As the reported number of data breaches increases and senators push for more disclosure regulation, the SEC staff issued guidance in 2011 on disclosure obligations relating to cybersecurity risks and incidents. More recently, on February 26, 2018, the SEC Commission issued interpretive guidance to assist public companies in preparing disclosures regarding cybersecurity risks and incidents. As reported cybersecurity breaches occur, investors are concerned about the risks associated with these incidents and the impact they may have on financial performance. Although the SEC staff guidance warns public companies to make timely disclosure, recognizing the threat that cybercrime poses to investors in the public markets, it does not go far enough to institute direct measures that would compel companies to reveal the nature and scope of a cybersecurity breach.
In light of the lack of specific guidance on cybersecurity disclosure, the aim of this study is to develop a better understanding of the cybersecurity disclosure landscape. The study is phenomenological in nature, designed to assess the impact of the 2011 SEC staff guidance on the disclosure of cybersecurity risk factors and to provide recommendations for future research following the SEC Commission's 2018 interpretive guidance. This study analyzes the impact of the SEC guidance by investigating risk factor disclosures both before and after the SEC's 2011 issuance date. We pay particular attention to organizations that have suffered a data breach, as determined by the Privacy Rights Clearinghouse (PRC). The study uses companies listed on the S&P 500.
Results show that there has been a 23 percent increase in the number of firms referencing cybersecurity in the Risk Factor section of the 10-K, and that factors such as the size of the firm, prior reported breaches and breach type were predictors of disclosure. The study also found that there is a tendency not to disclose reported breaches in the narrative of the 10-K and that the cybersecurity risk factor disclosures do not include details on actual breaches. The underreporting of cyber incidents may in part be the result of alternative interpretations of what constitutes a "material" breach. This study should be of interest to the SEC in particular, as it continues to evaluate cybersecurity guidance in terms of its implementation by corporate filers and as it moves toward a cybersecurity disclosure regulation. In addition, as the SEC continues to scrutinize cybersecurity incident disclosures and issue comment letters to public companies with inadequate disclosures, the study should be of interest to corporate filers, as well as to investors, analysts and other professionals who are concerned with the informativeness of corporate cybersecurity disclosures, particularly as they affect profits.