Similar literature
Found 20 similar documents; search took 15 ms
1.
Cybersecurity comment letters issued by the Securities and Exchange Commission (SEC) may ask companies to disclose additional or clarifying information about their cybersecurity incidents, risks, and corresponding controls, where appropriate. Although responding to the comment letter in the form of disclosing more information about cybersecurity can better signal a company’s security posture to investors and comply with regulations, it may also expose a company to higher levels of cybersecurity risks because of disclosing proprietary cybersecurity information. Using a sample consisting of 52 cybersecurity comment letters issued between 2011 and 2019 and their no-letter-matched companies, our findings suggest that comment letter companies change their disclosures regarding cybersecurity, as required by the SEC. However, as shown in the short-term cumulative abnormal returns around response letter days, the stock market reacts negatively to the responses. Our results provide policy implications by showing that market participants may not react positively to transparency.

2.
Though cybersecurity risks are significant and could materially affect business operations and the integrity of financial reporting, there is limited empirical research on the cybersecurity risk disclosure trends and practices of public companies. In this study, we conduct a longitudinal study of the content and linguistic characteristics of public companies' cybersecurity risk disclosure practices as well as factors that may drive disclosure trends. The results show that the two most commonly disclosed cybersecurity risks are risks of service/operation disruption and risks of data breach. Item 1A of the 10-K Report is the most commonly used disclosure location, but some companies also use Items 1 and 7 to disclose regulation risks and cyber incidents, respectively. The length of cybersecurity risk disclosures increases linearly during the period of our study. This increase is associated with the issuance of SEC guidance (2011 and 2018), industry, overall cybersecurity risks in the general environment, company size, and prior cybersecurity breach incidents. Disclosures have also become more difficult to read in general. They are more difficult to read as firm size increases and are easier to read as the proportion of intangible assets increases or after an executive change. Firms have increased their usage of litigious words in their disclosures. Bigger firms, on average, tend to use less litigious language, but companies in industries with high business information technology intensity (e.g., consumer services, software and services, and banking) tend to use more litigious language than other companies.

3.
Although subsidiary disclosures in firms’ filings with the Securities and Exchange Commission (SEC; Exhibit 21) represent the most granular required public disclosure of a firm's geographic footprint, little is understood about the quality of the disclosure, and anecdotal evidence suggests firms may not fully comply with the disclosure requirements. We use data provided by multinational firms to the Internal Revenue Service regarding their foreign subsidiary locations to explore the accuracy of public subsidiary disclosures on Exhibit 21 of Form 10-K per SEC rules. The overall incidence of nondisclosure is low, suggesting that most firms comply with Exhibit 21 disclosure rules, and that for most applications, Exhibit 21 disclosures provide a reasonable proxy for locations of significant subsidiaries. Nevertheless, there is some evidence of nondisclosure, particularly when subsidiaries are in tax havens, when the firm is more highly scrutinized in the media, or when the firm has other characteristics consistent with low-quality disclosures such as SEC comment letters.

4.
In this paper, we examine how permanently reinvested earnings (PRE) and disclosure transparency surrounding PRE influence external monitoring from the Securities and Exchange Commission (SEC). Our research is motivated by increased congressional and SEC scrutiny into companies with substantial PRE via their foreign operations. We hypothesize that firms are more likely to receive a PRE-related comment letter if they have large amounts of PRE, a large estimated hypothetical tax on repatriation, increases in PRE, and have less transparent disclosures related to the hypothetical tax on PRE. We find that the estimated hypothetical tax on repatriation and the transparency of PRE disclosures are determinants of receiving a PRE-related comment letter. Further analysis shows that cash-constrained firms with a large estimated hypothetical tax on repatriation are more likely to receive a PRE-related comment letter. Our research contributes to a growing body of research into the external monitoring role of the SEC in the form of comment letters.

