In recent years, cybersecurity has become an increasingly vital dimension of corporate governance, risk management, and public accountability. In the United States, a landmark regulatory shift took place in 2023 when the Securities and Exchange Commission (SEC) mandated comprehensive cybersecurity disclosures for all publicly traded companies. This requirement compelled firms to provide detailed information about their cybersecurity governance structures, risk oversight mechanisms, and incident management strategies within their annual Form 10-K reports. A groundbreaking study conducted by Associate Professors Elina Haapamäki of the University of Vaasa and Jukka Sihvonen of Aalto University offers the first empirical insights into the impact of these new disclosure rules on market behavior and corporate practices.
Drawing on an expansive dataset that includes 3,440 U.S. public companies’ 2024 Form 10-K filings, this research reveals a fascinating paradox: despite the unprecedented increase in cybersecurity transparency, stock prices and investor attention remained remarkably indifferent. Rather than triggering a flurry of market reactions or shifting analyst focus toward cybersecurity risks, the SEC’s regulatory innovation appears to have primarily affected internal corporate processes. Firms, in response to the mandate, have enhanced their documentation and clarified cybersecurity responsibilities at the highest levels of management, yet these improvements have not translated into significant valuation adjustments or investor scrutiny.
A key technical finding from Haapamäki and Sihvonen’s study is that the disclosures were far from superficial relocations of existing cybersecurity language. Instead, companies generated fundamentally new content, systematically detailing governance roles, risk assessment procedures, and control activities. The research meticulously analyzed the quality and extent of this newly introduced disclosure item—known as Item 1C—highlighting substantial variability across firms. Interestingly, this heterogeneity in reporting quality was only partly explained by traditional firm characteristics such as size, profitability, or auditor reputation. Moreover, prior cybersecurity incidents or levels of digitalization did not reliably predict the depth or quality of disclosures, indicating that firms exercise significant discretion in determining the extent of publicly shared cybersecurity information.
While institutional investors and stock analysts are traditionally quick to respond to disclosures perceived as material, the market’s tepid reaction to detailed cybersecurity reports suggests a disconnect between regulatory intentions and investor perceptions. This result contrasts starkly with the widely held understanding that severe cybersecurity breaches can disrupt operations, expose sensitive data, and inflict substantial financial harm. The absence of systematic stock price adjustments or an uptick in analyst commentary on cybersecurity implies that governance-level cybersecurity rhetoric may currently be seen as informational but not value-revealing from an investment standpoint.
This market response—or lack thereof—raises profound questions about how executives and board members communicate cyber risk and the degree to which investors trust or comprehend these disclosures. The findings indicate that current cybersecurity disclosure practices may not yet provide the kind of actionable intelligence that would reliably inform equity investors’ corporate valuations or risk assessments. Instead, the real beneficiaries of these enhanced disclosures seem to be the firms themselves, which gain from forced internal awareness and documentation improvements.
Interviews conducted in connection with the study reinforce this perspective. Cybersecurity professionals and corporate responsibility experts emphasized that the mandate’s primary contribution lies in driving internal organizational change rather than serving as a tool for investor education or market signaling. By demanding clear identification of governance structures and decision-making protocols, the SEC effectively ensures that organizations treat cybersecurity as a strategic risk issue controlled at the highest management levels, promoting accountability and preparedness.
Comparing U.S. practices to the regulatory environment in Europe reveals significant differences in approach and focus. Whereas the U.S. rules emphasize public disclosure aimed at investors, the European Union’s NIS2 Directive prioritizes internal documentation and risk management responsibilities within corporate leadership, including clear accountability frameworks for cybersecurity risk oversight. This difference highlights distinct regulatory philosophies: investor-focused transparency versus management-focused operational control. Peter Sund, CEO of Cybersecurity Finland, underscores that European regulations stress executive and board responsibility for cybersecurity risk, reflecting a broader governance culture.
The study’s implications resonate beyond U.S. borders, as many other jurisdictions are now developing cybersecurity regulatory frameworks under similar pressures. Understanding that mandatory disclosure regulations may primarily catalyze internal governance improvements rather than immediate market reactions can help policymakers calibrate future mandates and expectations. From a technical standpoint, the findings demonstrate that disclosures structured around governance and risk oversight language provide valuable internal clarity but do not necessarily translate into direct financial signals.
The publication of this research in the International Journal of Accounting Information Systems lends significant academic credibility to the observations and invites deeper investigation into the efficacy of cybersecurity disclosure regimes. The DOI reference associated with this peer-reviewed article facilitates scholarly dialogue about how evolving regulatory landscapes interact with corporate transparency and investor behavior. As cybersecurity threats continue to evolve in complexity and frequency, understanding how disclosure influences markets and management remains an urgent subject within both accounting and information systems research communities.
By illustrating the nuanced disconnect between regulatory efforts aimed at improving transparency and actual market responses, this study contributes a crucial piece to the emerging puzzle of cybersecurity governance. Firms are nudged toward organized frameworks that document cybersecurity oversight and embed risk management accountability—foundations that may enhance resilience over time even if immediate investor impact is muted. This transformative shift at the intersection of technology governance, risk disclosure, and capital markets promises to shape corporate behavior and regulatory strategies worldwide for years to come.
Subject of Research:
Mandatory cybersecurity disclosures by U.S. public companies and their impact on market behavior and internal corporate governance.
Article Title:
Mandatory cybersecurity disclosure: Early evidence from 10-K reports
News Publication Date:
9-Apr-2026
Web References:
https://www.sciencedirect.com/science/article/pii/S1467089526000059
References:
Haapamäki, E., & Sihvonen, J. (2026). Mandatory cybersecurity disclosure: Early evidence from 10-K reports. International Journal of Accounting Information Systems. DOI: 10.1016/j.accinf.2026.100775
Keywords:
Cybersecurity disclosure, SEC regulation, Item 1C, corporate governance, risk management, stock market reaction, investor behavior, cybersecurity governance, NIS2 Directive, accounting information systems.
