SEC's cybersecurity disclosure guidance and disclosed cybersecurity risk factors

He Li, Won Gyun No, Tawei Wang

Research output: Contribution to journalArticlepeer-review

32 Scopus citations


Cybersecurity risk disclosure has received great attention in the past several years, especially after the passage of the Securities and Exchange Commission's (SEC's) cybersecurity disclosure guidance published on October 13, 2011. In this study, we examine the usefulness of cybersecurity-related risk factors disclosed in 10-K filings. We document that the presence of these risk factors in the pre-guidance period and length of these risk factors are related to future reported cybersecurity incidents. The association between the presence of cybersecurity risk disclosure and subsequently reported cybersecurity incidents becomes insignificant after the passage of the SEC's cybersecurity disclosure guidance. Our findings, in general, support the SEC's decision on emphasizing cybersecurity risk disclosure. However, SEC's disclosure guidance may unintentionally encourage firms to disclose cybersecurity risks regardless of the level of risks.

Original languageEnglish (US)
Pages (from-to)40-55
Number of pages16
JournalInternational Journal of Accounting Information Systems
StatePublished - Sep 2018

All Science Journal Classification (ASJC) codes

  • Management Information Systems
  • Accounting
  • Finance
  • Information Systems and Management


  • Cybersecurity
  • Cybersecurity breach incident
  • Cybersecurity risk disclosure
  • Disclosure guidance
  • Risk factors


Dive into the research topics of 'SEC's cybersecurity disclosure guidance and disclosed cybersecurity risk factors'. Together they form a unique fingerprint.

Cite this