SEC Cybersecurity Guidelines: Insights into the Utility of Risk Factor Disclosures for Investors
29 Pages Posted: 7 Jan 2016
Date Written: December 29, 2015
In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This paper examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.
Keywords: cybersecurity, data security, securities regulation
JEL Classification: D81, G14, G18, G38, K22