Date of Completion
This paper documents the reporting to the SEC of 197 major incidents of cybersecurity breaches among public firms in the years 2011-2019. My goal is to contribute to the debate on the need to revise the disclosure guidance by evaluating the extent to which cybersecurity breaches are disclosed in SEC filings under the current regulatory regime. In evaluating the individual breaches, I document whether prior to the SEC’s 2022 proposed amendment, firms were already following the SEC recommendation of disclosing material cybersecurity breaches in a timely manner. I find that it is extremely rare for a firm to follow the recommendations set by the SEC. The majority of companies that experience a cybersecurity breach did not make formal disclosure in SEC filings even when a substantial number of customer files were affected in the breach. This study also shows that among the firms that did disclose the breach to the SEC, most did not follow the SEC’s proposed four-day timeline and only provided very minimal information in the actual disclosure. My findings suggest a significant inconsistency and sub optimality in existing disclosure practices. Given the growing number of annual cybersecurity incidents and the continued expected growth in reliance on technology, the results lend support to the SEC’s current proposals to formalize timely and substantive disclosures of these issues.
Morosky, Michaela, "SEC Reporting of Cybersecurity Incidents" (2022). Honors Scholar Theses. 870.