurity in 2011 to assist firms in assessing what, if any, disclosures should be

    provided related to cybersecurity risks and cyber incidents (SEC, 2011). Although the

    guidance is not technically a ruling, the SEC has issued comment letters to several firms

    pointing out the inadequacies of their cybersecurity risk disclosures by referring to the

  • 3

    guidance. Therefore, some have argued that the guidance is becoming a de facto ruling

    (Grant and Grant 2014).

    In this paper, we investigate the informativeness of cybersecurity risk disclosures

    in the risk factor section of annual report (thereafter cybersecurity risk disclosure).

    Informativeness of cybersecurity risk disclosures is defined in this study as “the ability to

    help stakeholders assess the probability of future adverse events (i.e. cyber incidents).”

    Understanding the information conveyed by cybersecurity risk disclosures is important as

    it can help investors to assess firm’s cybersecurity risk, and shed light on any potential

    subsequent legislative rules regarding cybersecurity disclosures. Two aspects of

    cybersecurity risk disclosure are considered: presence and length. Specifically, we examine

    whether the presence of cybersecurity risk disclosure in a firm’s annual report signals

    higher cybersecurity risk as measured by subsequent cyber incidents, and whether the

    relative length of the disclosure is associated with increased likelihood of subsequent cyber

    incidents. The findings suggest that both the presence and the length of cybersecurity risk

    disclosure are associated with subsequent cyber incidents, indicating that cybersecurity risk

    disclosure is informative. There is a substantial increase in the percentage of firms that

    disclose cybersecurity risks following the SEC’s disclosure guidance, and that the presence

    of cybersecurity risk disclosure is no longer associated with subsequent cyber incidents in

    the post-guidance period, suggesting that the SEC’s guidance led to more cybersecurity

    risk disclosures by firms regardless of their degree of cybersecurity risk. To examine the

    SEC’s concern that more firm-specific disclosure may compromise firms’ cybersecurity

    efforts by providing a roadmap to malicious parties, two measures based on the bag-of-

    words approach are created to capture firm-specific disclosure. We fail to find a significant

  • 4

    association between cyber incidents and any of the two measures, demonstrating that

    cybersecurity risk disclosures in firm’s annual report are far from the level of detail that

    could eventually hurt the firm.

    An important question not addressed in the above findings is whether the market

    participants are utilizing information in cybersecurity risk disclosures. Contrary to Hilary,

    Segal, and Zhang (2017), we find evidence that abnormal return calculated over the three

    days around the disclosure of a cyber incident is positively associated with firm’s prior

    presence of cybersecurity risk disclosure. However, the relative length of the disclosure is

    not incorporated by the market participants as the amount of disclosures describing

    cybersecurity risk is not associated with the market reaction. The consequences of

    cybersecurity risks and cyber incidents that firms are most concerned about are further

    examined. The topic analyses show that business disruption and financial performance are

    the two major concerns and remain relatively steady over time. Concerns over intellectual

    property and reputation, on the other hand, are relatively low but are increasing rapidly in

    recent years.

    The findings of this study make several contributions to the existing literature. First,

    the study contributes to the cybersecurity disclosure literature. Early studies on

    cybersecurity focus on the market reaction following cyber incidents and have examined a

    set of contingency factors such as type of breaches (Gordon, Loeb, and Zhou 2011, Yayla

    and Hu 2011), firm characteristics (Ettredge and Richardson 2003), and distribution

    channels (Benaroch, Chernobai, and Goldstein 2012) that could deepen or mitigate the

    market reaction. We extend this literature by showing that the investors are less surprised

    when there is prior disclosure of cybersecurity risks. Specific to cyber-related disclosure,

  • 5

    Gordon, Loeb, and Sohail (2010) find that on average, voluntary disclosure relating to

    information security increases stock prices by more than 6 percent, and the voluntary

    disclosure concerning proactive security measures have the greatest impact on the firm’s

    stock price, followed by the disclosure of vulnerabilities. This study complements Gordon,

    Loeb, and Sohail (2010) by exclusively focusing on cybersecurity risks (vulnerabilities)

    and providing evidence that cybersecurity risk disclosure is informative of future cyber

    incidents, and that the market reaction following cyber incidents is contingent on the

    presence of cybersecurity risk disclosure. Wang, Kannan, and Ulmer (2013) examined the

    ex-post odds of cyber incidents and market reaction following voluntary disclosures,

    revealing that firms that disclose information security risk factors in their annual reports

    with actionable information are less likely to be associated with future cyber incidents.

    Firms that did not provide any actionable plans will be punished more severely when an

    actual incident happens than firms that disclosed actionable information. The paper

    complements Wang, Kannan, and Ulmer (2013) in at least three key ways. Our sample

    includes 326 cyber incidents, which is much larger than 62 cyber incidents in their study.

    More importantly, the sample covers both the pre-guidance period and the post-guidance

    period, which enables us to examine the changes in disclosure informativeness. Different

    from Wang, Kannan, and Ulmer (2013), the identification of individual cybersecurity risk

    factors is automated by benefiting from text mining techniques, especially taking

    advantage of the contextual clues in HyperText Markup Language (HTML) tags. Our

    approach enables analyses on a much larger scale to demonstrate that firms facing greater

    cybersecurity risks