Changes in corporate cybersecurity risk disclosures after SEC comment letters
Institution: 1. Emeritus Professor, The University of Akron, United States; 2. Department of Accounting & Finance, Coggin College of Business, University of North Florida, United States; 1. Business School, Korea University, Seoul 02841, Republic of Korea; 2. Lundquist College of Business, University of Oregon, Eugene, OR 97403, USA; 3. College of Business Administration, Loyola Marymount University, Los Angeles, CA 90045, USA; 1. Hanyang University, Republic of Korea; 2. Seoul National University, Republic of Korea; 1. Weatherhead School of Management, Case Western Reserve University, 10900 Euclid Avenue, Cleveland, OH 44106, United States; 2. Department of Economics and Accounting, Hunter College, City University of New York, New York, NY 10065, United States; 3. Georgia Institute of Technology, United States; 1. School of Management, Xi’an Jiaotong University; 2. Department of Accountancy, City University of Hong Kong; 1. Lingnan University, Hong Kong; 2. The Hong Kong Polytechnic University, Hong Kong
Abstract: Gao et al. (2020) examined the content and linguistic characteristics of public companies' cybersecurity risk disclosure practices as well as factors that may drive disclosure trends. In this paper, we extend Gao et al. (2020) by exploring SEC comment letter practices related to cybersecurity risk disclosures and investigating how SEC comment letters lead to changes in companies’ cybersecurity risk disclosures. Coinciding with newly issued cybersecurity guidelines, SEC comment letters related to cybersecurity disclosure deficiencies spiked in 2011. On average, it takes about 26 days for a registrant to respond to a comment letter and only 10 percent of registrants respond within the recommended 10-day period. Most comment letters (75 percent) are resolved within one round of communication. Multiple rounds of communication are often required when deficiencies surround disclosure of a cyber breach. Though 81 percent of registrants respond to comment letters related to cybersecurity breaches by claiming that there was no need for disclosure as the breaches were not material, the SEC will likely reject that claim and require the registrant to provide the required detail. We find evidence that the SEC uses comment letters to signal that the staff wish to see an explicit statement in the registrant’s cybersecurity risk disclosures on whether or not the firm suffered security breaches during a reporting period. The SEC scrutinizes cybersecurity risk disclosures to verify they are sufficient subsequent to a published security breach. Firms change their disclosure behavior one year after receiving a comment letter. Specifically, the length of cybersecurity risk disclosures increases, specificity increases, and readability and clarity improve one year after a registrant receives a comment letter that points to deficiencies in the firm’s cybersecurity risk disclosures.
This article is indexed in ScienceDirect and other databases.