Cybersecurity risk disclosure has received great attention in the past several years, especially after the passage of the Securities and Exchange Commission's (SEC's) cybersecurity disclosure guidance published on October 13, 2011. In this study, we examine the usefulness of cybersecurity-related risk factors disclosed in 10-K filings. We document that the presence of these risk factors in the pre-guidance period and length of these risk factors are related to future reported cybersecurity incidents. The association between the presence of cybersecurity risk disclosure and subsequently reported cybersecurity incidents becomes insignificant after the passage of the SEC's cybersecurity disclosure guidance. Our findings, in general, support the SEC's decision on emphasizing cybersecurity risk disclosure. However, SEC's disclosure guidance may unintentionally encourage firms to disclose cybersecurity risks regardless of the level of risks.

在过去的几年中，网络安全风险披露受到了广泛的关注，尤其是在美国证券交易委员会（SEC）于2011年10月13日发布了网络安全披露指南之后。在本研究中，我们研究了与网络安全相关的风险因素的有用性已在10-K文件中披露。我们记录了这些风险因素在预指导期内的存在以及这些风险因素的持续时间与未来报告的网络安全事件有关。通过SEC的网络安全披露指南后，网络安全风险披露的存在与随后报告的网络安全事件之间的关联变得微不足道。我们的发现总体上支持SEC关于强调网络安全风险披露的决定。但是，SEC'