5.
Cybersecurity breaches pose a significant risk to firms. To combat these risks, many firms engage in strategic cybersecurity risk management initiatives. While these efforts may reduce the likelihood of a cybersecurity breach, they do not eliminate the risk of a breach. In the event of a cybersecurity breach, firms may issue an apology to investors. This study uses an experiment to examine whether a firm indicates cybersecurity risk management is a strategic initiative and whether a post-cybersecurity breach apology by the CEO impacts nonprofessional investors’ investment interest in the firm. Results show that, in response to a cybersecurity breach, the presence of a CEO apology positively impacts investors’ investment impression and their perceptions of CEO affective and CEO cognitive trust. We find that investors’ investment interest is lowest for a firm that previously indicates cybersecurity risk management is a strategic initiative and where the CEO does not issue an apology. The CEO apology, however, does not significantly impact investment amount, a secondary measure of investor interest. Results from this study have implications for managers, investors, and regulators.

6.
We study the interplay between the redaction of information from regulatory filings and SEC monitoring of the redacting firms. We find that redactions are associated with more intense SEC monitoring, as evidenced by higher incidence of comment letters and a longer letter resolution process. Hand collected data indicate seller firms that redact information from their sales, licensing, and royalty contracts are more likely to receive revenue recognition-related comment letters, suggesting spurious correlation is not a likely explanation of the inference. We supplement our findings by providing evidence that redacting firms tend to manage proprietary information disclosure, withholding proprietary information that should be made public under extant rules and regulations. Our findings shed light on how various SEC monitoring processes interact and support one another, offering a novel look on the interaction between a firm’s management of proprietary information disclosure and regulatory oversight.

7.
The exponential rate of increase in IT security breach incidents has led governments, regulators, and practitioners to respond by introducing standards and frameworks for the disclosure and management of organizational cybersecurity risk exposure. Cybersecurity, which is a part of IT risk management, is affected by the capability and the ability of senior leadership responsible for IT-related decisions. This paper uses hand-collected data related to the Chief Information Officer (CIO) for S&P 500 firms and explores whether the presence of a CIO role, human capital characteristics of the CIO, and structural capital characteristics of the firm and the CIO are related to a firm’s cybersecurity risk exposure. This study finds that firms disclosing the presence of a CIO are more likely to be breached, even after matching on the likelihood of a breach and controlling for the likelihood that a firm would choose to disclose a CIO. This study also finds predictable variations in the likelihood of a breach among CIOs based on various human capital dimensions (including past technology experience, external board memberships, firm tenure, and CIO tenure) and structural capital dimensions (including a recognized commitment to IT and charging the CIO with multiple responsibilities). Finally, this study finds evidence that the observed associations depend on both the source of the breach (external vs. internal) as well as the type of data compromised by the breach (e.g. financial, personal, etc.). The results of this study contribute to the growing body of academic breach literature, while also informing practitioners as they evaluate the costs and benefits of various methods for combating breaches.

8.
Using the public release of comment letters on EDGAR to capture a regime shift toward regulatory transparency, we examine whether an increase in transparency affects regulators’ effort and work performance. We find that the SEC staff reviews more filings and more documents per filing following the disclosure regime shift. These effects are incrementally stronger for firms with comment letters that are expected to attract greater investor or public monitoring. Furthermore, under the new regime, reviews are more timely. Upon the regime switch, the likelihood of a restatement (receiving a comment letter) decreases (increases) for filings that are reviewed. After receiving a comment letter, a firm with signs of potential fraud is more likely to be investigated, and this effect becomes more pronounced under the new regime. Altogether, our findings suggest that publicly disclosing regulators’ work output can mitigate moral hazard (i.e., increase regulators’ work input), improving their work performance.

9.
SEC comment letters indicate that the SEC has reviewed the firm’s filings and identified a disclosure issue. Using the existence of an SEC comment letter as a proxy for SEC monitoring, we document a negative association between the level of SEC monitoring of foreign firms and the strength of those foreign firms’ home-country institutions, consistent with the idea that the SEC implicitly shares its regulatory duties with international securities regulators. We find that foreign cross-listed firms are subject to lower monitoring intensity than foreign firms listed only on US exchanges, but do not find a statistically significant difference in monitoring between foreign firms listed only on US exchanges and US firms. These findings suggest that it is the presence of another regulator that drives the intensity of SEC monitoring. We also find that US investor holdings are positively associated with the level of SEC oversight, suggesting that the SEC focuses its resources on firms that pose a greater risk to US investors. Collectively, our analyses show that two countervailing forces drive the SEC’s choice to monitor foreign firms. On the one hand, the SEC reduces monitoring intensity when it can rely on the public and private enforcement institutions in the foreign firm’s home country. On the other hand, the SEC provides increased monitoring of certain foreign firms when investors on US exchanges have greater investment exposure in those firms.

