Mandatory Cybersecurity Disclosure: Early Evidence
Posted: 27 May 2025
Date Written: May 05, 2025
Abstract
In 2023, the U.S. Securities and Exchange Commission introduced a new cybersecurity regulation, requiring public firms to disclose material cybersecurity incidents promptly and provide standardized, periodic reports on risk-assessment procedures, board oversight, and management’s role in cybersecurity governance. This shift from voluntary, idiosyncratic disclosure to mandatory, uniform reporting offers a natural experiment for examining how firms respond to compulsory transparency. I provide initial evidence on firm disclosures under the new rule. Leveraging large-language-model techniques to analyze firms’ filings (10-K and 8-K) and earnings call transcripts, I develop novel measures of cybersecurity-disclosure quality and underlying cyber risk. In compliance with the regulation, firms provide significantly more information related to their cybersecurity risk frameworks, incident preparedness, third-party risk management, employee training, governance structures, external engagement, and risk assessment processes. The disclosure tone also becomes more technical, positive, and proactive. Higher disclosure scores are associated with a positive market reaction and reduced information asymmetry, evidenced by narrower bid–ask spreads, lower analyst forecast errors, and diminished abnormal trading volume. Firms with no prior breach history, or those that strategically withheld cybersecurity information before the regulation, disclose relatively more afterward. Overall, my findings indicate that mandated, standardized cybersecurity reporting improves disclosure quality, enhances transparency, and curbs selective disclosure.
Suggested Citation
Parupati, Sunil, Mandatory Cybersecurity Disclosure: Early Evidence (May 05, 2025). Available at SSRN: https://ssrn.com/abstract=5268533