Cybersecurity comment letters issued by the Securities and Exchange Commission (SEC) may ask companies to disclose additional or clarifying information about their cybersecurity incidents, risks, and corresponding controls, where appropriate. Although responding to the comment letter in the form of disclosing more information about cybersecurity can better signal a company’s security posture to investors and comply with regulations, it may also expose a company to higher levels of cybersecurity risks because of disclosing proprietary cybersecurity information. Using a sample consisting of 52 cybersecurity comment letters issued between 2011 and 2019 and their no-letter-matched companies, our findings suggest that comment letter companies change their disclosures regarding cybersecurity, as required by the SEC. However, as shown in the short-term cumulative abnormal returns around response letter days, the stock market reacts negatively to the responses. Our results provide policy implications by showing that market participants may not react positively to transparency.

美国证券交易委员会 (SEC) 发布的网络安全评论信可能会要求公司在适当的情况下披露有关其网络安全事件、风险和相应控制措施的额外或澄清信息。虽然以披露更多网络安全信息的形式回复评论信可以更好地向投资者表明公司的安全态势并遵守法规，但也可能因为披露专有网络安全信息而使公司面临更高水平的网络安全风险。使用由 2011 年至 2019 年间发出的 52 封网络安全评论信及其不匹配的公司组成的样本，我们的调查结果表明，评论信公司根据 SEC 的要求更改了有关网络安全的披露。然而，从回应函日前后的短期累计异常收益可以看出，股市对回应的反应是负面的。我们的结果表明市场参与者可能不会对透明度做出积极反应，从而提供了政策含义。