
The unusual dilemma of corporate cybersecurity disclosure

October 23, 2025 | By Hussam Al Maleh



News about cyberattacks that affect our everyday lives is a daily occurrence. Incidents of ransomware and data breaches result in our personal data being stolen by criminals. In many cases, businesses are locked out of their data and systems, leaving us without access to services we rely on. The fallout is costly, visible and increasingly hard to ignore.

That is why cybersecurity disclosure has become a hot topic of discussion among the general public, regulators, investors and the business community. To gain insight into this topic, a team of researchers from the Department of Accountancy recently pulled together what we know so far about how companies report on cyber risks and incidents, and what happens once they do.

The team, made up of Farzaneh Amani, PhD graduate; Michel Magnan, Distinguished University Research Professor; and Rucsandra Moldovan, associate professor, outlined current research on the topic of cybersecurity, specifically seeking insights as to when, how and where companies disclose cyber risks or attacks.

But the more pressing issue, they argue, is not just how companies disclose such information; it is whether anyone actually pays attention to these disclosures, often buried in lengthy regulatory filings.

While companies spend significant time drafting pages of risk factors, many investors and financial analysts simply skim or ignore them. Too often, these disclosures are vague statements that don't provide any specific details about what makes a particular company vulnerable or how it plans to respond. Investors tend to pay attention when disclosures are specific, credible and new, that is, when firms provide details of a specific breach, a unique vulnerability, or concrete remediation steps.

Even then, not all investors read cyber disclosures the same way. Experimental evidence the researchers synthesize shows that tech-savvy investors pick up on subtle cues about cyber preparedness or negligence from companies’ disclosures. Less experienced investors rely on the tone of these disclosures—optimistic or defensive—rather than their substance. For companies, this means their cyber disclosure gets interpreted differently by different types of investors.

Overall, however, investors tend to trust companies that appear more transparent in their cybersecurity disclosures, even if they do not engage deeply with the content itself. This suggests a primarily social effect of such reporting, rather than the regulatory impact typically anticipated.

The catch is that investors and regulators are not the only ones reading cyber disclosures; cybercriminals may be watching, too. A disclosure that reassures capital markets could just as easily tip off hackers about weak spots.

Companies find themselves balancing two demands, effective cyber disclosures for investors and analysts and compliance with regulatory requirements, against the ever-present threat that cybercriminals will learn from these disclosures how companies handle cybersecurity.

The researchers highlight that this creates an unusual dilemma for firms since other forms of corporate disclosure, such as financial or sustainability reports, rarely arm competitors, let alone criminals. But cyber disclosures can do exactly that.

This comprehensive study serves as a lynchpin for future research to delve deeper into how, why and when companies report on cybersecurity, as well as the outcomes of disclosures and attacks.

It also encourages future research that helps us better understand the balancing act that companies face: meeting regulatory demands and being transparent while keeping valuable intelligence out of the wrong hands.

Read: "Cybersecurity Risks and Incidents Disclosure: A Literature Review"

Hussam Al Maleh

Hussam Al Maleh is a PhD candidate in accountancy. He is a Knowledge Creation Assistant with John Molson Perspectives, working with researchers to bring their insights to a broader audience.





© Concordia University