Companies disclose more on cybersecurity – but markets remain indifferent

Mandatory cybersecurity disclosure has increased internal documentation and made cyber risks more visible to senior management, but it has not, at least so far, affected investor or stock analyst behavior. This is the conclusion of a new Finnish study examining the early effects of U.S. cybersecurity regulation. The findings are also relevant in Europe, where the NIS2 Directive places cybersecurity increasingly within the responsibility of corporate leadership.

In their study, Associate Professor Elina Haapamäki from the University of Vaasa and Associate Professor Jukka Sihvonen from Aalto University analyse how U.S. public companies responded to the disclosure requirement that came into force in 2023. Under the rule introduced by the U.S. Securities and Exchange Commission (SEC), listed companies are required to provide more detailed disclosures in their annual reports on cybersecurity governance, risk management, and oversight. The study covers 3,440 U.S. public companies’ 2024 Form 10‑K filings, the first reporting year in which the new disclosure item — known as Item 1C — was applied in full.

Markets remained surprisingly indifferent

According to the study, companies did not merely relocate existing cybersecurity risk language to the new disclosure section. Instead, they produced genuinely new content.

– This was not a cosmetic change. Firms had to describe their cybersecurity governance structures and responsibilities in a much more systematic way, Haapamäki says.

However, the quality and extent of disclosures varied substantially across firms. These differences were only partly explained by firm characteristics such as company size, financial performance, or auditor profile.

– What is particularly interesting is that disclosure quality was not influenced by whether a firm had experienced prior cyber incidents or by how digitalised its business was. This suggests that firms retain significant discretion over what they choose to disclose, Sihvonen notes.

Despite the expansion of disclosure, market reactions remained limited. According to the study, stock prices did not respond systematically, stock analysts did not increase cybersecurity-related discussion, and investor attention to annual reports did not rise.

– This contrasts with the common, experience-based understanding that severe cyberattacks can halt operations, lead to data breaches, and cause substantial financial losses, Haapamäki says. According to Sihvonen, the findings indicate that investors are not incorporating governance‑level cybersecurity information into firm valuation decisions.

The main benefits accrue to firms themselves

Based on interviews conducted for the study, cybersecurity and corporate responsibility experts conclude that the primary impact of the disclosure mandate, based on first impressions, is not visible in markets but within firms themselves. The requirement forces organisations to document cybersecurity responsibilities, processes, and decision-making more systematically.

– In the United States, cybersecurity is communicated to corporate stakeholders somewhat differently than in Europe. In the EU, the emphasis has been on clearly defined risk management obligations, and reporting primarily concerns the notification of cybersecurity incidents to authorities and customers, says Peter Sund, CEO of Cybersecurity Finland (Kyberala ry).

– From an investor perspective in the EU, the key issue is that a company’s executive management and board of directors take responsibility for cybersecurity risk management and its oversight, Sund adds.

The findings are also relevant in Europe, where the implementation of the NIS2 Directive is currently tightening cybersecurity requirements for companies. Unlike the U.S. approach, EU regulation primarily emphasises internal documentation rather than public disclosure aimed at investors.

The peer‑reviewed study has been published in the International Journal of Accounting Information Systems. 

Read the full paper: Mandatory cybersecurity disclosure: Early evidence from 10‑K reports