Paper Type

Complete

Abstract

Cybersecurity disclosures in reports filed by public companies subject to U.S. Securities and Exchange Commission (SEC) requirements provide investors with insights into firms’ cybersecurity incidents and risk management efforts, which are increasingly pivotal to investor decision-making. To improve the informativeness and consistency of these disclosures, the SEC introduced enhanced cybersecurity disclosure requirements in 2023, mandating detailed cybersecurity disclosure information in annual 10-K filings. In this study, we explore what these new disclosures reveal about firm cybersecurity behavior and communication practices. Specifically, we focus on (1) identifying general themes that reveal firms' cybersecurity risk management processes, governance, and strategy, and (2) examining how past data breaches influence the prevalence of these reporting themes. Combining machine-learning tools and human qualitative analysis, our mixed-methods analysis reveals significant associations between past data breaches and specific themes, suggesting that firms with breach histories prioritize these areas in subsequent disclosures, signaling strengthened cybersecurity efforts to investors.

Paper Number

1957

Author Connect URL

https://authorconnect.aisnet.org/conferences/AMCIS2025/papers/1957

Comments

SIGSEC

Aug 15th, 12:00 AM

CYBERSECURITY SHOW-AND-TELL: AN ANALYSIS OF FIRM DISCLOSURE BEHAVIOR AND THE RELEVANCE OF PRIOR DATA BREACHES
