Balancing Act: Unveiling Cybersecurity Risks and Investor Disclosure after Data Breaches

The US Securities and Exchange Commission (SEC) requires all firms to include a risk factor section in their periodic filings, but doubts remain about the informativeness of these disclosures. Cybersecurity risk disclosures are particularly important due to the increasing number of data breaches, and firms have a responsibility to inform investors about changes in their assessments of risks following a breach. The study investigates whether risk factor disclosures are used to inform investors about changes in managers’ assessments of cybersecurity risks, and the analysis is done from both an economic and ethical perspective. The economic lens assumes that a cyberattack would result in a change in post-attack policies, including risk disclosure, only if the cyberattack caused managers to alter their assessment of the loss distribution for cyberattacks. An increase in cybersecurity risk disclosures resulting from a material change in risk assessments would also be consistent with the SEC risk factor disclosure mandate.

Several factors influence whether companies will disclose cybersecurity risks after a cyberattack. On the one hand, managers may want to suppress negative information to protect the company’s reputation, stock prices, and executive compensation. On the other hand, they may want to disclose information to reduce litigation risk, respond to public scrutiny, and deter future cyberattacks. Increasing cybersecurity risk disclosure can be viewed as an ethical decision and may be critical because it affects stakeholders and society.

The current evidence on whether companies increase cybersecurity risk disclosure after a breach is mixed. The article, however, presents evidence that firms tend to increase the amount of cybersecurity risk factor disclosures after experiencing a data breach, especially severe breaches, indicating that managers intend to inform investors about their assessment of risks through disclosures.

If you are interested in the details, you can find the article here.