Changes in corporate cybersecurity risk disclosures after SEC comment letters
Journal of Accounting and Public Policy (IF 3.629), Pub Date: 2022-06-21, DOI: 10.1016/j.jaccpubpol.2022.106993
Thomas G. Calderon, Lei Gao

Gao et al. (2020) examined the content and linguistic characteristics of public companies' cybersecurity risk disclosure practices as well as factors that may drive disclosure trends. In this paper, we extend Gao et al. (2020) by exploring SEC comment letter practices related to cybersecurity risk disclosures and investigating how SEC comment letters lead to changes in companies’ cybersecurity risk disclosures. Coinciding with newly issued cybersecurity guidelines, SEC comment letters related to cybersecurity disclosure deficiencies spiked in 2011. On average, it takes about 26 days for a registrant to respond to a comment letter and only 10 percent of registrants respond within the recommended 10-day period. Most comment letters (75 percent) are resolved within one round of communication. Multiple rounds of communication are often required when deficiencies surround disclosure of a cyber breach. Though 81 percent of registrants respond to comment letters related to cybersecurity breaches by claiming that there was no need for disclosure as the breaches were not material, the SEC will likely reject that claim and require the registrant to provide the required detail. We find evidence that the SEC uses comment letters to signal that the staff wish to see an explicit statement in the registrant’s cybersecurity risk disclosures on whether or not the firm suffered security breaches during a reporting period. The SEC scrutinizes cybersecurity risk disclosures to verify they are sufficient subsequent to a published security breach. Firms change their disclosure behavior one year after receiving a comment letter. Specifically, the length of cybersecurity risk disclosures increases, specificity increases, and readability and clarity improve one year after a registrant receives a comment letter that points to deficiencies in the firm’s cybersecurity risk disclosures.




Updated: 2022-06-21