Abstract
In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.
| Original language | English (US) |
|---|---|
| Pages (from-to) | 1-34 |
| Number of pages | 34 |
| Journal | Business Lawyer |
| Volume | 73 |
| Issue number | 1 |
| State | Published - Dec 1 2017 |
Fingerprint
All Science Journal Classification (ASJC) codes
- Organizational Behavior and Human Resource Management
- Law
Cite this
SEC cybersecurity guidelines : Insights into the utility of risk factor disclosures for investors. / Morse, Edward A.; Raval, Vasant; Wingender, John R.
In: Business Lawyer, Vol. 73, No. 1, 01.12.2017, p. 1-34.Research output: Contribution to journal › Review article
}
TY - JOUR
T1 - SEC cybersecurity guidelines
T2 - Insights into the utility of risk factor disclosures for investors
AU - Morse, Edward A.
AU - Raval, Vasant
AU - Wingender, John R.
PY - 2017/12/1
Y1 - 2017/12/1
N2 - In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.
AB - In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.
UR - http://www.scopus.com/inward/record.url?scp=85050615383&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85050615383&partnerID=8YFLogxK
M3 - Review article
AN - SCOPUS:85050615383
VL - 73
SP - 1
EP - 34
JO - Business Lawyer
JF - Business Lawyer
SN - 0007-6899
IS - 1
ER -