Responses to SEC comment letters on cybersecurity disclosures: An exploratory study

Tawei Wang, Ju Chun Yen, Kyunghee Yoon

Research output: Contribution to journalArticlepeer-review

5 Scopus citations


Cybersecurity comment letters issued by the Securities and Exchange Commission (SEC) may ask companies to disclose additional or clarifying information about their cybersecurity incidents, risks, and corresponding controls, where appropriate. Although responding to the comment letter in the form of disclosing more information about cybersecurity can better signal a company's security posture to investors and comply with regulations, it may also expose a company to higher levels of cybersecurity risks because of disclosing proprietary cybersecurity information. Using a sample consisting of 52 cybersecurity comment letters issued between 2011 and 2019 and their no-letter-matched companies, our findings suggest that comment letter companies change their disclosures regarding cybersecurity, as required by the SEC. However, as shown in the short-term cumulative abnormal returns around response letter days, the stock market reacts negatively to the responses. Our results provide policy implications by showing that market participants may not react positively to transparency.

Original languageEnglish
Article number100567
JournalInternational Journal of Accounting Information Systems
StatePublished - Sep 2022


  • Comment letter
  • Cybersecurity
  • Risk factor disclosure


Dive into the research topics of 'Responses to SEC comment letters on cybersecurity disclosures: An exploratory study'. Together they form a unique fingerprint.

Cite this