School of Business

Responses to SEC comment letters on cybersecurity disclosures: An exploratory study

Document Type

Article

Abstract

Cybersecurity comment letters issued by the Securities and Exchange Commission (SEC) may ask companies to disclose additional or clarifying information about their cybersecurity incidents, risks, and corresponding controls, where appropriate. Although responding to the comment letter in the form of disclosing more information about cybersecurity can better signal a company's security posture to investors and comply with regulations, it may also expose a company to higher levels of cybersecurity risks because of disclosing proprietary cybersecurity information. Using a sample consisting of 52 cybersecurity comment letters issued between 2011 and 2019 and their no-letter-matched companies, our findings suggest that comment letter companies change their disclosures regarding cybersecurity, as required by the SEC. However, as shown in the short-term cumulative abnormal returns around response letter days, the stock market reacts negatively to the responses. Our results provide policy implications by showing that market participants may not react positively to transparency.

Publication Title

International Journal of Accounting Information Systems

Publication Date

9-2022

Volume

46

ISSN

1467-0895

DOI

10.1016/j.accinf.2022.100567

Keywords

comment letter, cybersecurity, risk factor disclosure

Share

COinS