SEC cybersecurity guidelines: Insights into the utility of risk factor disclosures for investors

Edward A. Morse; Vasant Raval; John R. Wingender

SEC cybersecurity guidelines: Insights into the utility of risk factor disclosures for investors

Edward A. Morse, Vasant Raval, John R. Wingender

Research output: Contribution to journal › Review article

Abstract

In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.

Original language	English (US)
Pages (from-to)	1-34
Number of pages	34
Journal	Business Lawyer
Volume	73
Issue number	1
Publication status	Published - Dec 1 2017

Fingerprint

All Science Journal Classification (ASJC) codes

Organizational Behavior and Human Resource Management
Law

Cite this

Morse, E. A., Raval, V., & Wingender, J. R. (2017). SEC cybersecurity guidelines: Insights into the utility of risk factor disclosures for investors. Business Lawyer, 73(1), 1-34.

@article{ece01f3828734556ada7d2d3efac26c3,

title = "SEC cybersecurity guidelines: Insights into the utility of risk factor disclosures for investors",

abstract = "In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.",

author = "Morse, {Edward A.} and Vasant Raval and Wingender, {John R.}",

year = "2017",

month = "12",

day = "1",

language = "English (US)",

volume = "73",

pages = "1--34",

journal = "Business Lawyer",

issn = "0007-6899",

publisher = "American Bar Association",

number = "1",

}

TY - JOUR

T1 - SEC cybersecurity guidelines

T2 - Insights into the utility of risk factor disclosures for investors

AU - Morse, Edward A.

AU - Raval, Vasant

AU - Wingender, John R.

PY - 2017/12/1

Y1 - 2017/12/1

N2 - In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.

AB - In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.

UR - http://www.scopus.com/inward/record.url?scp=85050615383&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85050615383&partnerID=8YFLogxK

M3 - Review article

AN - SCOPUS:85050615383

VL - 73

SP - 1

EP - 34

JO - Business Lawyer

JF - Business Lawyer

SN - 0007-6899

IS - 1

ER -

SEC cybersecurity guidelines: Insights into the utility of risk factor disclosures for investors

Abstract

Fingerprint

All Science Journal Classification (ASJC) codes

Cite this

Access to Document