Potentially Unintended Consequences of the SEC Restricting Managerial Discretion: Evidence from Peer Data Breaches and Cyber Risk Factors
46 Pages. Posted: 19 Mar 2021. Last revised: 28 Jun 2021
Date Written: June 28, 2021
Abstract
I document potentially unintended consequences of the SEC restricting managerial discretion, specifically focusing on the SEC’s 2011 guidance regarding cyber risk factors. Using peer data breaches as a salient proxy for non-breached firms that have material exposure to cyber risk, and controlling for firm and year fixed effects, I first find that peer breaches are associated with more unique cyber risk factor disclosures when non-breached firms’ managers possess greater discretion (in the pre-SEC-2011 period) and with less unique cyber risk factor disclosures after their discretion is limited (in the post-SEC-2011 period). I next find that a possible reason for the decrease in the post period is that firms are more likely to mirror the cybersecurity language used in the SEC’s 2011 guidance. Finally, I find that more unique cyber risk factors are more effective in reducing information asymmetry for investors. Altogether, my evidence is consistent with the SEC inducing an organizational shift from normative isomorphism to coercive isomorphism and suggests that the SEC may be harming disclosure informativeness by limiting managerial discretion.
Keywords: cybersecurity; cyber risk; data breaches; regulation; disclosure; risk factors
JEL Classification: M40; M41