• We examine 3,440 Item 1C disclosures in 2024 10-K filings using textual analysis to assess determinants and market reactions.
• Disclosure length, redundancy, and specificity vary with firm characteristics, though these factors explain only moderate variance.
• Investors and analysts show minimal response to the newly mandated Item 1C cybersecurity disclosures.
• Item 1C represents new governance-focused disclosure content rather than relocated Item 1A risk factor language.

This study provides early evidence on U.S. public companies’ responses to the SEC’s 2023 rule requiring detailed annual disclosures on cybersecurity risk management and governance. Using textual analysis of 3,440 Item 1C disclosures in 10-K filings from 2024, we investigate the determinants of these newly required disclosure characteristics and assess market reactions. Results show variation in disclosure quality—proxied by length, redundancy, and specificity—primarily driven by firm size, financial performance, auditor quality, cybersecurity and litigation risk exposures, and peer practices, though these factors collectively explain only moderate variance. Past cyber incidents, firm digitalization, material IT weaknesses, and tech-firm status show no influence, suggesting strategic discretion persists even under a mandate. Additional analyses show that Item 1C represents new disclosure content rather than a relocation of existing risk disclosures. To assess market reactions, we utilize event studies, analyze cybersecurity-related discussions in earnings call transcripts, and examine investor attention through filing download activity. The results indicate a minimal response from both investors and analysts to these newly mandated disclosures. These insights hold important implications for policymakers regarding the balance between regulatory burden and informational value, as jurisdictions globally adopt similar cybersecurity disclosure policies.
Haapamäki et al. studied this question.