10.
Government officials, advocacy groups, and the business press have raised concerns that former SEC employees may continue to influence the SEC after leaving the agency. Using hand-collected data on the characteristics of 1,384 lawyers who represented firms in responding to SEC comment letters between 2005 and 2016, we examine the impact of post-revolving SEC employees on the SEC comment letter process. Among other determinants, we find that older and larger firms with a history of litigation are more likely to hire former SEC lawyers over non-SEC lawyers. Relative to firms that involve only non-SEC lawyers, we find that firms that involve former SEC lawyers in responding to SEC comment letters negotiate to a greater extent with the SEC, and have a lower likelihood and number of amendment filings, after matching on lawyer, law firm, comment letter, and firm characteristics.

11.
This study investigates whether there is any spillover uncertainty regarding a rival firm’s future operations upon a focal firm’s announcement of cybersecurity breaches and whether the existence of a chief information officer (CIO) in rival firms can reduce this spillover uncertainty. Using abnormal trading volume to capture the change in investors’ expectations, we show that compared with the focal firms, rival firms experience an increase in abnormal trading volume following the focal firm’s announcement of a security breach. The findings suggest that the spillover effect generates even more uncertainties toward these nonbreached rival firms regarding the impact of the focal firm’s security breach. However, CIOs in nonbreached rival firms can play a shielding role in mitigating such effects. Our study contributes to the literature on the impact of cybersecurity and has policy implications for encouraging a strategic perspective when managing cybersecurity risks.

12.
This paper explores differences in qualitative disclosures between Chinese firms that cross-list in the US and their US domestic counterparts that reflect firm-level cybersecurity awareness. Consistent with the strong regulatory framework in China externalizing cybersecurity and thus reducing the need to disclose individual company cybersecurity awareness, we find that relative to their US domestic counterparts, Chinese cross-listed firms in the US provide less cybersecurity disclosure. However, market valuation of these cybersecurity disclosures is higher for Chinese cross-listed firms, suggesting that the market more favorably views Chinese firm disclosures that communicate a greater level of internalized cybersecurity awareness. We also explore the effect of institutional setting on market valuation of cybersecurity awareness through an event study surrounding the arrest of Huawei’s CFO. This event highlighted cybersecurity weaknesses at Huawei, potentially more generally challenging the effectiveness of Chinese cybersecurity policies. We find a negative stock market reaction to the event, but only for our Chinese sample. These results provide evidence that the market’s view of company cybersecurity awareness is sensitive to changes in perceptions of companies’ institutional setting.

13.
This paper introduces a measure of firm-specific cybersecurity awareness that can be used in empirical research exploring cyber-related issues facing corporations. It extends and updates Gordon et al. (2010), who develop an indicator capturing the existence of disclosures related to “information security” and show a positive association between market valuation and their measure. Since publication of their paper, cyber-related events have become more frequent and salient, and disclosure of cybersecurity issues has become more extensive. Increased disclosure is largely due to a 2011 requirement by the Securities and Exchange Commission, which provides guidance for disclosure of cyber-related issues in 10-K filings. Based upon this post-guidance disclosure, we develop a new measure that captures the extent and relevance of cyber disclosures and show that the market positively values cybersecurity awareness. We also show that a more negative tone in cyber disclosures is associated with lower market values. Our results are robust to inclusion of measures of IT governance and controlling for the firm’s overall disclosure characteristics.

