Research from the University of Maryland’s Robert H. Smith School of Business weighs significantly in new disclosure rules concerning cybersecurity-related issues from the Securities and Exchange Commission (SEC). Any SEC-registered business is subject to the updates.
“The new rules solidify what was previously disclosure guidance on cybersecurity risks and cyber incidents and expand the requirements for disclosure in annual reports of a registrant's cybersecurity risk management, strategy and governance,” says Martin P. Loeb, professor of accounting and information assurance and Deloitte & Touche Faculty Fellow.
The updated rules, as Federal Register-posted, draw upon and cite four articles published by Loeb with Lawrence A. Gordon, EY Alumni Professor of Managerial Accounting and Information Assurance, and Smith PhD graduate and research scholar Lei Zhou.
Loeb points to a prominent citation from two separate papers published in the Journal of Computer Security: “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market” (2003) and “The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?” (2011). The findings, according to the SEC, support the new requirement “to disclose a material cybersecurity incident on Form 8–K within four business days after determining the incident is material will improve the overall timeliness of the disclosure offered to investors—disclosure that is relevant to the valuation of registrants' securities.” The Smith research documents, as the SEC citation continues, that the market reacts negatively to announcements of cybersecurity incidents.
Separately, “Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model” (2015) in the Journal of Information Security and co-authored with William Lucyshyn (research professor and the director of research at the Center for Governance of Technology and Systems for UMD’s School of Public Policy), is cited by the SEC for its finding that: “Firms in the private sector of many countries own a large share of critical infrastructure assets. Hence, cybersecurity breaches in private sector firms could cause a major disruption of a critical infrastructure industry (e.g., delivery of electricity), resulting in massive losses throughout the economy, putting the defense of the nation at risk.”
Furthermore, the Gordon, Loeb, Lucyshyn and Zhou paper, “The Impact of Information Sharing on Cybersecurity Underinvestment: A Real Options Perspective,” (2015) published in the Journal of Accounting and Public Policy, was used to support the SEC’s argument that “Information sharing could reduce the tendency by firms to defer cybersecurity investments.”
Beyond the Citations
In addition to co-authoring the research, Gordon has advocated for such mandatory disclosure over the past 15-plus years, via the classroom and talks to academics, practitioners, consultants, regulators, and to Congress. In 2007 before the House Subcommittee on Homeland Security, he argued for including cybersecurity-related disclosures in internal control reporting requirements under the Sarbanes-Oxley Act. Then-Sen. Jay Rockefeller’s (D-W.V.) staff subsequently consulted with Gordon concerning the SEC's 2011 Disclosure Guidance on Cybersecurity Risks and Cyber Incidents. “However, both the 2011 and 2018 SEC documents left cybersecurity disclosures as a reporting guidance issue,” says Gordon. “So, I am delighted that the 2023 rules formally include cybersecurity disclosures -- in a modified SEC Regulation S-K, as well as in the reporting requirements for Forms 8-K, 6-K, 10-K, and 20-F.”
Smith Enterprise Risk Consortium Implications
Gordon says he will continue to speak out on the significance of cybersecurity disclosure, which also has implications for his role as a Fellow for Smith’s recently launched Smith Enterprise Risk Consortium (SERC) and its participating executives, consultants, auditors, regulators and academic researchers.
Professor of the Practice, Executive-in-Residence and SERC Director Clifford Rossi says “the work performed by the consortium’s cyber risk faculty experts underscores the impact this body of work has on helping companies and regulatory agencies understand the complex nature of nontraditional risks such as cybersecurity.”