Information security disclosures after Sarbanes-Oxely

Research by Larry Gordon and Martin Loeb

The Sarbanes-Oxley Act has caused an increase in the voluntary disclosure of firms’ information security activities.

The late 1990s saw a series of accounting scandals that shook the corporate world, eventually landing a number of executives in prison and driving one of the Big Eight accounting firms out of business. The Sarbanes-Oxley Act of 2002 (SOX) was passed in response, imposing stricter controls and increased reporting responsibility on firms. According to Smith School research, one of the unintended side effects of the passage of SOX is the increasing voluntary disclosure of information security measures taken by firms.

Sections 302 and 404 of SOX require a publicly traded company’s CEO and CFO to explicitly certify that they accept responsibility for establishing and maintaining adequate reporting and appropriate internal control systems within their firms. SOX gave the Securities and Exchange Commission (SEC) the responsibility for setting the rules that firms must follow in complying with the internal control report under Section 404.

All this has indirectly led to an increase in the voluntary disclosure of information security activities, according to a study conducted by Lawrence A. Gordon, Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance, Martin P. Loeb, professor of accounting and information assurance and Deloitte & Touche Faculty Fellow, William Lucshyn, University of Maryland, and Tashfeen Sohail, PhD ’06, Instituto de Empresa, Madrid, Spain. The paper they co-authored is the first to present empirical evidence that SOX is having an impact on voluntary disclosure of information security activities, and indirect evidence that corporate information security activities are receiving more attention from corporate leadership after the passage of SOX.

The study compares frequency distributions of the annual filings with the SEC for all firms from 2000 to 2004, consisting of 10-Ks for large firms, 10-KSBs for small businesses and 20-Fs for foreign registrants, which must also comply with SOX. The authors examined more than 27,000 filings over this five-year period. They detrended the data by taking first differences. Gordon, Loeb, Lucyshyn and Sohail found that there was a more than 100 percent increase in the information security activities being reported after the passage of SOX.

The rules provided by the SEC clearly indicate that a firm’s internal control system must be capable of safeguarding the company’s assets, including information assets. While it does not specifically require reporting of information security activities, it seems that most firms see this as implicit in SOX compliance.

Why has there been such an increase in the disclosure of information security activities if it is not a requirement? Firms may be more aware of their information security activities, which would lead them to pay more attention to those activities. Or it may be that SOX, which requires complex and sophisticated computer systems to manage the information required for reporting, is causing firms to actually increase their information security activities. The activities reported include security breaches as well as the steps firms are taking to secure their information assets.

“Firms may be reporting security breaches as a preemptive measure,” says Loeb. “Firms understand that information about security breaches is going to become public anyway; reporting both the problem and the steps they are taking to resolve it may be the firm’s way of dealing with the negative impact of the security breach.”

The fact that a firm voluntarily discloses more information about its information security doesn’t mean that a firm has increased its level of security activity. Gordon believes that increased disclosure is a firm’s way of signaling the importance it attaches to information security, but he warns that many firms may not be investing sufficiently in this area. “I think companies now recognize that security is a critical issue. But given the importance of information security, firms need to allocate a greater percentage of their IT budgets to information security activities,” says Gordon. “In general, firms are not increasing their spending on information security in a way that is proportionate with the increasing importance of information security.”

Gordon and Loeb also believe that for many firms there is a measurable market value in this voluntary disclosure of information security activities—a topic that is the subject of a future paper.

“The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities” was published in the Journal of Accounting and Public Policy. For more information, contact lgordon@rhsmith.umd.edu  or mloeb@rhsmith.umd.edu.