14.
In today’s interconnected digital world, cybersecurity risks and resulting breaches are a fundamental concern to organizations and public policy setters. Accounting firms, as well as other firms providing risk advisory services, are concerned about their clients’ potential and actual breaches. Organizations cannot, however, eliminate all cybersecurity risks so as to achieve 100% security. Furthermore, at some point additional cybersecurity measures become more costly than the benefits from the incremental security. Thus, those responsible for preventing cybersecurity breaches within their organizations, as well as those providing risk advisory services to those organizations, need to think in terms of the cost-benefit aspects of cybersecurity investments. Besides investing in activities that prevent or mitigate the negative effects of cybersecurity breaches, organizations can invest in cybersecurity insurance as a means of transferring some of the cybersecurity risks associated with potential future breaches. This paper provides a model for selecting the optimal set of cybersecurity insurance policies by a firm, given a finite number of policies being offered by one or more insurance companies. The optimal set of policies for the firm determined by this selection model can (and often does) contain at least three areas of possible losses not covered by the selected policies (called the Non-Coverage areas in this paper). By considering sets of insurance policies with three or more Non-Coverage areas, we show that a firm is often better able to address the frequently cited problems of high deductibles and low ceilings common in today’s cybersecurity insurance marketplace. Our selection model facilitates improved risk-sharing among cybersecurity insurance purchasers and sellers. As such, our model provides a basis for a more efficient cybersecurity insurance marketplace than currently exists.
Our model is developed from the perspective of a firm purchasing the insurance policies (or the risk advisors guiding the firm) and assumes the firm’s objective in purchasing cybersecurity insurance is to minimize the sum of the costs of the premiums associated with the cybersecurity insurance policies selected and the sum of the expected losses not covered by the insurance policies.

15.
Cybersecurity has become a topic of great interest since 2010. Accounting issues surrounding cybersecurity governance, management, and disclosure have gained attention from accounting standard setters, large accounting firms, and professional associations, but only a limited number of studies have looked at cybersecurity disclosure. In this study, we examine whether the content of cybersecurity disclosures of Canadian firms comprising the S&P/TSX 60 index is aligned with best practices—that is, financial regulators' guidelines in that matter. A content analysis was performed of documents issued between January 2017 and mid‐2018, consisting of recent annual information forms (AIFs), annual and quarterly management's discussion and analysis (MD&As), proxy circulars, material change reports, and news releases. To assess the nature and extent of cybersecurity disclosure, we developed a scoring grid featuring 40 items based on financial regulators' guidelines. Results show that cybersecurity disclosure levels are low. Companies vary widely in the amount of detail they provide, and the information is often not company‐specific. The variations among industrial sectors involve the categories related to cybersecurity risk, cybersecurity risk mitigation, and other items. Most of the companies provided cybersecurity disclosures in the annual MD&A, and several reiterated some disclosure items in the AIF and proxy circular. The results of this study highlight some areas where cybersecurity disclosures have evolved and others where they could be improved. They suggest that some firms strive to avoid boilerplate language and be more company‐specific. The findings also suggest that financial regulators could issue more stringent requirements.

16.
We hand‐collect SFAS 157 voluntary fair value disclosures of 18 bank holding companies. The SEC's Division of Corporate Finance likely targeted these entities in 2008 through their “Dear CFO” letters in which they requested specific, additional disclosure items. We collect disclosures that match the SEC recommendations and create eight common factor disclosure variables to examine the effect of such disclosures on information asymmetry. We find that disclosure variables about the use of broker quotes or prices from pricing services and the use of market indices and illiquidity adjustments are related to lower information asymmetry. However, disclosure variables about valuation techniques and asset‐backed securities are related to greater information asymmetry. We also document that disclosure complexity and disclosure tone (uncertainty and litigious) are related to greater information asymmetry. These findings are consistent with criticism that corporate disclosures are voluminous; management may obfuscate unfavorable information which in turn increases market participants’ assessment of uncertainty associated with the fair value measures. We caveat that the setting of the financial crisis and a small sample size may limit the ability to generalize these inferences to other time periods or other financial firms.

