Public companies' cybersecurity risk disclosures
International Journal of Accounting Information Systems (IF 5.111), Pub Date: 2020-07-30, DOI: 10.1016/j.accinf.2020.100468
Lei Gao, Thomas G. Calderon, Fengchun Tang

Though cybersecurity risks are significant and could materially affect business operations and the integrity of financial reporting, there is limited empirical research on the cybersecurity risk disclosure trends and practices of public companies. In this study, we conduct a longitudinal study of the content and linguistic characteristics of public companies' cybersecurity risk disclosure practices as well as factors that may drive disclosure trends. The results show that the two most commonly disclosed cybersecurity risks are risks of service/operation disruption and risks of data breach. Item 1A of the 10-K Report is the most commonly used disclosure location, but some companies also use Items 1 and 7 to disclose regulation risks and cyber incidents, respectively. The length of cybersecurity risk disclosures increases linearly during the period of our study. This increase is associated with the issuance of SEC guidance (2011 and 2018), industry, overall cybersecurity risks in the general environment, company size, and prior cybersecurity breach incidents. Disclosures have also become more difficult to read in general. They are more difficult to read as firm size increases and are easier to read as the proportion of intangible assets increases or after an executive change. Firms have increased their usage of litigious words in their disclosures. Bigger firms, on average, tend to use less litigious language, but companies in industries with high business information technology intensity (e.g., consumer services, software and services, and banking) tend to use more litigious language than other companies.




Update date: 2020-07-30