17.
This paper investigates the effects of data breach disclosure laws and the subsequent disclosure of data breaches on the cash policies of corporations in the United States. Exploiting a series of natural experiments regarding staggered state-level data breach disclosure laws, we find that the passage of mandatory disclosure laws leads to an increase in cash holdings. Our finding suggests that mandatory data breach disclosure laws increase the risks related to data breaches. Further, we find firms that suffer data breaches adjust their financial policies by holding more cash as well as decreasing external finance and investment.

18.
A number of institutions make reports available regarding the types, impacts, or origins of cybersecurity breaches. The information content of cyber breach reports is examined in light of Principle 15 of the 2017 Committee on Sponsoring Organizations Enterprise Risk Management (COSO ERM) information security control framework to understand the degree to which cyber breach reports reflect the established COSO internal control framework. This study utilizes the COSO ERM internal control framework to examine whether current cyber breach reports contain information that may influence a firm’s ability to assess substantial change within its industry due to external forces (COSO ERM Principle 15). As such, this study focuses on data breaches, a special type of cyber incident, which may result in the loss of confidential information. Cyber decision makers rely on this type of information to calibrate information security programs to ensure coverage of relevant threats and the efficient use of available funds. These reports may be used for the purposes of cybersecurity risk assessment and strategic planning. We compare, contrast, and analyze the reports to identify their utility in such contexts. We also provide an overview of the current cybersecurity reporting environment and suggest revisions to US national cyber policy with the intent of increasing the benefit to reporters and consumers of the data. This study is focused on education as to the current structure of breach reporting based upon our review and synthesis of publicly-available breach reports. In this study, we review nine (9) reports that meet four (4) criteria. We relate these criteria to the framework provided by COSO ERM Principle 15 by analyzing and placing the criteria into a taxonomy developed for this purpose.
We analyze the degree to which the reports are complementary, reflect potential improvements of internal controls, and provide recommendations for ways in which these types of reports might be used by practitioners, while highlighting potential limitations. Our findings indicate that the sample reports contain little information that may be incorporated to improve the risk profile of an entity. We provide recommendations to improve the information content and timeliness of breach reports.

19.
This study examines how investors respond to firms’ disclosure practices that deviate from the majority of industry peers (i.e., industry norms). The SEC has made repeated calls for the disclosure of foreign cash in order for investors to have more information in determining firms’ liquidity positions. We examine the association between firm value and the non-disclosure of foreign cash in industries where the majority of firms choose to disclose foreign cash. We define partial disclosure as disclosing permanently reinvested earnings (PRE), but withholding the disclosure of foreign cash, and find that when the majority of industry peers disclose foreign cash, investors discount the firm-specific partial disclosure of foreign operations. This finding suggests that investors have similar information demands as the SEC, and that withholding foreign cash results in a valuation discount. We also find that this discount is more pronounced for firms predicted to have higher levels of foreign cash and higher levels of PRE. The discount in firm value is also concentrated among firms with managers who have more career concerns, suggesting that managers shift the cost of partial disclosure to shareholders instead of bearing the personal reputational cost of full disclosure. Our results are robust to multiple matched samples and entropy balancing. While previous literature has considered the valuation implications of foreign cash disclosures, we reveal the consequences of opting to withhold the disclosure of foreign cash. Our findings should be of interest to both managers and policy-setters in forming their disclosure protocols.

20.
I develop and test an investor demand-driven explanation for why one firm’s change in voluntary disclosure behavior is emulated by some firms in the industry but not others. I focus on the overlap in institutional investor ownership between two firms as a mechanism by which a first-mover firm’s increase in disclosure prompts investors to seek a similar increase from a follower firm. Using 10-K market risk disclosures as my empirical setting, I find that a firm’s decision to follow a first mover in providing more quantitative information than is required by the SEC is positively associated with an increase in investor overlap from the prior year. I also find that the association is stronger for overlap in large institutional investors, consistent with their greater influence over managers, and for firms where investor uncertainty is high. This association is found after controlling for the herding effect documented in prior studies and after addressing potential endogeneity concerns. Overall, this evidence provides new insight into patterns of intra-industry disclosure behavior and highlights investor overlap as a communication channel and feedback mechanism that helps facilitate the diffusion of disclosure practices.
